Globally and in the U.S., most countries and states have enacted laws that require the notification of individuals affected by a data breach and the implementation of certain standards for protecting personal information.
[Statistics callouts from the original page; the figures themselves were not recovered: records reported breached in the U.S. since 2005; the cost of implementing data protection compared with the cost of a data breach; the percentage of data-loss incidents that involve Social Security numbers.]
What do I need to know? If you sustain a data breach involving the personal information of consumers, you very likely will have to report the incident to the affected individuals and/or government authorities.
The United States: In 2003, the first-ever law regulating the privacy of personal information took effect in California. Since then, 46 states, plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have passed data breach notification laws. Only South Dakota, Kentucky, Alabama and New Mexico have not. Despite attempts by various lawmakers, Congress has never approved comprehensive federal data security or notification legislation in the United States.
Typically, entities are required to alert consumers whose personal information was compromised in an expeditious manner and without unreasonable delay. Even if the breach affects a third-party company that is maintaining the compromised information, the burden is on the company that owns the data to notify affected individuals.
Meanwhile, a smaller number of states - including Massachusetts, California, Connecticut, Rhode Island, Oregon, Maryland, and Nevada - have ratified laws that require businesses to maintain specific data security standards, such as the use of encryption, to protect the personal information of residents.
Global: Across the world, many countries have approved laws governing data protection. Many of them include notification provisions, either mandatory or voluntary. Perhaps the strictest requirement exists in the form of a proposal in the European Union, which is made up of 28 member countries. The proposal, expected to take effect in 2016, would consolidate data protection into a single law across the EU and, among other provisions, require organizations to notify their local data protection authority within 24 hours after becoming aware of a breach.
Data privacy and protection laws often differ in their wording, which sometimes complicates notification.
Generally, the laws define personal information as a person's name in combination with some other piece of sensitive data, such as their Social Security number, credit card number or driver's license number. In the U.S., several states have expanded the definition of personal information to include medical data.
Data breaches are expensive, so it's best to avoid them. According to studies, the cost per lost record is rising year over year, and notification costs make up a large percentage of that figure, often stretching into the hundreds of thousands of dollars. A less direct cost of breaches is that they result in customer distrust. The effects that a security incident can have on a company's reputation and brand image can be long-lasting and devastating, especially if the organization isn't open and honest about the breach with its client base. Customers can be won back, but they are typically far less forgiving if they believe a company was careless with protecting their information, for example by not using encryption.
Penalties vary from state to state in the U.S. and country to country throughout the world, with some laws not prescribing any sanctions. For those that do, the amounts often are based on either the number of people affected by the breach or on time delays in alerting victims. Penalties for violations typically range from a couple thousand dollars up to $750,000 per breach. For other data privacy laws, such as those that require companies to implement certain data protection standards, fines can reach as high as $50,000 per incident.
In the European Union, for example, the data protection proposal would include penalties of up to 2 percent of an organization’s yearly global turnover.
State attorneys general have become increasingly active in data privacy enforcement, with a number of notable settlements in the U.S. related to violations of state breach notification laws.
Trustwave products and services help you discover and protect the sensitive information you are collecting, transmitting and retaining so you can avoid a data breach in the first place. Our deep portfolio also enables you to reduce the time, cost and complexity of responding to the various state and international data privacy mandates.
Plan and Prepare
Conducting a Risk Assessment is the first step to identifying and implementing safeguards necessary to meet compliance. Trustwave helps you find gaps that may exist between your current security posture and HIPAA requirements. The customizable assessments, scaled individually for covered entities and business associates, include identification of key assets and IT systems, assessment of controls and frameworks and a review of third-party providers and incident response programs.
Fill the Gaps
Data privacy regulations require companies to deploy technical controls to protect customer records and information, whether they are being collected, stored or transmitted. Here are some of the ways we can help:
Data Loss Prevention
Allows you to discover and classify sensitive data and prevent it from leaving the network.
Helps you gain visibility through detection, containment, prioritization and mitigation of events and threats.
Security Awareness Education
Instructs your employees and contractors to understand the threat of social engineering and follow best practices for security, including the safe use of web and social media tools and password management.
Identifies and manages potential vulnerabilities in your networks, applications or databases.
Protects sensitive data being transmitted across web-enabled applications.
Automate and Manage Compliance
TrustKeeper Compliance Manager helps you to centrally automate and manage controls, policies and procedures across multiple compliance frameworks, including HIPAA. Compliance Manager is delivered through our cloud-based management portal TrustKeeper, which provides a real-time view into the status of your compliance and security programs and offers access to all of your managed services. Through one easy-to-use dashboard, you can submit support requests, see event history, run reports and manage your account at any time.