The Green Sheet Online Edition

June 27, 2011  •  Issue 11:06:02

Deciphering breach notification regulations

By Tim Cranny

When most people think about security, Payment Card Industry Data Security Standard compliance and breach prevention typically come to mind. But just as important, knowing what to do after a breach occurs can make or break a company. In this article, I will focus on breach notification and address the critical questions of how, when and why, as well as what to tell your customers, partners and others who might be impacted by a breach.

Breaches are an unavoidably messy issue: they involve law, politics, psychology and customer perception, all of which are difficult to measure or pin down. But the topic is especially timely. Recently, we've seen a series of major breaches (some of which were badly mishandled), and the White House just released a breach notification proposal to create a consistent national framework for how businesses must notify customers and others affected by a breach.

Four key points about breaches

When considering a breach notification plan, it's important to understand:

  1. It can happen to you. Investing time and money on security is a business necessity. But while preventive action can make you safer, it won't make you invulnerable. You also need to have a plan in place should anything go wrong and a breach occurs.

  2. You must follow the law. You don't have complete freedom in determining your response to a breach. A multitude of state and national laws specify what you must do and when. In particular, the laws prevent you from sweeping the problem under the rug by making an obscure announcement that nobody will read. Most breach notification laws specify that you must contact affected individuals directly via mail or phone, with exact wording, and within a specified time.

    Many such laws also state when you must take public action, like placing notices in newspapers and on your website. State laws typically apply to customers affected in that state, so it's likely you would have to concern yourself with individual state laws in addition to laws from your own state. The federal government is moving toward a single national notification rule, but that will take time to be constructed and implemented.

  3. Monetary costs can be enormous. The financial costs of a security breach extend far beyond formal fines imposed by law. Breach notification laws often include explicit per diem dollar amounts (for example, the proposed federal law includes the option of penalties of $1,000 per day per record stolen, with a ceiling of $1 million if the incident was not willful or intentional).

    However, breaches inevitably bring a range of additional expenses, like the costs of offering victims free credit monitoring; recovery of electronic records; and dealing with the support, communication and legal issues that enter into play. Analysis of previous real-world breaches shows these additional costs are unavoidable and often end up being far greater than the explicit fines or penalties defined by legislation.

  4. Nonmonetary costs can be significant. Breaches regularly cause massive disruption to a company, both in terms of the time and distraction to management and staff, and the damage done to the company's brand and reputation. It can take years (if ever) to recover from a breach, and while the statistics are blurry, a significant percentage of companies that suffer a security breach don't survive the experience.

Quick analysis of the federal proposal

Now let's review the White House legislative proposal in a little more detail. First, in its current form (which will likely change after this publication goes to press), the proposal is light on details; many such critical details will emerge either during the drafting of the bill or even later as the Federal Trade Commission creates implementation rules.

Second, there is extensive discussion occurring among experts about whether the definition of "breach" is accurate. The proposal says that a breach is any theft, compromise or misuse of "sensitive personally identifiable information," which means any of the following:

A number of experts feel that the above definition is too narrow (and it isn't hard to think of information that you as a customer wouldn't want stolen, but which wouldn't trigger a breach notification according to the above definition).

Third, the proposal is fairly narrow in scope and would only apply to businesses with the designated types of information on 10,000 or more individuals in any 12-month period.

Fourth, the proposed law would supersede the multitude of state laws out there, giving organizations a single target to worry about.

Safe harbor directives

In addition, the federal proposal describes several "safe harbor" provisions, which essentially say you escape the worst obligations of breach notification if you meet certain circumstances. The main safe harbor situation is one where the records have been encrypted and therefore cannot readily be accessed by a thief, and the company has comprehensive logging in place to track what happened and when.

In this situation the company must still base its decision on a formal risk assessment and notify the FTC, but it is not required to send notification directly to affected customers.

Furthermore, financial institutions that have only had credit card numbers (that is, no names, etc.) exposed also have a special safe harbor. They are exempt from the consumer notification requirements as long as they have a security program that does two things:

  1. Stops an attacker from using the stolen information to initiate unauthorized financial transactions before they are charged to the account of the individual

  2. Provides for notice to affected individuals after a security breach that has resulted in fraud or unauthorized transactions

While the details are still being worked out, every company needs to recognize that breaches are a genuine risk. How they are handled can mean the difference between life and death for businesses affected. The rules are tightening, and failure to handle the situation carefully is becoming increasingly dangerous for businesses, both legally and financially.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at or 801-599 3454.
