Data breaches involving consumer data are becoming a common occurrence. Now, in the aftermath of a year in which the work-from-home transition opened up new vulnerabilities and large swaths of personal information were needed for health care purposes, lawmakers are beginning to take action on data security.
Two states with governments on largely opposite sides of the aisle, Connecticut and Texas, have each put forward legislation that expands the responsibilities that attacked businesses have to their customers. Each bill is awaiting approval from its respective governor.
Defining 'personal information'
Many of these new laws aren't so much about punishing organizations that have been attacked as about defining the conditions under which they are legally required to notify the public. In Connecticut, for example, the state's Senate passed an "Act Concerning Data Privacy Breaches" on June 7. If signed into law by Governor Ned Lamont, the bill would expand the definition of what is legally considered "personal information" and set time limits for businesses to report a breach to the state.
Specifically, the law would define personal information to include online account information, passport numbers, medical information, military identification and health insurance account numbers, amongst other categories, according to the Hartford Business Journal. If a breach of this category occurs, a company must report it within 60 days. The previous requirements stood at 90 days.
In a statement on the bill, Connecticut Attorney General William Tong noted his state's long history of passing data privacy laws while saying that he looked forward to the updates. In 2005, the state passed one of the first such laws in America.
"Since we passed one of our nation's first laws protecting consumers from online data breaches, technology and risks have evolved. This legislation ensures that our laws reflect those evolving risks and continue to offer strong, comprehensive protection for Connecticut residents," said Tong.
Currently, the bill seems like a shoo-in to be signed by Lamont and passed into law. The act passed unanimously in both chambers of the state's congress and is backed by organizations like the Connecticut Business Industry Association (CBIA), according to the Hartford Business Journal. In a statement of support, CBIA counsel wrote that the new legislation would clarify responsibilities for businesses.
It's possible that Connecticut isn't finished advancing new data breach initiatives. Currently, another bill is making its way through the state legislature that would incentivize companies to adopt National Institute of Standards and Technology (NIST) cybersecurity frameworks. Under the proposed laws, companies that meet these best practices could be shielded from litigation in the event that a breach does occur.
A new 'Wall of Shame'
Down south in Texas, meanwhile, legislators have also been taking a keen interest in corporate data breaches. On May 31, the state's legislature passed House Bill 3746 in an attempt to address the issue, according to a report from McGuireWoods LLP.
The bill would alter language in the Texas Business and Commerce Code § 521.053 related to data breach notifications. If signed into law, Texas companies that incur a data breach affecting more than 250 Texans would be required to report the attack to the state Attorney General. The Attorney General would, from there, place the company's name on a so-called "Wall of Shame" — a public online list of impacted companies.
The bill states that the Attorney General would be required to update the list on a monthly basis. Companies can be removed from the list after a year, assuming no additional data breaches occur.
As one of the most populous states in the country, the Lone Star State has seen its share of devastating data breaches. In March, the state government terminated one of its Medicaid subcontractors after the company fell victim to a major ransomware attack, according to the Dallas Morning News. More than 275,000 Medicaid users were impacted, the vast majority of them Texans.
Cybersecurity you can trust
Whatever state or industry you're in, data breaches are a major concern. One of the easiest and most important ways to shore up your network is by ensuring all of your applications are protected by modern, secure identity frameworks. This can include multi-factor authentication, and some vendors are even moving to integrate biometric recognition technologies such as fingerprint readers.