Data breaches: mixed picture for regulation

Regulations governing disclosure of data breaches vary across the world - and so do the costs of declaring a breach.

In the US, the federal government has taken a relatively hands-off approach when it comes to imposing data breach laws. There are disclosure rules in the financial sector, and in healthcare under the HITECH Act, which was imposed as part of last year's stimulus package. But there is little else at a national level. Europe has an e-Privacy directive, 2009/136/EC, enacted last December, although it targets only ISPs and telecommunications companies. The Council of Ministers for the EU has backed an extension to the notification directive which would bring online service providers, such as banks, within its scope. However, member states have largely opposed the law.

That said, things are happening at a more granular level. In Europe, some countries are also taking matters into their own hands. For example, Germany passed its own data breach notification laws last summer. And in the US, all but four of the states have enacted some form of data breach law of their own. Some have gone above and beyond the norm. The state of Massachusetts, for example, has now implemented extensive data protection laws, tackling the issue of prevention, as well as post-breach governance. Businesses will have to encrypt sensitive personal information on Massachusetts residents that is stored on portable devices. Any personal information transmitted over public wireless networks must also be scrambled.

According to a new report from the Ponemon Institute, the cost of a data breach was significantly higher when a company resided in a country with national data breach notification laws, or conditions that make it difficult not to disclose data breaches. The 2009 Annual Study: Global Cost of a Data Breach report measured the cost of data breaches by surveying corporate partners.

The Ponemon Institute argues that even though the US federal government does not require a company suffering a data breach to disclose it, so many individual states do require disclosure that the result is effectively a national law by default.

For example, in the United States, the cost per lost record is 43% higher than the global average. In Germany, the costs were second-highest, coming in at 25% above the worldwide average. Australia, France, and the UK, which currently have no data breach notification laws, enjoyed data breach costs below the world average.

Stewart Baines

I've been writing about technology for nearly 20 years, including editing industry magazines Connect and Communications International. In 2002 I co-founded Futurity Media with Anthony Plewes. My focus in Futurity Media is in emerging technologies, social media and future gazing. As a graduate of philosophy & science, I have studied futurology & foresight to the post-grad level.