Data Breach Laws are Increasingly Common, do they make a Sufficient Difference?

It's every consumer's worst nightmare: You open your email to discover a data breach notice from a company that you don't even remember creating an account with. You certainly appreciate receiving the heads up, but is it really enough? Some consumer advocates and business leaders might argue that an apologetic email message falls far too short. 

As of this article's publication, data breach laws have been implemented or passed in all 50 US states and many modern nations. Unsurprisingly, many private citizens and professional consumers assume that this means their information is safe. 

In reality, the law doesn't necessarily incentivize companies to keep data secure. Are lax regulations failing our information-driven society? 

Rules Need Consequences
New data protection policies would be meaningless without sanctions for brands that fail to comply with them. All of these policies have stringent fines for organizations that fail to take adequate measures and these fines are likely to be strengthened as more data breaches get national attention. 

Rules only work when they stop people from doing bad things. For instance, Alabama's 2018 Data Breach Notification Act prohibits companies that experience breaches from leaving affected users in the dark. Instead, organizations that collect, store or process data must take steps like maintaining safeguards and designating responsible employees to oversee and manage security measures. 

The safeguards need to be updated over time as technology progresses. One of the biggest changes is the growth of the Internet of Things (IoT). Brands need to understand how to develop an IoT framework with security in mind. 

Too much wiggle room?
The problem with many data breach rules is that they lack the bite necessary to be effective. For instance, the National Law Review points out that even though Alabama's legislation lets the state attorney general fine noncompliant companies and file consumer lawsuits, there are no predetermined or mandatory criminal penalties.

In other words, a company can easily get away with sidestepping meaningful punishment as long as it has money to burn on fines and lawyer fees. 

The Perils of Weak Enforcement
The idea that data security laws lack punch isn't just idle speculation. In 2017, Equifax told the American public that it had exposed the data of 148 million people, or about half of the entire US population.

About six months later, a US Senate report revealed that the Consumer Financial Protection Bureau, or CFPB, had received 20,000 complaints about Equifax since the initial breach announcement. 

While some might say that the CFPB simply hasn't had sufficient time to act, observers note that things don't look good for consumers. CFPB head Mick Mulvaney is on the record as being against regulations aimed at businesses. Even more damning, he said that he wanted to make the CFPB's complaints portal private.

If this proposal goes through, the general public could soon lose the ability to hold companies and regulators publicly accountable for their actions without Equifax ever having paid the price for its misdeeds. 

The Outlook for Companies
Imagine that you were a point-of-sale software vendor. If your products were implicated in one of the many retail data breaches in the past few years, then your credibility would have suffered along with your clients' reputations.

Consumers might not come to regard you with the same hate they hold for Equifax or Facebook, but the business community would be well within its rights to blacklist you. 

Consumer goodwill ultimately demands trust, and time has proven that you can't always trust companies to do the right thing. Even though some people automatically assume that more regulations are always bad for business, this view lacks nuance, especially for those whose business models depend on safe data products.

If your company relies on a third-party user credential service, do you really want to run the risk that your provider didn't secure their databases because they thought they could get away with slacking off? 

Comprehensive security governance is far less expensive than having to rebrand or close up shop for good after your consumers come to hate you. While it's tempting to lobby against tighter data security legislation, it has the potential to make the IT industry more accountable overall, and that's never a bad thing.

Ryan Kh is an entrepreneur & startup investor. Founder of Catalyst For Business and managing editor for He is passionate on covering topics like big data, data security, business intelligence & entrepreneurship. 

What’s Hot on Infosecurity Magazine?