“Not if, but when.” These simple words are enough to keep corporate counsel, compliance officers and IT managers up at night when faced with the reality that their network will at some point be breached. This is no surprise given the spate of corporate breaches and unauthorized network intrusions reported in recent years, as well as the costs, reputational harm, investigations and lawsuits that follow in their wake. While there are no silver bullets to stop breaches from occurring, understanding and following legal actions brought by regulatory agencies, and heeding the security guidance they issue, could go a long way toward preventing security lapses and unauthorized attacks.

There is no omnibus federal law that prescribes the level of security that companies must use to protect consumer information. Instead, Congress has identified certain categories of sensitive data that warrant regulation, such as health and financial information, and online information collected from children under 13, resulting in the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act, respectively.