By Ben Rafferty, Global Solutions Director
According to the Identity Theft Resource Center, in 2017, there were more than 8,190 data breaches in the U.S. alone, exposing more than 1 billion consumer records including Personally Identifiable Information (PII), like social security numbers, credit card numbers, financial data, and even health information.
A Patchwork of Regulations
While data breaches and cyberattacks targeting individuals’ PII continue to rise each year, there is little protection or recourse available to consumers. That’s, in part, because the U.S. does not have a comprehensive federal law regulating the collection and use of people’s personal data nationwide. Instead, it relies on a patchwork system of federal and state regulations as well as both mandatory and voluntary industry standards. Some of these laws and standards enhance the scope of others or clarify grey areas, whereas others can fall short, weaken rules and fines or even exempt certain industries entirely. In some cases, they can even contradict each other outright!
This patchwork system for protecting consumer PII from data breaches and cyberattacks not only fails consumers by putting our information at risk, but it also causes significant headaches for businesses as they struggle to understand and comply with the many different (and ever-changing) rules and regulations. Take the example of an enterprise contact center that accepts payments over the phone. The U.S. Electronic Fund Transfer Act (EFTA) requires organizations to record and retain all telephone conversations that authorize electronic funds transfers, but the Payment Card Industry Data Security Standard (PCI DSS) complicates the matter by dictating how recordings of sensitive payment card data must be stored, and stipulating that the CVV2 code (the three-digit security code) on the card must never be stored as part of the recording.
How to Comply?
In an effort to comply with a complicated patchwork of different regulations, many contact centers adopt insecure practices as work-arounds, such as manual “pause and resume” or “stop/start” systems. These systems comply with PCI DSS, but prevent organizations from having a complete call recording, which may be needed in the event of an audit or to adhere to other legislation.
While the U.S. has no comprehensive, federal law for protecting consumers’ PII, the European Union has made moves in the right direction with the General Data Protection Regulation (GDPR). Taking effect in May 2018, the GDPR may in fact be the closest thing we have to a global data protection standard. In essence, it regulates how businesses must treat sensitive data pertaining to EU citizens, regardless of where the business operates. That means even if a company is operating in the U.S., and collects, handles or stores sensitive data on any EU residents, it must still comply with the GDPR.
Lessons Learned from the Equifax Breach
If we take the standards written into the GDPR and apply them retroactively, for example, to the massive Equifax breach that occurred in the U.S. in 2017, a very different scenario would have played out. You’ll probably recall that the Equifax breach exposed the PII of some 143 million consumers. While most were Americans, the company did reveal that approximately 860,000 victims were U.K. citizens. So, had the GDPR been in effect at the time, Equifax would have had to comply.
For example, according to Equifax’s notification to individuals last year, it learned of the breach on July 29, 2017, but waited until Sept. 7, 2017, to report it. Under the current U.S. patchwork system of data breach regulations, the timing of breach notification requirements varies from state to state. In contrast, the GDPR states that in the event of a personal data breach, data controllers must notify the proper supervisory authorities no later than 72 hours after becoming aware of it. Certainly, notifying authorities and victims of the breach earlier would have enabled consumers to better protect their PII by closely monitoring or potentially freezing their accounts sooner.
Furthermore, had the GDPR been in effect, Equifax could have potentially faced fines of up to 4 percent of its annual global revenue, or 20 million Euros, whichever is greater. Since Equifax had $3.15 billion in operating revenue in 2016, a post-GDPR breach would have led to fines of up to $126 million.
Unfortunately for the U.S. victims of the Equifax breach, the U.S. does not have a comprehensive consumer data protection law like the GDPR. However, the U.K. has implemented the European Union’s General Data Protection Regulation (EU GDPR), which came into effect on May 25, 2018. Post-Brexit, a new UK Data Protection Bill will come into force, which will help to safeguard citizens’ personal data in a new digital age. It’s tough to tell now, but there is a good chance that Equifax will face little to no regulatory penalties or other forms of punishment given the timing of the incident.
The increasing frequency of these types of massive data breaches, which span nations and impact hundreds of millions of consumers, reinforces the need for a truly global, unified approach to consumer data protection. The GDPR is a step in the right direction and could serve as a model for a global standard. It will help to not only better protect consumer data, but will also help standardize and simplify business processes for the companies that must comply with it.
Steps in the Right Direction
The U.S. is also taking steps in the right direction. In 2017, New York became the first state in the nation to require financial services institutions operating in the state to establish and maintain a cybersecurity program. Because most financial services companies do business in New York, the legislation has the potential to strengthen data security standards across the entire industry.
There have also been increasing efforts to introduce more comprehensive consumer data protection legislation at the federal level. In 2017, Congressional Representatives introduced the Cyber Privacy Fortification Act and the Senate introduced the Data Security and Breach Notification Act, with the goal of creating the first federal standard for punishing data breaches. So far, however, these proposed bills have made little progress.
As a result, the onus is on businesses to do more to keep their customers’ data safe. In the U.S., organizations should look to implement the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) right away. While the framework has existed as a best practice since 2013, it was only recently mandated as federal policy in the U.S. The framework aims to help standardize practices and ensure uniform protection of data and other cyber assets in the U.S. It’s not just for government organizations, though; it serves as a comprehensive framework and set of policies that can be successfully adapted for businesses in any industry and of any size.
Organizations in the U.S. should also begin using the GDPR as a guide for strengthening their data security standards and breach notification practices. By leveraging these existing best practices and frameworks, businesses will not only better protect consumers’ valuable and sensitive information, they will also minimize the risk of a breach and streamline their compliance efforts.
To help contact centers navigate the challenging regulatory landscape, we’ve put together a useful guide detailing all the laws, regulations, and governing bodies organizations must keep track of. Download it here now.