
Laws & Regulations

Plethora of Existing State Regulations and New Federal Mandates on Horizon

“Government regulation has a staggering impact on the escalating cost of a data breach in the United States … the cost per lost record in the U.S. was 43% higher in 2009 than the global average.”  Larry Ponemon, Chairman Ponemon Institute


  • While 46 states have regulations concerning how organizations must safeguard sensitive information and/or how they must react should a breach occur, there is a lack of consistency between:
    • Requirements for government notification of a breach occurrence;
    • Rules for notifying individuals whose personal information has been compromised; and
    • Penalties and/or sanctions against organizations that fail to follow government regulations.
  • Data Accountability and Trust Act (H.R. 2221), passed by the U.S. House and pending in the Senate, would:
    • Require entities engaging in interstate commerce to implement security policies and procedures to protect personally sensitive information;
    • Mandate nationwide notification in the event of a security breach;
    • Require organizations to submit security policies to the FTC upon a security breach or FTC request; and
    • Preempt existing state information security laws.
  • Groups can anticipate more aggressive government auditing related to:
    • Health Insurance Portability and Accountability Act;
    • Sarbanes-Oxley;
    • Payment Card Industry Security Standards; and
    • Gramm-Leach-Bliley Act.

“Because pending government regulations focused on safeguarding sensitive information are likely to affect a wider spectrum of industry sectors, information and security executives need to be out-front on their security policies and compliance, as well as detailed response plans and procedures.”  William Besse, Cyber Theft Solutions



