Meet the Atlanta Cyber Week Influencers: NTSC Executive Director Patrick Gaul Discusses Why It’s Time for the U.S. to Lower the Excessive Costs of Data Breach Notification

By Patrick Gaul, Executive Director, National Technology Security Coalition

According to the Ponemon Institute’s 2017 Cost of Data Breach Study, the global cost of a data breach went down by ten percent over the last year. The reason? Global companies are improving information security best practices like incident response, encryption and employee training to help proactively prevent and mitigate risks that lead to data breaches.

So, if U.S. companies and organizations constantly improve information security best practices along with the rest of the world, they should experience the same overall decrease in costs. Right?

Wrong.

In the United States, data breach costs increased by five percent over the last year. Currently, the average cost of a data breach in the United States is $7.35 million – with the Middle East representing the second highest country/region at $4.94 million.

What’s the problem? While many data breach costs fluctuate across countries, regions, industries, type of incident and size of the breach, none of these factors alone explain the high increase in costs for U.S. companies – except data breach notification.

The Unusually High Costs of Data Breach Notification in the United States

The United States easily tops the list of the highest data breach notification costs in the world. Why?

  • Instead of one national data breach notification law, the United States currently enforces individual data breach notification laws for each of 48 states plus the Virgin Islands, Guam, Puerto Rico and the District of Columbia (Alabama and South Dakota currently do not have data breach notification laws).
  • Different industries require specific data breach notification requirements such as health care (HIPAA, HITECH), financial services (the Gramm-Leach-Bliley Act) or communications (FCC). Stringent regulations make health care and financial services data breaches more expensive than other industries.
  • A growing number of states like New York and Colorado are pushing new cybersecurity standards for the financial services industry – possibly setting a precedent for other states to come up with their own standards that will add even more data breach notification regulations to the mix.

When a data breach occurs, a U.S. organization must follow notification requirements for each state, territory and industry. Often, these laws are redundant but sometimes they conflict for illogical reasons. For example, 47 states require disclosing the cause of a breach, but Massachusetts explicitly says it’s against the law to say what caused the breach. Both contradictory laws must be followed by U.S. organizations.

Data breach notification is an expensive process, and the Ponemon study explains what these costs entail:

  • The creation of contact databases
  • A determination of all regulatory requirements
  • The engagement of outside experts
  • Postal expenditures
  • Email bounce-backs
  • Inbound communication setups

The more complicated the notification requirements, the higher the cost. So how did we get into this mess? And how do we get out of it?

Why We Need National Data Breach Notification Legislation

Many lawmakers know we need this legislation, but there are a lot of moving parts and pieces that make it difficult to craft. A Data Security and Breach Notification Act of 2015 was introduced in the Senate Commerce, Science and Transportation Committee but didn’t go any further. When businesses and privacy groups seemed too spooked, the efforts to create a law stalled.

To alleviate worries about lowering cybersecurity standards, some lawmakers have said they are in favor of taking the strictest state law and making that the national law. But the reverse argument also makes creating a law difficult. Certain states enjoy lower data breach notification standards and don’t want to make the process harder on companies that only operate within their state.

During the NTSC’s most recent DC Fly-In, lawmakers told us that additional challenges include:

  • Priority: Lawmakers have focused on the urgency of cybersecurity incidents related to Russia, national security and ransomware – along with robust health care debates and plenty of non-cybersecurity distractions.
  • A perception that a national data breach notification law is yet another regulation: On the surface, it appears as if a sweeping federal law would serve up a bloated, unneeded regulation that takes away states’ rights. Yet, a national data breach notification law lessens regulations – especially when organizations only report once rather than dozens of times to separate entities.
  • Preemption: Typically, preemption is a hard-fought battle for any law. In this case, attorneys general will want to retain their states’ data breach notification laws and fight against a federal law that may be perceived as unnecessarily strengthening or weakening cybersecurity protections.
  • Public concern and interest: Even if the arguments make sense, many lawmakers are reluctant to go to bat for a national data breach notification law if it only seems to impact business with little benefit for consumers. In other words, why should the public care?

These challenges show that any arguments for a national data breach notification law must acknowledge not only the problem of high costs to businesses but also acknowledge priority, perception, preemption and public concern.

The following reasons make the case.

Uniformity through one law

A national data breach notification law would eliminate a multitude of different laws by creating one law and set of standards. By agreeing upon one set of standards, the law will be clear and non-contradictory. Challenges to uniformity include agreement upon:

  • Definitions of key terms: For example, what is defined as personal data? What is a breach? What is the threshold for reporting a data breach? How many users?
  • Definition of standards: This is an area of contention, which is why some lawmakers offered to take the strictest state law and make that the standard.
  • Definition of access: What constitutes accessing data? This can be tricky, especially in cases where someone accesses encrypted data or honeypot data.
  • Definition of personal responsibility: This is another tricky area that’s complicated by the use of third parties, vendors that confidentially host customer data but may not know about the content, or bots that use servers and workstations at innocent companies to carry out attacks.

Predictability

Having one law and place to report a data breach makes compliance easier and more predictable for CISOs. Answering the following questions will lessen confusion and streamline the process for U.S. organizations:

  • What federal agency oversees the national data breach notification law? Uncertainty related to this question created some doubts in people’s minds when Congress last considered a law. Oversight is an important part of any national data breach notification process.
  • What federal agency regulates it? To avoid conflicts of interest and abuse of power, the agency overseeing the law will not be the agency that regulates it.
  • How do you deal with different kinds of companies? A nuclear power plant’s data breach notification process needs to be handled differently than a dry-cleaning business.
  • How do you account for third parties? Currently, states vary how they hold third parties accountable as part of data breach notification requirements – ranging from requiring the organization to train third parties to simply contractually obligating them to follow a set of best practices.

Non-Partisan, CISO-Driven NTSC Helping Articulate a Law

As a non-profit, non-partisan organization that serves as the preeminent advocacy voice for CISOs, the National Technology Security Coalition (NTSC) is uniquely poised to address national data breach notification legislation in a fresh, relevant way. Until the NTSC formed last year, the voice of the CISO was not well represented in Washington – and yet CISOs are often the ones most responsible for protecting American businesses and consumer information. They know firsthand the time, cost and frustration of too many data breach notification laws that seem more designed to please regulators rather than protect information in the best, most efficient way.

We’re overdue for a sensible national data breach notification law that removes unnecessary regulations, streamlines the notification process and lowers costs. Our active discussions on the Hill have included our May 2017 DC Fly-In where CISOs engaged in dialogue with House Representatives and Senators. Congressional representatives welcomed our arguments about national data breach notification legislation and showed interest in continuing the dialogue.

CISOs are unified about a national data breach notification law that will positively impact businesses, citizens and the government. We will continue to articulate our views about this important issue on Capitol Hill and at events such as our National Technology Security Coalition (NTSC) CISO Policy Conference on October 5, 2017 during Atlanta Cyber Week. This kind of sensible law is long overdue – and we need CISOs to help us make the case.

Want to learn more about Atlanta’s cybersecurity ecosystem? Join us October 2-6, 2017 for Atlanta Cyber Week. For more information on the events of Atlanta Cyber Week visit www.atlcyberweek.com.

Posted August 28, 2017 in: Event by Baker Donelson