by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
GCN : July 2015
32 GCN JULY 2015 • GCN.COM 348 breaches that compromised more than 100 million records, according to the center. At least 32 states have considered legislation this year that would estab- lish or expand data breach policies, according to the National Conference of State Legislatures. The proposals in- clude expanding the kinds of compro- mised personal information that would trigger a notification to consumers and requiring companies to report breaches to state attorneys general. In May, Illinois lawmakers updated the state’s 2005 Personal Information Protection Act to require companies to report breaches to the attorney gen- eral’s office. The updated law expands the definition of personal information to include online browsing details and purchase histories. Illinois Attorney General Lisa Madi- gan said the bill is one of the most com- prehensive in the country. Gov. Bruce Rauner has not said whether he will sign it. “Identity theft is an enormous prob- lem,” Madigan said. “It’s sometimes very difficult to identify, very difficult to clean up, and it can have an enormous impact on somebody’s ability to func- tion in our world.” Twenty-one states and Puerto Rico require companies to report data breaches to the attorney general’s office or another state agency. Three more states — Montana, North Dakota and Washington — have similar laws that will take effect by the end of the year. In Connecticut, considered to be at the forefront of data breach policy, companies have been required to re- port breaches to the attorney general since 2012. Connecticut’s attorney general, George Jepsen, said the law has forced many companies to disclose breaches they otherwise wouldn’t have reported. His office now receives about 400 notifications a year. Most of the breaches are small and not harmful, Jepsen said, adding that Connecticut residents are better pro- tected because his office has the power to investigate the breaches and pursue legal action if companies don’t do what they are supposed to do. “If Connecticut has 400 breaches, I guarantee you there’s no way the feds are going to be looking at all 400,” Jepsen said. “There continues to be an important role for states’ attorneys gen- eral. We’ve got the boots on the ground to do the work.” The ability of attorneys general to investigate breaches and enforce data breach laws holds companies account- able to consumers whose data is lost or stolen, Thaw said. “State attorneys general bring a lot more enforcement resources to bear,” he added. “In this case you have 47 dif- ferent entities, any of which [have en- forcement authority] for a large-scale breach.... That’s a pretty big threat to make sure you report a breach.” A FEDERAL STANDARD Jason Brewer, vice president of com- munications and advocacy at the Retail Industry Leaders Association, said his organization favors a federal standard that would preempt state laws. Reacting to a breach often involves setting up and staffing call centers, communicating with Internet service providers to ensure that email notifica- tions aren’t caught in spam filters and then identifying and reaching out to people affected by a breach, Brewer said. “Part of the challenge is there’s a lot more that goes into notifying than hit- ting send on an email,” he added. The average cost of a data breach to a U.S . company in 2015 is $6.5 million, according to a study conducted by the Ponemon Institute. The average cost per lost or stolen record is $217. Much of that amount — $143 — covers indi- rect costs such as lost customers. The remainder covers direct costs such as technology and legal fees. Edward Marshall, a partner at At- lanta-based law firm Arnall Golden Gregory, represents payment card processers. He said a federal standard would streamline the reporting process and reduce the legal fees for compa- nies, which are often dealing not only with the cost of reporting a breach but also with fallout from shareholders and consumers. “It is a very cumbersome process that I would argue takes away from where the emphasis should be placed,” which is fixing the breach, Marshall said. “I’ve heard a lot of people say when you’ve become a victim of a breach, it becomes your full-time job for a year.” For Eva Velasquez, president and CEO of the Identity Theft Resource Center, there are pros and cons to a fed- eral law. She said a federal law could protect citizens in the three states — Alabama, New Mexico and South Da- kota — that don’t have data breach re- porting laws, but it could provide less protection to consumers in states with tougher laws. • — Sarah Breitenbach is a reporter for the Pew Charitable Trusts’ Stateline. org, where this article originally appeared. DATA BREACHES “Part of the challenge is there’s a lot more that goes into notifying [breach victims] than hitting send on an email.” – JASON BREWER, RETAIL INDUSTRY LEADERS ASSOCIATION 0715gcn_031-032.indd 32 6/30/15 12:15 PM