Data breaches and cyber incidents continue to plague businesses and end users, compromising millions of records each year. Yet, while the volume of these breaches is astonishing, it is sometimes hard to understand what they mean, what a “record” is, and what actions affected companies need to take to resolve the issue and prevent future breaches.
Reporting requirements in the United States are currently administered at the state level. While every state has now adopted some breach notification requirement, with South Dakota being the most recent in mid-2018, the laws are a patchwork of requirements that vary significantly. In addition, regulations differ markedly from industry to industry, with some industries possessing no reporting requirements at all.
Because of this, reporting currently does not capture the total number of cybersecurity incidents that occur, nor does it properly explain the severity of each breach. As hackers become more sophisticated, the lack of clear terms around cybersecurity is preventing a better understanding of breach types and the actions needed for protection.
By creating clear terms, definitions and regulations on reporting, the United States can gain greater insights on growing and changing cyber threats that companies face across industries. At the same time, the stigma that current reporting procedures create can be removed by showing the prevalence and true severity of these breaches.