Federal data breach notification law seen as cost-saving measure

By Erin Ayers on March 27, 2015

In the last decade, 47 state legislatures have considered the impact of data breaches on their constituents and developed comprehensive standards for how organizations should communicate with their customers in the event of lost personal information, whether it is due to a cyber attack, employee error, or a gust of wind blowing important papers away. However, as costs following data breaches rise, in part due to the extensive state-by-state framework for notification, support has grown for a single federal standard for breached organizations to follow.

As cyberliability insurance has evolved to provide for many of the costs of complying with these state laws following a breach and more states have enacted laws, the overall claim costs have risen. The Ponemon Institute’s 2014 Cost of Data Breach Study pegged the cost per lost record at $201. And those costs have translated to higher cyber insurance premiums.

Only Alabama, New Mexico, and South Dakota have not enacted a data breach notification law. Kentucky became the 47th state in June 2014; California had the earliest in 2003 and currently has one of the strictest laws on the books. Florida and Massachusetts also have notably rigorous notification laws, but most states vary in the reporting times, type of notification required, definitions of sensitive information, triggers, and perhaps most significantly – penalties.

The 47 state laws have, by most measures, improved awareness and transparency for consumers on how businesses collect and keep their personal information, the risks posed by cybercriminals to that information, and the necessity to safeguard one’s financial and medical identity. Advisen data show that as the enactment of state laws increased over the years, so did reporting of breaches. Laws increased in effectiveness as they aged, data showed.

President Barack Obama began 2015 by releasing a legislative package including a proposal for a federal data breach law requiring any business or organization that serves more than 10,000 customers in a given year to notify those customers in the event of a breach, within 30 days. It would be a uniform standard, but would not go as far as many state statutes.

“It’s an easier compliance than what most states require,” said Mark Mao, attorney with Kaufman Dolowich and Voluck. It offers a “very reasonable” way to bring breach mitigation costs down and, in turn, potentially cyber insurance costs. Advisen data show that as breach laws have been enacted, the purchases of cyber insurance have also increased.

Pres. Obama’s proposal is not the only one before Congress. The U.S. House Energy Committee’s Subcommittee on Commerce, Manufacturing, and Trade this week marked up a bill called the Data Security and Breach Notification Act of 2015, while acknowledging that Congress has delayed action over and over on this issue.

“Through 10 years of mass data breaches, Congress has fiddled while Rome burns,” said the bill’s authors, Rep. Marsha Blackburn (R-TN) and Rep. Peter Welch (D-VT), in an editorial. “The pattern of costly data breaches speaks for itself. Congress must do what it can now to help consumers, help the economy, and stop funding these cybercriminals who use the money they make to perpetrate even worse crimes. Nothing frustrates our constituents more than when Congress is presented with a very real problem, and very plausible solutions, but does nothing due to partisan dysfunction.”

Upon approval of the bill this week, Subcommittee Chairman Rep. Michael C. Burgess highlighted ways in which the federal bill would go beyond the protections afforded in many state data breach notification laws, including covering loss of biometric data such as fingerprints and retinal scans, and account information without an associated name.

“Finding a workable bipartisan compromise that can become law has been elusive. But I believe that by focusing on how the criminals make their money we can work together to broker a solution for the millions of Americans impacted by identity theft and financial fraud,” said Burgess. “Perfect cannot be the enemy of the good. And we must ensure that there are meaningful consumer protections in this draft.”

Regulate, Not Penalize

At a recent cybersecurity summit held by the New York Insurance Association (NYIA), speakers showed support for more uniformity, expressing concern that state laws are difficult to comply with fully and seem to focus more on penalties than protection.

Heather Briccetti, president and CEO for the Business Council of New York State, commented during a panel discussion that the government “should be more government protecting them, rather than punishing them.”

“This should be viewed less as a regulatory exercise, other than having standards, but to know that there are folks at the government is here to help, rather than fines,” she said. “There’s always a concern that the government will have an activist role, and focus its attention on the victims rather than the hackers.”

“We need to fix the problem, not place the blame,” agreed Deborah Snyder, deputy chief information security officer at the New York State Office of Information Technology Services.

Gregory Vernaci, head of cyber for U.S. and Canada at American International Group, commented that it would be “hard to argue” against the fact that state notification laws have improved the data breach landscape for consumers in creating transparency and awareness. However, he noted, the federal government has a role to play in protecting the nation’s critical infrastructure. That is an area where data is limited for the insurance industry, he explained.

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].