After the Data Privacy Act was reintroduced in Congress in late January, a second data breach bill made news when the Data Security Act of 2014 was introduced at its heels. Let's take a look at what this proposed bill means for small IT companies and how the legal data security landscape could be changing.
That these bills are coming out shortly after the Target and Neiman Marcus data breaches is no coincidence. Both businesses and consumers have growing concerns about cyber security and want strong laws that clearly outline their responsibilities and the protection they have under the law. Now it's up to the U.S. Congress to try to create a bill that will protect our data and satisfy all the interested parties.
6 Key Components of the Data Security Act of 2014
In its current incarnation, the Data Security Act can be broken down into six components. If the bill passed in its current form, IT professionals would have to consider the following for data security compliance:
- Security procedures. All businesses would be required to have "security procedures," which the bill defines as "reasonable policies and procedures to protect the confidentiality and security" of data. But the bill doesn't say what those procedures are. It's unclear at this point whether "reasonable policies and procedures" would be defined further (perhaps by the Federal Trade Commission or the Consumer Financial Protection Bureau).
- Definition of data breach. The DSA defines a data breach as any unintentional disclosure of sensitive account or personal information. This includes financial information (bank account numbers, security codes, credit card numbers, etc.) as well as any combination of personal info (addresses, phone numbers, SSNs, etc.) that can be used to commit identity theft or cause material harm to consumers.
- Investigations. After a breach, the bill would require small businesses to conduct an investigation to determine what data was stolen and whether it could be used to steal from consumers or cause them other harm.
- Reports. If a business suspects the breach could cause harm to consumers, it would have to report the breach to those customers, as well as any vendors or other businesses that might be affected. The bill permits contact via phone, email, or regular mail. (Wondering what your current legal requirements are for contacting customers after a data breach? Check out our article "Data Breach Response Guide.")
- Mandatory reports to consumer agencies for big data breaches. If a breach affects more than 5,000 users, the company would have to report it to consumer reporting agencies under current provisions of the Data Security Act.
- Timing for response and reports. The bill is vague about how much time a small business has to report a data breach. The good news is that it says businesses would be given leeway based on their size, the resources available, and the feasibility of their response. In other words, a small business wouldn’t be judged as harshly as a larger business with more resources at its disposal. You would also be able to delay reporting the breach if it would interfere with an ongoing investigation.
What Would the Data Security Act of 2014 Mean for Small IT Businesses?
The Data Security Act would standardize data security requirements, but in its current draft it doesn't offer many specific guidelines for IT professionals. In some ways, that's a good thing.
IT consultants know more about data security than members of Congress, so it's possible that Congress will consult with data security experts to firm up the requirements if the bill progresses through the legislative process.
One problem legislators would have to iron out is the reality that, in the real world, data breaches often go unnoticed. If that's the case, would the bill permit punishments for small-business owners who are unaware of a breach? It's unclear at this point.
New Bills Are a Reminder to Up Your E&O Coverage
As lawmakers and businesspeople get serious about data security, IT professionals need to read the writing on the wall. In recent years, data breaches have become more common and more expensive.
Combined with new bills and new scrutiny, the current cyber climate means small IT firms could be on the hook for an expensive Errors and Omissions (E&O) lawsuit, whether or not any legislation gets on the books. When a client is hacked or mishandles its data security, it can sue your business.
Whether you're a developer who built the code that was hacked or the consultant who built the network, E&O Insurance can cover your data security liabilities.
These bills haven't been voted on yet. But regardless of whether they become law, now is a good time to review your data security, revise your security protocols, and cover your liabilities.