National Data Breach Notification Standards would Benefit Consumers, Companies

The explosive growth of e-commerce has made it as easy to do business with a customer across the country as with one across the street. Lightning fast Internet access, mobile and handheld devices, cloud computing and a host of other technology innovations make it possible for businesses to do business online, whether they’re small, medium or large in size.

The e-commerce market continues to grow at a double-digit rate each year. In 2013, online retail sales in the U.S. are projected to reach $258.9 billion, according to an April report from eMarketer. The B2B e-commerce market is even larger – $559 billion by the end of this year, according to Forrester.

This is great news for individual businesses and the broader economy. But the proliferation of new technology options for e-commerce has also brought into focus the need for new “rules for the road” for the Internet economy. One such area is the current jumble of state laws that regulate data breach notification requirements.

In response to a steady stream of high-profile incidents in which private information about consumers was disclosed to unauthorized parties, 46 states and the District of Columbia have adopted data breach notification laws. These laws spell out the requirements for notifying consumers when their personally identifiable information (PII) has been breached. In theory, each of these laws individually is designed to protect consumers and guide and regulate businesses, two worthwhile and necessary goals.

In reality, this patchwork of state laws complicates and confuses the notification process for consumers. Businesses must understand, keep track of and comply with the laws of many states. This requirement places a heavy burden and added costs on businesses of all sizes, particularly on small and medium-sized businesses (SMBs).

Consumers and employees take their mobile and handheld devices with them almost everywhere they go. They’re accessing their data from remote locations without concern or regard for jurisdictional boundaries. Thus, a data breach can happen at any number of places during the stream of commerce, making it virtually impossible to know which state data breach notification rule applies to a possible breach of customer data.

Consider the case of the Massachusetts data breach law, which follows a Massachusetts resident around regardless of whether they are in the commonwealth, an adjoining state or across the country. What happens if that Massachusetts resident is the victim of a data breach while on a business trip to California? Which state law takes precedence? Or what if the breach occurs in one of the four states that do not have a state data breach law? It’s confusing for the individuals who are the victims and for the company that may be the source of the breach.

The burden of multiple state laws is especially harsh on SMBs, which make up the vast majority of the Internet-based economy but typically have limited resources in terms of capital and personnel. This makes it challenging for an SMB to know with confidence that it is in compliance with the various data breach notification requirements.

A national data breach notification framework would eliminate much of the confusion created by multiple state laws. It would provide consumers and businesses with consistency and predictability on how consumer notice must be provided. Consumers would receive timely notice that a breach of their PII has occurred. Businesses could be confident that they have taken prudent measures to comply with standard requirements and provide notification in the event of a breach.

A new CompTIA whitepaper examines the data breach issue in more detail and spells out the case for a national data breach notification standard.

Through its Public Advocacy group and its partnership with TechVoice, CompTIA supports strict standards for the protection of consumer data and full and timely notification to consumers of any breach of their PII. CompTIA works with its membership to keep them informed of requirements and best practices for complying with those requirements. Notice of a breach of PII is a fundamental consumer right that must be protected. This right will be furthered by a national data breach notification framework and training for both businesses and the IT industry’s solution providers.

Scott Barlow is chair of the CompTIA IT Security Community and vice president of sales and marketing for Reflexion Networks, Inc. of Woburn, Mass., a provider of cloud-based services for email security, email archiving for e-discovery and recovery, email encryption and business continuity.
