By Francesca Spidalieri, Fellow for Cyber Leadership
NEWPORT, RI – Rhode Island’s private and public sector leaders gathered at the Pell Center on September 23, 2014 to participate in a two-hour roundtable discussion on Rhode Island’s Data Security and Breach Notification Law. The invitation-only event brought together key players in the state to review current gaps in the RI notification of breach law, to compare the RI law with those of other states, and to propose methods to strengthen the existing law.
The discussion focused on a timely and important issue: the impact of large data breaches on consumers and the lack of clearly defined courses of action for businesses to take in the event of a breach. These shortfalls are often compounded by a mish-mash of existing federal and state data breach notification laws and regulations prescribing specific notification requirements and processes. Such laws have significant impacts on consumers, businesses, and the state government, including law enforcement and business regulations.
Symantec dubbed 2013 “the Year of the Mega Breach” after a 62 percent increase in data breaches compared with 2012. Its annual report also found that breaches in 2013 resulted in the exposure of more than 552 million personal information records. The breach of Target Corp. accentuated the problem, when the retail giant acknowledged that hackers accessed up to 70 million customer records during the busy Thanksgiving shopping season. Target’s response and notification drew heavy criticism based on the method of notification as well as its timeliness. Like many other retailers, major banks, and countless other companies, Target chose to keep evidence of a cyber-crime private until security experts brought the issue to light. Unfortunately, the reticence to disclose data breaches is widespread and deeply rooted within corporate America. Days, weeks, or even longer periods can pass between the moment a company learns of a cyber-crime and when its customers do. That gap can amount to crucial lost time for people and other organizations that need to take immediate measures to protect themselves by monitoring transactions, changing passwords, or alerting other relevant parties such as a credit card company.
Over the past dozen years, a wave of state laws has been passed requiring companies to notify customers in a timely manner about data breaches that affect them. Forty-seven states and the District of Columbia have laws governing such disclosures (as of August 1, 2014, only Alabama, New Mexico, and South Dakota have no laws related to security breach notification). Rhode Island has had its breach notification law on the books since 2005. RI’s current “Notification of breach law,” however, is outdated and lacks clear information and direction for a business to follow in the event of a data breach. The participants in the Pell Center workshop noted that this law requires disclosure “in the most expedient time possible and without unreasonable delay,” but does not prescribe an actual timeframe and allows for delays to accommodate “the legitimate needs of law enforcement” during an ongoing investigation. Moreover, it requires the notification of a breach “if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person,” but does not provide additional measures to prevent future breaches or to effectively mitigate the risks associated with data breaches. Finally, there is no mention of the role that state agencies or law enforcement should play in the case of a data breach, or of who within those departments should be notified.
The distinguished group of policy makers, state representatives, business leaders, and law enforcement officials present at the workshop agreed that an update to the current RI notification of breach law is both necessary and urgent in order to raise the cost of data breaches, to better protect customers’ personal information, and to provide companies with an incentive to implement better security practices. A list of their recommendations to strengthen the existing law will be published in an upcoming policy memo.