InfoSec: Reporting data breaches won't kill your company
Trying to keep up with customer notification laws is the real killer, compliance expert says
By Bob Brown, Network World, 03/20/2007
ORLANDO - Whenever security experts talk about the rise in data breaches, they never fail to note that the numbers they cite are no doubt low given that
many organizations don't report problems out of concern their reputations will take a hit. But the public might be more forgiving
than such organizations think.
"[Customer] notifications have not turned out to be as fatal as we once thought," according to Mike Everist, director of legal
and regulatory compliance at American Express Technologies, speaking at this week's Infosec World Conference & Expo in Orlando.
"It's not the end of your brand."
Everist spoke on "Ensuring customer notification of unauthorized access," a process that more organizations have been forced
to put in place since California's SB 1386 went into effect in 2003. That law, which requires organizations to notify
customers of data breaches, has spawned many imitators (the notorious ChoicePoint data breach in 2005 also played a huge role
in spurring other states into action). More than 30 states now have rules regarding data breach notifications.
The challenge for organizations trying to comply with the patchwork of laws, including federal banking guidance, is that there
is a host of definitions of what data is covered. For example, some laws say notification is required when a combination of personal information, such as a first name or
first initial and last name, is exposed along with a Social Security number or credit card number. Some states have added
phone numbers, medical information and even biometric data to the mix.
Different states also have different definitions of what should trigger a notification, Everist said. In California, SB 1386
refers to data that has been acquired by an unauthorized person, whereas other states look for the potential of harm, he said.
The obligations for how to notify those affected by a data breach also vary from state to state, Everist said. In California,
notice can be provided in written or electronic form, for example, whereas other states specify that notices can be made by
phone or newspaper and that law enforcement needs to be alerted.
Everist said he is encouraged that some commonalities seem to be emerging, such as notifications needing to be based on potential
harm and the loss of encrypted data not necessarily triggering a customer notification.
Organizations need to watch and learn from competitors that suffer breaches, Everist said. They also need to broach the subject
of breaches with partners to avoid finger-pointing after the fact if a breach does occur, he said. Key decision makers from
across your company should be involved in coordinating a customer notification, and in the event of a breach, your organization
needs to be able to search its data easily to tell whose data is whose, he said.
In response to a question from an audience member, Everist said he is optimistic about the Payment Card Industry Data Security
Standard that organizations like his are pushing companies that handle credit cards to embrace. The fact that many merchants have failed early audits shows that the testing process has some teeth and should ensure that security systems improve, he said.
Comments (2)
Many data breaches are complex
By Prat Moghe on March 26, 2007, 11:01 am
Bob - Interesting perspective on data breaches. I understand Everist's point of view that enterprises should "readily come out". However many breaches are actually...
Complex breaches
By BobB on March 29, 2007, 10:58 am
Prat, thanks for the note. Yes, much complexity. And as many of the audience members noted during Q&A sessions at InfoSec... we'd love to get the word out on this...