America Debates The SAFE Act

This week security experts in America are discussing the implications of the proposed new Secure and Fortify Electronic (SAFE) Data Act. The Act has been approved by the House Subcommittee on Commerce, Manufacturing and Trade and has now been passed to the full committee for consideration. The Act would require companies that possess personal data to implement policies and procedures to protect personal data including:

  • A security policy for collection, use, and dissemination of personal information
  • Identifying a person to be responsible for managing information security
  • A process for identifying foreseeably vulnerabilities, including regularly monitoring to detect system breaches
  • A process for taking preventative action to mitigate any identified vulnerabilities
  • A process for disposing of data on paper and in electronic form.

Additionally the breach notification requirements of the Act state that companies, which suffer a breach, must inform individuals whose personal data that been accessed or acquired within 48 hours.

Notice is not required however if the breach presents ‘no reasonable risk of identity theft, fraud, or other unlawful conduct’ to the affected individuals.

This 48-hour issue is a particular point that experts have been debating intensely. Many experts believe that enforcing such a 48-hour rule could be problematic. The time period may not give organizations enough time to properly assess the breach, and there is a danger that individuals could be warned about a threat that actually does not affect them. On the other hand, if organizations left informing customers of a breach too long, they risk inflaming their customers further and increase the potential for brand damage. It’s a tricky balancing act, and one which will no doubt not be resolved quickly.

There is one certainty however. All organizations should have a business continuity plan in place. Without one, the impact of a cyber attack or data breach will spiral quickly out of control. It is necessary to quickly react to an incident, with a clear plan of establishing what has happened, how to repair the damage and most importantly keep your critical assets and services running.

IT Governance offers a range of books and tools to help you create an effective business continuity plan, including the BS25999 Business Continuity Management System Toolkit.