The USA Has More Breach Notification Laws than Baskin Robbins Has Ice Cream Flavors, Now What?
Written by: Carolyn Crandall, CMO & Chief Deception Officer

Since the original breach notification law was enacted in California in 2002, all 50 states, the District of Columbia, Puerto Rico, Guam, and the Virgin Islands have enacted breach notification laws that require organizations or government entities to notify individuals of security breaches involving personally identifiable information (PII). U.S. organizations that have suffered a breach currently face a regulatory web that is nearly impossible to navigate, and if a company’s products or services reach into the EU, it must also comply with GDPR for the relevant segment of its user base.
This complexity also means that organizations must choose between complete compliance with the most stringent standards or a more piecemeal reporting structure based on widely variable laws. This choice is often dictated by practicality. For example, if the majority of a company’s customers are located in California, a state with strict breach reporting laws, it may make the decision to adopt those rigorous practices much easier.
There have been previous attempts to create a national breach notification and security standard, most recently the proposed federal breach notification law introduced by Rep. Blaine Luetkemeyer (R-Mo.) and Rep. Carolyn Maloney (D-N.Y.). The proposed law, known as the Data Acquisition and Technology Accountability and Security Act (the “Draft Bill”), was, however, met with significant controversy, with 31 states signing a letter urging Congress to scrap it.
Now, in a new effort to increase protection of consumer financial data, the U.S. Treasury Department is recommending a federal data security and breach notification standard similar to the EU’s General Data Protection Regulation (GDPR) breach notification mandates.
The implementation of a national standard enjoys widespread support from digital security experts. A recent Washington Post report indicated that 54 percent of cybersecurity pros favor a GDPR-like federal-level breach notification standard because it would replace the current patchwork of state laws governing this issue.
Until a federal standard exists, let’s take a closer look at which states are setting the pace in establishing aggressive breach disclosure standards and protecting consumer data privacy.
The most aggressive and proactive state when it comes to establishing privacy and consumer protections is California. The California Consumer Privacy Act (AB 375) will take effect in 2020 and establish the country’s toughest privacy requirements, including giving consumers the right to demand that their personal data not be collected or sold.
As we recently discussed, California has also passed a bill (SB 327) that will regulate cybersecurity standards for connected devices and establish the toughest Internet of Things standards in the U.S. Also set to take effect in 2020, it will require a level of “reasonable security” on any IoT device, defined as anything capable of connecting to the internet over Bluetooth or an internet protocol. Devices will be required to come preloaded with unique passwords or to force users to create new passwords before first-time access. This requirement prevents unauthorized access, modification, or information disclosure, as there would be no generic default credentials for attackers to guess. California is the first state with such a law. Many people view this law as not nearly enough, though most will agree that it is clearly a step in the right direction.
One of the strictest state-based privacy and data breach laws in the country took effect on September 1. The Colorado Protections for Consumer Data Privacy law, or HB 18-1128, applies to all in-state businesses that handle the PII of Colorado residents. The impact of the legislation is broad, as PII can include a social security number, password, driver’s license, student ID, and a wide range of other forms of identifying information.
This law creates a broad definition of sensitive data. It expands existing requirements for data breach notifications and calls for strong protection of sensitive data; however, unlike the California Consumer Privacy Act, it creates no exemption for small businesses. Colorado’s requirements apply to every organization that “maintains, owns, or licenses” PII of Colorado residents. Businesses must also require third parties with which they share data (such as cloud service providers and other vendors) to implement the same measures. The notification window is 30 days with no extensions, the toughest notification provision in the country. This law, well intended as it is, will definitely put small businesses with immature security controls in a precarious situation. Many small organizations will need to immediately add detection capabilities and a mechanism to track and report on incidents. This seems like a great opportunity for managed service providers to help. The third-party requirement to uphold the same measures will also challenge organizations of all sizes, forcing them to reassess contracts and apply minimum expectations regarding the detection controls in use and breach notification.
Long considered the benchmark for state data security protection, Massachusetts’ Data Breach Notification Law requires organizations to maintain a written information security program, conduct risk assessments, ensure that third-party service providers are safeguarding PII, and encrypt personal information on portable data storage devices.
Massachusetts recently led a 50-state coalition in a lawsuit against Uber after it failed to promptly disclose a 2016 data breach that compromised personal information of 57 million users and the driver’s licenses of 600,000 drivers. The AG’s office has also simplified the breach reporting process through a new Data Breach Reporting Online Portal, which it encourages Massachusetts businesses and organizations to use to provide notice of data breaches in compliance with the law.
I applaud Massachusetts for its efforts in making breach disclosure more clearly defined and simpler to report. Many organizations struggle with definitions and expectations, and having more clearly defined processes will help with consistency and with one’s ability to prepare for and execute on disclosure if breached. I think this will also get organizations thinking more about their recording and reporting of incidents. It will no longer be enough to simply detect an incident. Organizations must also be able to accurately know how widespread the attack was, how deep an attacker’s access went, and how to put the right controls in place to prevent an adversary’s return. Mandiant research states that adversaries return over 50% of the time.
Delaware requires the government to dispose of customer data after a set period of time, protect the privacy of e-reader and library data, and protect employee privacy. The state recently passed a new privacy law addressing advertising to children, inconspicuous privacy policies, and enhancing privacy protections for ebook readers.
Thumbs up on all of these laws, noting that disposal of customer data is trickier than one thinks: for both this law and GDPR, organizations will need to invest some effort in understanding their data, finding duplicates, and validating compliance on an ongoing basis.
Utah is one of just two states that bar internet service providers from sharing customer data with third parties without consent. The state requires all non-financial businesses to tell customers the types of personal information the business shares with or sells to a third party for the purpose of direct marketing or compensation. Utah also requires companies to dispose of customer data after a set period of time and prohibits employers from asking employees and applicants to divulge passwords or usernames for social media accounts.
Who doesn’t applaud limiting the unauthorized sharing of information? When I can, I mark the field in some way to see how much my information gets shared amongst vendors. Sadly, it is a lot. I recently attended an event in Singapore where only the hotel and event had data on me being there. I am now receiving a ridiculous amount of unsolicited email centered on Singapore. Truly disappointing.
Although these new standards are a step in the right direction, many of them are still not as comprehensive as needed, and it will take time for organizations to fully comply with these measures. Regardless of the laws, enterprises are changing their approach to security risk management and are implementing better security strategies and tools to mitigate risk across their organizations. We have seen a distinct shift in how our customers are approaching security. They are recognizing that in order to actively detect, isolate, and defend against advanced cyber-attacks, they must implement both perimeter security controls and in-network detection solutions. As a result, deception technology is being rapidly adopted not only for early detection but also as part of a comprehensive Active Defense approach. Active Defense strategies complement offense-driven actions so that organizations can proactively detect and derail attacks early, while gathering the threat intelligence required to understand the attack and strengthen perimeter security. Additionally, this threat intelligence can be shared with peer organizations to further reduce the success an attacker could achieve by targeting an industry with focused but common techniques.
How Does Deception Work?
Unlike other security tools, deception technology works by detecting threats that have already bypassed traditional security controls. Attractive traps and lures are proactively deployed within the network to entice attackers into engaging. This reduces dwell time through early and accurate detection of threats from all attack vectors and prevents bad actors from remaining undetected for extended periods of time. Organizations across all industries, including those with difficult-to-secure environments like ICS, IoT, and shared-security cloud environments, are increasingly relying on deception technology to close security gaps and improve visibility into the threat landscape. Deception is also being used for visibility into insider and third-party policy violations, in addition to detection of nefarious activity.
Regardless of the threat actor type or methods, deception alerts are all driven by attacker engagement, making each alert actionable and substantiated with the information required to respond quickly and confidently. Additionally, the ability to collect adversary intelligence is instrumental for threat hunting, making sure that the extent of the attack is understood and that the attacker has been eradicated from the entire network. Deception can also play an interesting role in mitigating returning adversaries by resetting the attack surface and laying out traps for an adversary who comes back.
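To make the engagement-driven alerting described above concrete, here is a small detector added for this post; it is illustrative code, not the product or method of any vendor. It assumes a constructed, simplified event-log format and hypothetical decoy names (the account names and addresses are made up). The point it demonstrates is that a decoy credential or decoy host has no legitimate user, so any event touching one is an alert with essentially no false-positive path, and grouping those alerts by source address gives responders a first cut at the extent of the intrusion.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed decoy inventory (hypothetical names, not from the article or any product).
# Decoy credentials are planted where an intruder harvesting accounts would find them;
# decoy hosts answer on the network but serve no business purpose. Nothing legitimate
# should ever authenticate as these users or talk to these addresses.
DECOY_ACCOUNTS = {"svc-backup-legacy", "admin-finance-old"}
DECOY_HOSTS = {"10.0.5.250", "10.0.5.251"}

# Constructed, simplified auth/network event format used only for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: result=(?P<result>\S+))?$"
)

# Constructed sample events: two benign logins, one use of a planted credential,
# one SMB connection to a decoy host, and one malformed line.
SAMPLE_LOG = """\
2018-10-02T09:14:01Z login user=alice src=10.0.1.20 dst=10.0.1.5 result=success
2018-10-02T09:15:12Z login user=svc-backup-legacy src=10.0.1.44 dst=10.0.1.5 result=failure
2018-10-02T09:15:40Z smb user=bob src=10.0.1.44 dst=10.0.5.250
2018-10-02T09:20:00Z login user=alice src=10.0.1.20 dst=10.0.1.6 result=success
this line is malformed and must be skipped, not crash the detector
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    reason: str
    user: str
    src: str
    dst: str


def parse_line(line: str):
    """Return the event fields as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text: str) -> list:
    """Emit one Alert per event that engages a decoy.

    Normal traffic produces nothing, which is what makes every alert actionable:
    there is no benign reason for anything to touch a decoy.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # A failed login with a decoy credential matters as much as a success:
        # the credential could only have been obtained from where it was planted.
        if ev["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(ev["ts"], "decoy credential used", ev["user"], ev["src"], ev["dst"]))
        if ev["dst"] in DECOY_HOSTS:
            alerts.append(Alert(ev["ts"], "decoy host contacted", ev["user"], ev["src"], ev["dst"]))
    return alerts


def engaged_sources(alerts) -> dict:
    """Group alerts by source address so responders can scope which internal
    machines are behaving like an attacker and what each one touched."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.src].append(a)
    return {src: sorted({a.reason for a in hits}) for src, hits in by_src.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} ALERT {a.reason}: user={a.user} src={a.src} dst={a.dst}")
    for src, reasons in engaged_sources(found).items():
        print(f"scope: {src} -> {', '.join(reasons)}")
```

On the sample above the detector raises two alerts, both from 10.0.1.44, so that single host is the starting point for scoping the incident and for the record an organization would need to satisfy a 30-day notification window. In practice the decoy inventory would be fed from wherever the decoys are managed, and the alerts would be forwarded to the incident tracking system rather than printed.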
Whether for current compliance, for keeping up with new laws as they evolve, or as part of a comprehensive Active Defense strategy, deception technology will play a growing role in validating that risk profiles are being met, in ongoing assessment of whether existing security controls are working, and in the tracking and reporting of incidents.
For a comprehensive state-by-state look at security breach notification laws across the U.S., visit the National Conference of State Legislatures website.