An Overview of Data Breach Legislation, PCI Compliance and Website Security
As with many aspects of the Internet, conducting business online is a continuous process of determining what works and what does not. Following the introduction of electronic payment technology, an enormous surge of identity theft cases emerged. Given that the card issuers had the best view of these issues, they inherited the responsibility to secure the identities of their customers.
Today, following data breach legislation, being PCI compliant and maintaining a high level of website security are critical aspects of being an online merchant. These practices help keep the business and sensitive consumer data safe.
Data Breach Legislation
Since 2002, the majority of U.S. states have implemented security breach notification laws in response to an increasing number of breaches of consumer databases in which attackers gained access to critical client information.
The first such law was enacted in California. It requires “a state agency, person or business that conducts business in California who owns computerized data…to disclose in specific ways, any breach of the security of that data, to any resident of California whose unencrypted personal information was acquired by an unauthorized person.” The law also allows notification to be delayed if it is determined that notification would impede a criminal investigation.
After this law was enacted and enforced, the majority of U.S. states followed suit. Each state’s law contains a clause requiring companies to immediately disclose a data breach to consumers in writing. Since the law was first implemented, California has added sections covering breaches of medical and health insurance information.
Currently, the National Conference of State Legislatures manages the list of all state-enacted as well as proposed security breach laws. Many bills have been presented to create a national standard for data security breaches but none have passed.
In the European Union, breach notification requirements under the Directive on Privacy and Electronic Communications (E-Privacy Directive) were adopted in 2009 for implementation in the national law of every member state.
“At least 19 states have introduced or are considering security breach legislation in 2014. Most of the bills would amend existing security breach laws. Kentucky’s legislation, however, would create requirements for notification of breaches in that state. Only four states–Alabama, Kentucky, New Mexico and South Dakota–do not currently have a law requiring notification of security breaches involving personal information.” For the full list, see: http://www.ncsl.org/research/telecommunications-and-information-technology/2014-security-breach-legislation.aspx
Recent Security Breaches
Since 2010, some of the worst data breaches in history have occurred, including:
- Massive American Business Attack (2011)
- Heartland (2008)
- Sony PlayStation Network (2011)
- Target (2013)
Massive American Business Attack
In 2011, a huge cyber-attack that compromised RSA SecurID tokens targeted over 760 organizations, including Google, Facebook, Microsoft, Cisco, Yahoo, Intel, IBM, the European Space Agency, the IRS and a fifth of the Fortune 100 companies. The attackers implanted malware in RSA’s systems, which allowed them to gain full access to the networks of RSA’s customers.
Heartland
Affecting almost 134 million credit cards in 2008, the Heartland data breach occurred because of a vulnerability to SQL injection. Security analysts had been well aware of this hole and had warned retailers for several years to patch it. Unfortunately, many retailers ignored the warning, and SQL injection became the most common form of attack against websites at the time.
Sony PlayStation Network
Impacting 77 million PlayStation Network accounts, this hack is said to have cost Sony millions of dollars while the service was down for almost a month. It has been labeled the worst gaming consumer data breach in history. The attackers gained access to full names, passwords, email addresses, home addresses, credit card numbers and other critical information.
Target
Most recently, attackers breached Target’s systems, exposing millions of Target customers’ credit and debit card numbers during the holiday shopping season. Within hours of learning of the breach, tens of thousands of worried Target customers jammed the phone line that had been set up to handle their concerns.
Merchant Responsibility to be PCI Compliant
As a result of these data breach laws and the brutal attacks on businesses, gaming networks and retailers, merchants have a responsibility to be PCI compliant. The size of the business determines the compliance requirements that must be met. Enforcement of merchant compliance is conducted by the individual payment brands. Companies that are not PCI compliant and experience a data breach will be held accountable by the credit card companies.
The PCI Data Security Standard (DSS) is a set of requirements for security management, network architecture, proper software design, policies and procedures to ensure that protective measures are in place. To be compliant, merchants must follow the 12 requirements within the standard. Since PCI DSS compliance is a continuous process, it is important to constantly assess operations, identify vulnerabilities and fix them immediately.