During his State of the Union address earlier this month, President Barack Obama called for legislation to guard against cyber attacks, identity theft and to "protect our children's information." Earlier in January, his administration proposed a national breach notification law that requires companies to notify consumers within 30 days of discovering that their personal information was hacked. This legislation in various forms has floated around Congress for years, but the recent outbreak of high profile security breaches at companies like Sony and Target could be the impetus needed for the bill to finally pass.
Every state's laws are unique and so any business operating across state lines has to navigate through a tangled and confusing web of regulations. In the age of ecommerce, this is a challenge faced by millions of businesses. This federal law is an effort to create a minimum standard and more cohesive policies that make it easier for businesses to adhere to breach notification laws across states.
The 30 days is sufficient time to identify the impact of a breach, but how to best notify the consumer when a breach occurs will still take time to iron out.
Actually getting the bill through Congress remains a challenge. Republicans in Congress have long pushed back against measures like this one because they call for additional regulations and requirements for businesses. The most likely scenario is that the law will be a very basic federal mandate which sets a floor that states can't go under, but which allows states to set the ceiling on how the laws can be applied.
What would really muddy the waters? If the federal legislation mandates that the business follows the data breach laws of the state where the consumer lives or was at the time of purchase, as opposed to the location of the company's legal entity. The former case would do little to make the breach notification process less of a burden, which is the whole point. Businesses would still have to consider several sets of rules instead of one.
The 30 day deadline is a good start, the reality of commerce today is that things happen much faster. Technically speaking, a consumer's data could start being used as soon as 7 days after a breach occurs. There is a gaping window between 7 days and 5 months in which a tremendous amount of damage can be done, to retailers and consumers. This is why it is so important that retailers go to great lengths to protect their customer data with a number of security protocols, lines of redundancy, and data analytics.
I would also venture a guess that consumers who exclusively purchase online are more inclined to check their bank account more often via a website or mobile app. They are more aware of their balances and more likely to get banking notifications via email, text, or pushes that would alert them to fraudulent activity immediately and give them time to react. Months could become minutes. For these reasons, breach notification laws will actually have a greater impact on consumers who purchase most of their goods in-store, not online.
Beyond complying with the regulations, businesses will also have to figure out the best approach for delivering breach notifications. Too many notifications could desensitize consumers to the problem or cause unnecessary panic. The good news is that in today's interconnected, digital world, companies have a range of channels to communicate with their customers. With email, mobile apps, and text messages at their disposal, sharing information is not a technological problem, it is cultural one. Businesses have been reluctant to share information about a breach in the past because of how it could hurt their image and share price. However, the scope of the recent attacks and the increasing sophistication of online security technology are putting heavy pressure on bricks-and-mortar retailers to step up their game.
Regardless of what happens with the bill, I predict that every company that handles customer data will begin to make security and transparency a priority out of competitive necessity. The key thing to remember is that 30 days is the "floor." It is a good baseline, but not substantial enough to protect customers who are exclusively buying online, where threats and breaches can be identified at a much faster pace. The best way to navigate around uncertainty and varying regulations is to surpass the federal floor, as well as the states' ceilings, in terms of security and notification policies.