Worried about reputation risks and the fines their companies could be hit with if they fail to properly notify regulators of a data breach, risk managers are pushing a Congressional bill that would streamline the current 47-state notification system under a single federal regulator.
The bill, called The Data Security and Breach Notification Act of 2015, would pre-empt all state notification laws, set up a time frame for notification, establish the content that notification would require, and identify who must be notified.
The legislation, which was introduced in the U.S. House and Senate in January and cleared the House Commerce Committee in April, would direct the Department of Homeland Security “to designate a federal entity that covered entities would be required to notify,” according to a summary of the Senate bill.
The law, if enacted, would cover breaches that involved the personal information of more than 10,000 people; a database containing the personal information of more than 1 million people; federal government databases; or the personal information of federal employees or contractors known to work in national security or law enforcement.
“Risk managers who have had to notify of [a] breach have indicated that the bureaucratic administrative burden of interpreting and satisfying differing notice requirements is really problematic. And this is going on during a time when there are a lot of other issues to contend with in an organization” that’s been hit with a breach, says Janice Ochenkowski, chair of the external affairs committee of the Risk and Insurance Management Society, which is advocating for the bill.
Currently, cyber notification standards differ from state to state in when, what, and to whom a breached company must report, as well as in the time frame within which reporting must be done, according to Ochenkowski, the international director of global risk management for real estate firm Jones Lang LaSalle. (Ochenkowski said she was speaking on behalf of RIMS only, preferring not to speak for her company.)
Data-breach information tends to be very hard to sort, the risk manager says. “With any crisis, you might initially know there’s a problem, but you don’t always have the facts at hand,” she adds. “It takes a while to determine those facts, and sometimes it may take you longer to figure it out than you have [to provide] notice.”
If affected companies fail to notify state regulators within the mandated time frame and follow the appropriate criteria, they’re commonly fined. But the more important concern for an organization is reputation risk, according to Ochenkowski.
“It’s bad enough that you’re in the midst of a crisis situation but then to have the additional difficulty of [it being known] that you didn’t comply properly or that you didn’t provide notice to all potentially injured parties,” she says, “adds a layer of complexity to an already difficult situation.”
Responding to a RIMS survey slated to be released Wednesday, 79% of 284 RIMS members, largely corporate risk managers, rated reputation risk as their organization’s top first-party cyber exposure. (First-party risks affect the company itself or its own property, while third-party risks involve the person or property of another person or entity.)
Seventy-three percent of the survey respondents reported that notification represents a significant cost of their companies’ first-party cyber exposure, and the same percentage indicated that the cost of notification is a significant factor for third-party exposures, according to Ochenkowski.
Such costs represent internal compliance expenses and are exclusive of fines, she said. Although they vary for different organizations, the costs involve payment for outside technical assistance “in analyzing what the breach actually was,” as well as for “outside legal assistance in understanding the legal definitions within the word ‘breach,’ and so on,” she adds.