President Obama’s proposed Personal Data Notification and Protection Act, a long-overdue federal law to standardize how companies respond to data breaches, has been welcomed by many information security professionals, especially in the wake of 2014’s many high-profile information security incidents, the number of which is estimated to be up 27.5% on 2013.
According to data from Forrester Research Group, the US lags behind many other countries on this issue, and is on a par with Russia, India and Brazil when it comes to the protection of consumer data.
Companies across America currently have to contend with a patchwork of 47 state data breach notification laws, each with different obligations. California, for example, offers the most stringent protection for consumers and allows its residents to bring civil actions to recover damages. Alabama, New Mexico and South Dakota have no breach notification legislation at all.
Few details of the Personal Data Notification and Protection Act are available yet (we’ll have to wait for the President’s State of the Union address next week for those), and many questions remain. For now, though, it’s worth weighing up the pros and cons of the proposed legislation and considering its likely passage through Congress.
In its favor, the Personal Data Notification and Protection Act would:
- Provide a single national standard, which ought to make compliance simpler for US organizations and protection better for US citizens.
- Replace the current patchwork of state legislation.
- Bring US data breach protection into line with Canada, Australia and Europe.
- Set out a minimum set of rules that all organizations in the US would have to follow.
Against it:
- Federal bills that succeed in this area are typically aimed at the government and how it handles information, rather than at corporations.
- States with strong data breach laws will need to work out how their existing approaches fit with the federal law, in particular whether it will only set a floor or will pre-empt stricter state rules.
- Skepticism about whether the bill will go anywhere: the last four data breach bills President Obama sent to the House failed to be enacted. Early soundings are positive, but passage is by no means guaranteed.
The Personal Data Notification and Protection Act is definitely a step in the right direction, and if it is enacted it will be down to companies across America to step up their cybersecurity practices. Assuming the Act’s success, what can US organizations do to ensure their compliance?
One proven way is to implement and maintain an information security management system (ISMS) as laid out in the international information security management standard, ISO 27001.
ISO 27001 presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. Its Annex A controls include information security incident management, covering the responsibilities, reporting lines and response procedures that a breach notification law exercises. The standard itself sets no legal notification timetable, however, so once the Act’s text is known its specific deadlines and notification content will need to be mapped into those incident management procedures.
IT Governance has created four ISO 27001 implementation solutions to give US organizations online access to world-class expertise. Each fixed-price solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.