Would a federal data breach law really be too costly for the private sector?

Are you curious about the cost of a data breach notification law? Here’s the analysis of S. 1151, the Personal Data Privacy and Security Act of 2011, proposed by Senator Leahy. It appears that the biggest added cost to the private sector would be on improving security and not from breach notification, since 46 states already require them to notify consumers of breaches.

The cost per entity of the data privacy and security requirements would depend on the rules to be established by the FTC, the size of the entity, and its current ability to secure, record, and monitor access to data, as well as on the amount of sensitive, personally identifiable information maintained by the entity. The majority of states already have laws requiring business entities to utilize data security programs, and it is the current practice of many businesses to use security measures to protect sensitive data. However, some of the new standards for data security in the bill could impose additional costs on a large number of private-sector entities.

For example, under the bill, businesses covered under subtitle A would be required to enhance their security standards to include the ability to trace access and transmission of all records containing sensitive personally identifiable information. The current industry standard on data security has not reached that level. According to industry experts, information on a particular individual can be collected from several places and, for large companies, can be accessed by thousands of people from several different locations. The ability to trace each transaction involving data containing personally identifiable information would require a significant enhancement of data management hardware and software for the majority of businesses. Further, the bill’s definition of sensitive personally identifiable information is broader than the current industry standard.

This definition would significantly increase the number of entities that would be required to implement new or enhanced data security standards. The aggregate cost of implementing such changes could be substantial.

Okay, but if they invest in what would be mandated security and save on breach-related costs, that doesn’t sound like a bad deal to me. Aren’t we constantly reminded how high breach clean-up costs are? And the trade-off here also seems to involve prohibiting a private cause of action for violation of contractual agreements – and isn’t that something that Facebook, Zynga, and others are fighting for?

I’m not saying that I particularly like or want this bill to be enacted. I’m just saying that from a cost standpoint, it doesn’t appear to be excessive when one considers what would be gained or offset.

What do you think?

About the author: Dissent

One comment on “Would a federal data breach law really be too costly for the private sector?”

  1. garykva - October 28, 2011

    As with any business, profit is the bottom line. There may be risks, and bumps in the road, but they are handled when they arrive. Security as a proactive stance does not seem to be a posture if it was not there in the beginning. Companies may opt to purchase an insurance policy and pay a flat fee per month and kick their heels up and pass the expense of a spill, hack or otherwise off to the insurance agency. If they are hacked, many businesses know there are entities that will come in and assist, be it from law enforcement, or again, an associated cost that was mitigated through insurance.

    The problem with technology is the ease of which it is utilized. Security has, and still is in the corporate world, a 2nd or 3rd place finish at best. For businesses that are in mid stride, functioning properly with little to minimal risk, tracking data down to the Nth degree is trying to remember a forced 30 character password – people aren’t going to do it properly, and report that they are. The people who want absurd measures – need to sit on the boards and be forced to listen to the feedback coming inbound.

    Tracing access and transmission data? Really? Does this include updating a person’s good or bad status of a CC transaction, the manually typing in of a CC number should the swipe/stripe fail? Sending new CC through the mail? How about the Social Security Administration or IRS sending via postal mail, records with PII? Communication comes in a thousand different ways.

    It’s MUCHO easier to implement rings of defense with each layer more critical towards the center. VPN communications, with firewall ACL (rules) that allow communication with trusted entities only.
    Allowing personnel to surf wherever they wish, access corporate records whenever they wish – all can be controlled with current technology.

    The only way I see any control over all this is to have 3-4 clearing house entities up, much like the credit bureaus who handle PII. The company submits the users name, address and less sensitive data and electronically sends updates/requests information from the entity. That secures PII.

    Credit cards need RSA-style tokens and a PIN to put a dent in fraud. Until companies start losing a serious amount of cash, or are told they will be penalized a hefty monetary fine for the following breaches, they won’t take security seriously. Hit them where it counts, in the bottom line – profits. THEN the security posture – and hiring processes – will get knocked back on track.
