Missouri is one of the few states in the US that still does not have a data breach notification law. That is set to change, though, if Senate Bill 207 passes. Like the original bill that started it all (California SB 1386), Missouri SB 207 would provide an exemption from public notification if the compromised information was protected using data encryption tools like AlertBoot encryption software.
If the bill passes as is (it received initial approval, according to the St. Louis Business Journal), the state Attorney General would be able to levy fines of up to $150,000 per security breach, or per series of breaches that an investigation finds to be similar in nature.
I take that to mean that in an incident like the one at Heartland Payment Systems (HPS), the cap would be $150,000 for the breach as a whole, as opposed to $150,000 per affected account. Which is pragmatic and sensible.
The estimated (exaggerated?) number of accounts affected in the HPS incident is 100 million. At $150,000 per account, the maximum fine would be $15,000,000,000,000. That's fifteen trillion dollars, or more than the estimated US national debt as of 02 Apr 2009 at 11:29:06 PM GMT (thank you, US national debt clock): $11.2 trillion and change.
No way any company would be able to foot that bill.
On the other hand, $150,000 is probably a drop in the bucket for a company like HPS, or for any company in the Fortune 1000, recession or not. I'm too lazy to dig up their 10-Ks, but I'd imagine top management gets paid something similar in salary alone.
Preventing Data Breaches
All of this being said, the trick is not to have a data breach in the first place. That way, you keep the $150,000; you don't get sued by the state; and you don't have irate customers banging down your doors. It's win-win-win. And how do you do that?
Well, most information security professionals will tell you there's no way to guarantee you won't have a data breach. And they're right (anyone who tells you otherwise is trying to sell you something). But they'll also tell you there are ways to significantly decrease the risk of one.
One of these happens to be the use of data encryption software, which I assume is why the bill gives a break to companies that secured private, personal data with encryption. Practically speaking, that break is only worth something if the encryption was actually in force when the data went missing and the key or passphrase wasn't lost right along with it: an encrypted laptop with the password on a sticky note stuck to the lid is not protected data. There are other products as well (which, depending on what data you collect and how you use it, may be obligatory if you really want to protect data).
Yes, it costs money to implement such tools. Yet chances are that signing up for managed encryption software is a cheaper alternative to getting sued by the state AG, or to watching your customers start frequenting your rivals' venues.
Related Articles and Sites:
http://www.senate.mo.gov/09info/pdf-bill/comm/SB207.pdf (PDF file)