These days you can’t go a week without hearing about governments, companies, and other organizations dealing with major data breaches. It’s so commonplace that sometimes people don’t stop to consider the effect all these data loss events can have. As it pertains to the individual, there is always the chance, if a company gets breached, or loses data from a disaster or a hack, that your anonymity is a casualty. After the media attention fades, there are millions of people that are left exposed and companies, some huge multinational conglomerates, that don’t face any repercussions.
Some time ago, the U.S. Government determined that these general data breach events were an issue for individual state governments. State lawmakers are the only ones that currently have the jurisdiction to create and enforce data security laws in the United States. After an organization is breached, they are typically mandated to provide knowledge of the breach to that state’s Attorney General, who ultimately determines whether or not the state will sink resources into investigating and prosecuting the breached organization.
With data largely running the U.S. economy, however, there have only been two federally-mandated digital security laws passed in the last 20 years: The Healthcare Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), which covers the healthcare industry and the financial services industry, respectively. Since data-theft-based crimes are still roundly federally unprosecuted, it has left a large amount of the business sector left to be protected by the various states’ attorney’s offices. In fact, the first complete trial for data theft was in 2015.
Other parts of the world have more overreaching data security mandates. In fact, the only financial entity that has a greater financial stake in world business affairs than the U.S., the European Union, has recently approved a comprehensive cybersecurity law called the General Data Protection Regulation (GDPR). The GDPR gives regulators authority to stop the transmission of data, or levy fines against businesses that lose individual’s information. The fines are substantial, too, ranging as large as $20 million or 4% of the organization’s revenue, whichever is larger.
Since the civil responsibility of prosecuting data security laws lies with individual states in the U.S., there has been a wide disparity of how these situations are handled. It is up to the state to come up with the penalties for offending companies, so different states have different penalties. Some states prosecute by violation, some by series of breaches, and some, strangely, by resident. Moreover, even if a company is prosecuted for the data that has been taken, there are only four current states (Arkansas, Illinois, Nevada, and Pennsylvania) and the District of Columbia that have given their courts the ability to collect reasonable restitution. Stranger even, some states bar individuals and organizations from taking action against entities that compromise their data, as only class action lawsuits are heard in these states.
There are times when state courts can come down heavily on an organization, as some have had to limit or stop operations completely, pending an investigation. The cost and lost revenue from having to halt operations, coupled with the damage done to the organization’s reputation, can cripple a business’ chance of ever resuming normal operations, even before the verdict, and resulting restitution, has been ruled upon.
The lack of cybersecurity laws on the books is being remedied in several states. Many state legislatures have, at the very least, proposed bills to give courts the ability to hear cybersecurity-related cases. Additionally, many states have already enacted mandates that make clear the amount given to a breached organization before they have to notify the State’s Attorney, as well as setting a baseline for the number of records that have been exposed before notification is required.
Cybercrime and data loss are major issues today, and the more they become prevalent, the sooner we expect the federal government to create additional mandates to protect citizens’ personal information.
How do you think data breaches should be handled? Do you think the U.S Government has to be more active on this issue? One thing is for certain, cybercrime is not going away. To protect your business from data loss and reputational harm, contact the IT security professionals at Sagacent today.