When it comes to cyber security, there is one universal truth: Everything is hackable. Beyond that, approaches for keeping consumer data safe and standards for reporting breaches wildly vary.
As the United States grapples with fallout from the worst cyber security incident in history, Europe is getting ready to hold companies accountable under a new set of rules designed to prevent a breach on the scale of Equifax from ever happening and, if it ever did, to minimize the aftermath.
"In general, the Europeans have a less skeptical view of their governments and tend to be more skeptical of companies. In the US, it tends to be the other way around," said Michael Daniel, president of the Cyber Threat Alliance and former cyber security coordinator in the Obama administration. "That has certainly affected the speed in which these things have developed."
Follow the Rules or Pay a Fine
General Data Protection Regulation (GDPR), as the new European rule is known, takes effect next May. The GDPR covers how companies store your data, and requires them to alert authorities within 72 hours of a breach. If companies don't comply, they can be fined 4 percent of their global revenue or 20 million Euros — whichever number is higher.
Every American company that handles a European citizen's data will also have to be in compliance.
The new rules are "putting the onus on the companies to understand how they are managing customer data and concerns around privacy," Rohit Ghai, president of RSA, a global security company, told NBC News.
With the Equifax cyber attack affecting the personal information of as many as 143 million people, the question of whether some sort of regulation is needed in the United States is once again being asked.
"I keep thinking this will be the breach that gets people to make some changes and creates the legislative momentum. It's hard to say because we have seen some of these breaches before — but I do think it will add to the growing litany for a standard of care," Daniel said.
But deciding on what that standard of care is — and how it may differ between the neighborhood pizza shop that collects email addresses for its deal of the day and a behemoth like Equifax — is part of the challenge.
"You [Equifax] are a giant company whose job it is to manage data... Equifax seems to not have done some things well that you would expect. That is what the idea of a standard of care is," Daniel said. "We would expect a company holding sensitive data to meet a high standard of cyber security. What we don't really have yet is that sense of 'What is the standard of care' in different industries?"
Over-Regulation Hasn't Helped
Despite high profile breaches — from Target to Yahoo — legislation to toughen data protection standards hasn't gained traction, but it's not for lack of an effort.
A search for "cyber security" yields 141 pieces of legislation — including bills and amendments — that have gone before the 115th Congress with those words in the title or body and cover a variety of areas.
Rep. James Langevin (D-RI) introduced a bill in 2015 that called on companies to report data breaches within 30 days of discovery. In addition, they would have to notify consumer reporting agencies and major media outlets if the number of people affected exceeds 5,000.
"In the U.S., there has been a ton of regulatory burden over the last several years, so in general the sentiment from a business climate perspective is we are too heavily regulated," Ghai said.
Mark Weatherford, chief cyber security strategist at vArmour and the former deputy undersecretary for cyber security in the Department of Homeland Security, told NBC News he would "rather see the market work than regulation force us into something, because there are always unintended consequences."
"In the United States, we have a history of being cowboys... We wanted to do things on our own without being regulated to death, but I'm afraid we have reached a point where we have to do something now because it's obvious we are not doing enough."
Is Europe the Best Example?
But it would be wrong to think Europe's exact rules could work in the United States, the experts said.
Beyond the American culture that tends to buck regulation, the three-day breach reporting window has also received some scrutiny and raised questions as to when the timer would start.
"My general experience is it takes multiple days or weeks to really get your arms around what has happened and to balance this against what the adversary is going to do with the data," Daniel told NBC News. "The return on the value of the data decreases rapidly, but on the other hand you also very frequently learn a lot more when you really dig into the forensics."
Weatherford and other cyber security experts NBC News spoke with agreed there's likely to always be some sort of discussion as to whether and how regulation should play a role in cyber security. However, they agreed that it may be difficult to actually get anything passed in the current political climate. That means Europe may end up — at least slightly — becoming our cyber savior.
American companies that have to comply with Europe's data protection rules won't be required to hold non-European customers' data to the same standard of care. However, there's a strong possibility companies may choose to treat everyone's data like it is European.
"I could see some companies operating on the basis of the most restrictive regime and treating everyone's data like they're European," Daniel said. "That could be one strategy, but I don't know if all companies will go in that direction."
Weatherford agreed. "I am not sure a company is going to say we went through the expense of putting together a security infrastructure to protect data, why should we segregate it like that?" he told NBC News.