Does your business welcome the Data Security Act of 2015?

Yes or no. If your credit card information was possibly compromised, would you want to know right away?

Seems like a no-brainer. But legally, we’re not quite there yet…

Earlier this month, the House Financial Services Committee voted in favor of advancing the Data Security Act of 2015 – a bill that, if approved by Congress, would establish minimum security requirements for businesses and place stricter rules on data breach notifications.

The bill comes on the heels of several newsworthy data breaches at big box retailers over the past few years. Home Depot, Target and Neiman Marcus have all fallen victim to cyber thieves and have come under scrutiny for not taking proper action. In 2013, Neiman Marcus revealed that 350,000 of its customers’ credit cards had been compromised. Whispers of the hack dated as far back as July that year, but Neiman didn’t disclose the information to its customers until 5 months later, in December. Those who brought lawsuits against the retailer argued that the store kept the information hush-hush during that time because it was afraid the news would negatively impact its peak holiday shopping season.

The Bill

With grumblings of similar situations at other retailers and lawsuits becoming more prevalent, the bill was proposed at the beginning of 2015. Over the past year it picked up steam and, as of December 9, was advanced by a House panel. Currently, 46 states have different laws and guidelines on how to handle a data breach and notify customers.[1] This new act would replace those differing state standards and unite everyone under one single provision.

The act[2] “requires individuals, corporations, or other non-government entities that access, maintain, communicate, or handle sensitive financial account information or nonpublic personal information to implement an information security program and to notify consumers, federal law enforcement, appropriate administrative agencies, payment card networks, and consumer reporting agencies of certain data breaches of unencrypted sensitive information likely to cause identity theft or fraudulent transactions on consumer financial accounts.”

If passed, the new legislation would increase the maximum penalty that companies could face over lax security measures from $150,000 to $1 million,[3] as well as limit companies to a maximum of 30 days to inform customers that their data might have been stolen during a breach. Designed to improve information security programs throughout the country, the bill will mainly impact retailers, banks, credit unions, insurance agencies and any other industries that have access to customers’ personal and credit card information.

Businesses like the Electronic Payments Coalition praised the House Financial Services Committee and applauded the decision in a recent press release.

“The Data Security Act of 2015 (H.R. 2205) will ensure that retailers adopt scalable, flexible common sense data security standards that protect consumers’ personal and financial information when in the hands of retailers, which is exactly what consumers want.”

The Opposition

Most banks and credit unions are in favor of the bill because it is based on procedures those companies have already implemented. However, not everyone is thrilled about the regulations being proposed. While most retailers agree with the intention of the bill, some do not believe one stringent set of regulations should be applied to a wide array of industries and small businesses.

The Retail Industry Leaders Association (RILA) sent a letter to members of the House Financial Services Committee expressing its opposition.

“While our groups take the issue of data security very seriously and are committed to working with Congress to develop a strong federal bill, H.R. 2205 regulates every entity under the Federal Trade Commission’s (FTC) jurisdiction by applying the Gramm-Leach-Bliley Safeguards Rule to non-banking industries. It makes no sense to take one industry’s regulations and apply it to a huge segment of the economy without consideration for how retail, grocery, convenience store, restaurant or small businesses operate.”

Sources:

  1. http://www.npr.org/sections/alltechconsidered/2014/01/23/265254621/retailers-can-wait-to-tell-you-your-card-datas-been-compromised
  2. https://www.congress.gov/bill/114th-congress/house-bill/2205
  3. http://www.govtech.com/security/Cyber-Monday-Sparks-Data-Security-Bill-Promotion.html
