By Patrick Gaul, Executive Director, National Technology Security Coalition
According to the Ponemon Institute’s 2017 Cost of Data Breach Study, the global cost of a data breach went down by ten percent over the last year. The reason? Global companies are improving information security best practices like incident response, encryption and employee training to help proactively prevent and mitigate risks that lead to data breaches.
So, if U.S. companies and organizations constantly improve information security best practices along with the rest of the world, they should experience the same overall decrease in costs. Right?
Wrong.
In the United States, data breach costs increased by five percent over the last year. Currently, the average cost of a data breach in the United States is $7.35 million – with the Middle East representing the second highest country/region at $4.94 million.
What’s the problem? While many data breach costs fluctuate across countries, regions, industries, type of incident and size of the breach, none of these factors alone explain the high increase in costs for U.S. companies – except data breach notification.
The Unusually High Costs of Data Breach Notification in the United States
The United States easily tops the list of the highest data breach notification costs in the world. Why?
When a data breach occurs, a U.S. organization must follow notification requirements for each state, territory and industry. Often, these laws are redundant but sometimes they conflict for illogical reasons. For example, 47 states require disclosing the cause of a breach, but Massachusetts explicitly says it’s against the law to say what caused the breach. Both contradictory laws must be followed by U.S. organizations.
Data breach notification is an expensive process, and the Ponemon study explains what these costs entail:
The more complicated the notification requirements, the higher the cost. So how did we get into this mess? And how do we get out of it?
Why We Need National Data Breach Notification Legislation
Many lawmakers know we need this legislation, but there are a lot of moving parts and pieces that make it difficult to craft. A Data Security and Breach Notification Act of 2015 was introduced in the Senate Commerce, Science and Transportation Committee but didn’t go any further. When businesses and privacy groups seemed too spooked, the efforts to create a law stalled.
To alleviate worries about lowering cybersecurity standards, some lawmakers have said they are in favor of taking the strictest state law and making that the national law. But the reverse argument also makes creating a law difficult. Certain states enjoy lower data breach notification standards and don’t want to make the process harder on companies that only operate within their state.
During the NTSC’s most recent DC Fly-In, lawmakers told us that additional challenges include:
These challenges show that any arguments for a national data breach notification law must acknowledge not only the problem of high costs to businesses but also acknowledge priority, perception, preemption and public concern.
The following reasons make the case.
Uniformity through one law
A national data breach notification law would eliminate a multitude of different laws by creating one law and set of standards. By agreeing upon one set of standards, the law will be clear and non-contradictory. Challenges to uniformity include agreement upon:
Predictability
Having one law and place to report a data breach makes compliance easier and more predictable for CISOs. Answering the following questions will lessen confusion and streamline the process for U.S. organizations:
Non-Partisan, CISO-Driven NTSC Helping Articulate a Law
As a non-profit, non-partisan organization that serves as the preeminent advocacy voice for CISOs, the National Technology Security Coalition (NTSC) is uniquely poised to address national data breach notification legislation in a fresh, relevant way. Until the NTSC formed last year, the voice of the CISO was not well represented in Washington – and yet CISOs are often the ones most responsible for protecting American businesses and consumer information. They know firsthand the time, cost and frustration of too many data breach notification laws that seem more designed to please regulators rather than protect information in the best, most efficient way.
We’re overdue for a sensible national data breach notification law that removes unnecessary regulations, streamlines the notification process and lowers costs. Our active discussions on the Hill have included our May 2017 DC Fly-In where CISOs engaged in dialogue with House Representatives and Senators. Congressional representatives welcomed our arguments about national data breach notification legislation and showed interest in continuing the dialogue.
CISOs are unified about a national data breach notification law that will positively impact businesses, citizens and the government. We will continue to articulate our views about this important issue on Capitol Hill and at events such as our National Technology Security Coalition (NTSC) CISO Policy Conference on October 5, 2017 during Atlanta Cyber Week. This kind of sensible law is long overdue – and we need CISOs to help us make the case.
Want to learn more about Atlanta’s cybersecurity ecosystem? Join us October 2-6, 2017 for Atlanta Cyber Week. For more information on the events of Atlanta Cyber Week visit www.atlcyberweek.com.