Single standard needed for reporting data breaches
- By William Jackson
- May 04, 2009
Two-thirds of fraud professionals surveyed for a recent conference said they want to be notified the same day a data breach is discovered if it could affect their customers.
The finding is not surprising and highlights the need for a national standard for data breach notifications.
With more personally identifiable information being maintained online or in systems subject to loss or exposure — and a growing underground economy based on the theft, sale and exploitation of this information — data security has become a major concern of both government and private enterprises. But standards for the notification of possible victims have not progressed past a patchwork of state and local laws.
The survey was done for the RSA Conference eFraud Network Forum, a one-day event focused on identity fraud. More than 100 professionals, about 60 of them working in the financial services industry, were questioned in March.
A little more than half of those questioned thought that recent economic troubles have resulted in an increase in attacks on data. As the legitimate global economy has weakened, security companies have reported an increasingly robust underground economy dealing in stolen information and credentials that can be used for identity theft and fraud.
Laws dealing with such problems have not kept up with the threat. Law enforcement is getting better as the legal tools for prosecution improve and agencies are becoming better trained. International cooperation also is slowly improving.
But there are no national standards for protecting data. Instead, there are differing standards enacted in the laws of 44 states as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands.
The federal government has taken the lead in this area, as the Office of Management and Budget has set rules for how agencies are to handle personally identifiable data and breaches of that data. The simplest and possibly most effective of these guidelines: Don’t keep any more data than necessary, and get away from using Social Security numbers as universal identifiers. Agencies also are required to report data breaches soon after they occur.
However, those requirements apply only to agencies, and breach notification still is internal. There is no standard for the circumstances under which victims are to be notified or how quickly notification should be made.
It appeared several years ago that such a standard would pass, but national security issues, a financial crisis and a presidential election got in the way. Now would be as good a time as any to establish a single set of rules for securing data and establishing what to do when that security is breached. Those dealing with financial fraud want it, consumers would welcome it, and organizations holding the information should also be glad to have a single set of rules to adhere to rather than a nationwide patchwork.
William Jackson is a freelance writer and the author of the CyberEye blog.