Does a Federal Data Breach Law Help or Hurt MSPs?

News of proposed US Federal cyber security legislation is already prompting reactions, some for and some against. Specifically, a federal data breach notification rule would impact all organizations, including managed service providers. So, let’s examine more closely what a federal data breach notification law might look like and the opportunities and challenges it could create for MSPs.

What is Data Breach Notification?

Simply put, data breach notification laws deal with how and when organizations must disclose that a data breach took place. The laws typically deal with the types of data covered and the timing of the notifications. Currently 47 states and a few US territories have some form of data breach notification law. There are also various forms of international data breach laws.

The benefits of such laws should be obvious. If your personally identifiable information (social security, bank accounts, credit cards, health information) is accessed by an unauthorized third party, you would definitely want to know about it. Knowing your data has been compromised is the first step in protecting yourself after a breach has occurred.

There are, of course, exemptions to these notification triggers. For example, if your data was encrypted when it was accessed, there may not be as pressing a need to notify users, since encrypted data is more difficult (if not impossible) to access.

Federal Data Breach Benefits & Challenges

Benefits

There are many benefits to having a data breach standard. First and foremost, it allows users who have been compromised to act swiftly and in time to mitigate any negative side effects. Changing bank accounts and passwords and establishing credit monitoring are just a few of the ways individuals can safeguard their identities against cyber criminals.

Another benefit of having to disclose data breaches is that it teaches the community about how these hacks are happening and helps IT organizations establish more effective security measures in the future. Naturally, this benefit also applies to MSPs, who can learn from these breaches and help establish policies and procedures for protecting their customers.

Challenges

Conversely, there are a few areas of concern for MSPs should such a US federal law come into existence. MSPs would have to clearly discuss their obligations with customers related to data breach notification. Since many MSPs have extraordinary access to customer networks, it is not unimaginable that an MSP would be the first party to discover that a data breach had occurred.

Lastly, and perhaps the most crucial concern if it ever came to pass, is the increased monitoring and oversight the US Federal government would have over MSPs and their customers. Granted, this last issue is something which may never happen. However, the question must be asked: why is federal legislation even necessary?

There are currently 3 US states which do not have any data breach notification laws. All the states with major population centers have breach notification laws already. None of the recent hacks would have impacted users in those states (that I’m aware of), since these hacks have been reported on a global level, effectively notifying everyone. The point is, nearly all the states have data breach notification laws, which may argue against the need for a federal law.

Ultimately, this is a public policy debate and a good one to have. It is, however, very important for MSPs to be aware of these issues (including those non-US MSPs who do business in the US) and be ready for whatever may come.

About MSPAlliance

Founded in 2000, MSPAlliance is the world’s largest community for managed service providers. Free membership gives you access to resources, research, and certification programs that help you build a mature, compliant, and trusted MSP business.