A BankInfoSecurity article reports that Senator Jay D. Rockefeller (D – WV) submitted another data breach law in the Senate: the Data Security and Breach Notification Act of 2014. Add it to the list of potential new data breach laws. If you're keeping score at home, that's three bills in the Senate and one presidential order. If Congress keeps up this pace, there will be a bill for every data breach.
The bills have come from both parties in the Senate, and while no bill has been passed into law, there appears to be a surprising amount of consensus that we need a law of some sort, making it likely that some version of a data breach bill will pass in the next year or two.
Something Old, Something New: Bill Proposes Similar Fixes and a Few New Ones
On this blog, we've scrutinized the previous data breach bills (for more details on potential national and international regulations, see "Why IT Contractors Shouldn't Hold Their Breath for Universal Data Breach Legislation"). The Data Security and Breach Notification Act of 2014 is similar to the other bills because it also…
- Mandates that businesses inform their customers after a breach.
- Standardizes the definition of a data breach.
- Replaces various state laws with one clear federal law.
- Strengthens penalties for companies that conceal data breaches.
But the bill also introduces some new elements, including these requirements:
- IT contractors, vendors, and other third-party network admins are required to inform their clients if there has been a data breach (the client will then inform its customers).
- Customers have to be notified within 30 days.
- Companies are required to offer two years of credit monitoring for customers affected by the breach.
- Companies are required to have a data security plan and officer.
- Large data breaches will have to be reported to the Department of Homeland Security (see next section for more details).
For an IT consultant, the bill is a mix of good news and bad news. The bill explicitly states that IT professionals will be liable for overseeing their clients' security and informing them of a breach. It also shortens your window to notify customers (many states require notice in 45 days).
On the other hand, the bill clarifies your responsibilities. Currently, 46 states have their own data breach laws, so an e-commerce business or an IT contractor with clients and customers in multiple states might have to follow multiple laws, which can be a headache. If one of these bills passes, it would simplify your responsibilities.
New Data Breach Bill Would Add Data Breach Law Enforcement
If a data breach involves more than 10,000 individuals or involves a contractor who works with the government, companies would have to inform a new branch of Homeland Security, which would, in turn, inform other relevant branches of law enforcement.
It's clear that Rockefeller's new bill, the Data Security and Breach Notification Act of 2014, would do more to involve law enforcement and the Federal Trade Commission. Much of the bill is about starting new departments in these government agencies to coordinate data security, outline best practices, and fine companies that violate the law.
To read the full content of the law, see details at senate.gov.
What IT Professionals Can Expect from New Data Breach Laws
It's important to remember that none of these bills has been passed into law. They haven't even been voted on. But with the growing momentum, there's a good chance some version of these bills will become law.
If one is passed, there is usually a grace period of 12 months during which IT professionals will be required to learn the new law and implement it. In other words, IT companies have some time before they need to be in compliance. The bills will be debated in the Senate, revised, voted on, and then moved to the House. Even if a bill moved through the legislative process quickly, IT contractors would probably have two years before it affected their work.
With so many laws being proposed in the Senate, one thing is clear: IT companies will be held to higher data security standards in the near future. To cover your professional liabilities and protect your business from a data breach lawsuit, make sure you invest in Professional Liability Insurance (aka Technology Errors and Omissions Insurance).
To learn more about Errors and Omissions costs, check out our free sample insurance quotes for IT businesses.