In his October 17 speech, the President called on Congress to establish “one clear national standard that brings certainty to businesses and keeps consumers safe.”
As acknowledged by the President, separate state laws currently govern data breaches, leaving in the lurch the many American and foreign businesses that operate across state lines. A data breach might require a corporation to comply with as many as 47 different state notification laws.
As a result, corporate victims of cyber-attacks are required to provide different information at different times to their consumers. A national data breach law would bring uniformity to the breach notification process and would clarify the obligations of corporate actors.
Some key takeaways based upon National Cybersecurity Awareness Month:
- Retailers, banks and other financial institutions, telecom companies, and other businesses that handle payments of any form should consider transitioning to chip-and-PIN technology and adopting other enhanced security measures. These efforts will require detailed assessment and planning and continued research into and monitoring of government and industry standards.
- Businesses that are potentially affected by identity theft or fraud should consider enhancing their theft or fraud detection, guided by government and industry standards. Because these standards evolve every day, it is important to monitor the shifts in policies and practices. Businesses should also stay abreast of developments within the federal government and among agencies and law enforcement in this area, as the October 17 executive order signals many such developments to come.
- Given the Administration’s indication that its next focus will be mobile payment systems and devices, businesses affected by those systems and devices should stay alert for opportunities to give input or comment in any policy or standard-setting process and should watch for evolving standards in that area.