scope:

Data security breaches continue to put millions of consumers at risk. Protecting consumer information is a shared responsibility for all parties involved including legacy and cloud service providers, organizations that store, transmit, or process consumer information, financial institutions, and individual consumers. This standard provides requirements, recommendations, and information regarding consumer information, data protection, and breach notification. This standard is organized into two parts.

X9.141 Financial Service Data Security Breach

− Part 1: Data Protection

− Part 2: Breach Notification

Topics addressed within the scope of this standard Part 2: Breach Notification include the following.

• Data Operations Framework

• Data Breach Processes

• Breach Requirements

Topics considered outside the scope of this standard Part 2: Breach Notification are the following.

• International laws and regulations pertaining to data protection or breach notification.

• Federal laws and regulations pertaining to data protection or breach notification.

• State laws and regulations pertaining to data protection or breach notification.

• Contractual obligations pertaining to data protection or breach notification.

While the breach notification requirements and recommendations provided in this standard are for the financial services industry, this standard can be applied to other industries.

Purpose

Data stolen in data breach compromise events varies widely and includes not only information specifically related to payments (e.g., payment card numbers, expiry dates) but also a wide variety of non-financial personal data (e.g., social security numbers, healthcare information, passwords). Criminals use the stolen data to commit fraud and re-sell the stolen data to other criminals. In addition to fraud losses, these events cause consumers and businesses significant additional expense and inconvenience.

Key drivers of data breach compromise events include, but are not limited to: (1) the growth of remote commerce; (2) the vast amounts of sensitive personal data that is being electronically shared and stored; (3) the wide variety of entities that handle and store such data; (4) the increased sophistication of hacking tools available to criminals; (5) the complex interconnections among internet-enabled systems that provide criminals with myriad ways to break into data storage units; and (6) the vulnerabilities of data protection tools and practices (used by businesses and individuals) to keep up with criminal attack vectors.

The increase in data compromise events has resulted in a commensurate increase in the need to notify individuals about such events, so they can take appropriate action. The need for breach notification has been recognized by governments in all 50 US states and additional US territories, where laws have been passed mandating the terms of notice to individuals about the unauthorized access to their personal information. However, the approaches taken are not uniform. There is considerable variation among the many jurisdictions in the legally required terms, conditions and time limits for breach notification.

The variations in legal requirements may cause several different problems. Consumers in different jurisdictions may be treated unequally and some may be disadvantaged. Companies that must comply with multiple different legal requirements face added costs. The additional complexity of differing legal requirements is likely to cause confusion or errors that compromise the notification process. Criminals may target acquisition of personal information by focusing efforts on entities in jurisdictions with relatively weak notification requirements, to improve their chances of using stolen data to commit fraud before the victims take protective action.

This standard presents a model for data compromise notification (and related definitions of terms) that reflects the best practices based upon a review and analysis of current laws in all US jurisdictions. Its purpose is to provide all stakeholders with requirements and guidance on how to best handle the complex issues surrounding breach notification, as well as to inform legislators nationwide about how to optimize and rationalize their collective approach to data breach notification. Moreover, the purpose of this standard is to improve public well-being by providing all consumers and businesses with a single timely, clear, and effective process for notification of data compromise events. Finally, the standard is intended to improve the efficiency of commerce by facilitating alignment and consolidation of differing data breach notification requirements.

The objective of this standard is to provide a template for optimal data breach notification terms, procedures, and timelines that should be adopted and implemented.

The goal can be achieved by encouraging widespread distribution and implementation of this standard throughout the population of primary stakeholders. In the broadest view, everyone is a potential stakeholder because each individual has personal data stored by public and private entities, and therefore everyone is at risk of having (and perhaps in the long term are likely to have) personal data compromised. However, as a practical matter, the primary stakeholders for this standard include but are not limited to:

• Banks, credit unions, and other financial services providers, including acquirers, issuers, processors, and payment gateways;

• Trade associations that represent financial services providers;

• Employers;

• Communications networks including but not limited to payment networks;

• Data storage entities;

• Merchants;

• Non-bank financial technology companies;

• Public interest groups focused on consumer protection;

• Security solution providers; and

• Social media companies.

The purpose of this standard is to provide a common set of cybersecurity requirements as they pertain to data protection and breach notification for the financial services industry. However, it is recognized that other industries might apply these same cybersecurity requirements within their own market segments.