Member Article
A global data breach notification – how long should you wait?
Across the globe, there are a range of laws designed to protect consumer data. While the scope and requirements of each piece of regulation vary between regions and countries, they all share a broad set of fundamental requirements to which businesses need to adhere. Central to this is what organisations must do once a breach has occurred. One of the key elements is the idea that notifying those affected by a breach can reduce the harm that the leak of personal data can cause. Data breach notifications also have broader implications, in that they force companies to take more responsibility for any harm caused by a data leak, rather than sweeping it under the carpet.
While many businesses are making great strides in protecting themselves against data breaches, all this hard work can be undone when a breach occurs. It’s impossible to guard against everything, so it is important to know exactly what to do once a breach happens. A delay in notification or failure to follow the correct procedure can have disastrous consequences, even if everything else is carried out to the letter. While requirements differ across jurisdictions, knowing the minimum breach notification standards across the globe ensures businesses aren’t caught out.
Notification Requirements
While the concept of a data breach is a fairly universal principle – personal, identifiable data being leaked into the public domain – the concept of notification is less well defined. The first data breach notification law was passed in California in 2002 and since then various countries have tried to implement similar requirements. However, the picture still isn’t clear cut. If you take the UK and the EU as an example, it’s clear that businesses need a deep understanding of the nuances of the legislation:
There is no general requirement under the UK’s Data Protection Act (1998) to notify breaches to affected individuals or the Information Commissioner’s Office. However, the ICO recommends that serious breaches should be notified, with the overriding consideration being the potential harm to individuals. The EU, by contrast, already has a data breach notification requirement in place for the electronic communication sector under the Privacy and Electronic Communications Directive 2003. This requires providers in that sector to notify a specific national authority and any individuals concerned when the breach is likely to adversely affect personal data or privacy. The situation in Europe is set to become more confused when the EU General Data Protection Regulation comes into force in 2017, as it will apply to all personal data being used by businesses operating in the European Union. It will require the company suffering the breach to notify the authorities without undue delay and to notify every individual that has been adversely affected.
The situation gets even more complicated when you look further afield. The German Data Protection Act requires both the affected individual and the regulator to be informed, but only depending on the type of data and the severity of the breach. In the United States, there is no federal standard, despite calls for this, and as a result each state has its own variation on the state of California’s original data breach notification law.
Ensuring compliance everywhere
Even from this small snapshot of data breach notification requirements, it’s clear that depending on where a breach occurs and the nationality of those affected, there’s a wide variety of standards to be adhered to. As a rule of thumb, your data breach protection policy should be built around the idea that in the event of a breach, you should be prepared to tell everyone affected by it as quickly as possible.
While the principle of ensuring compliance sounds theoretically feasible, when you put it into a real world context it quickly becomes apparent that there are a number of challenges to doing so. The first problem is establishing exactly what has been leaked. If a mobile device is lost, it is difficult to confirm whether it has been stolen or simply misplaced. As a result, you can’t tell if data on the device has been accessed or accurately determine what, if any, data has been compromised. In many jurisdictions the authorities would look unfavourably on a company that can’t confirm the severity of the breach.
The second problem is notifying the authorities and affected parties within the correct timeframe. The challenge is knowing when the breach occurred. If a device was lost and data breached on a Friday evening, and the employee doesn’t inform the IT department until the Monday morning, that’s over 48 hours where nothing has been done to rectify the potential impact of the breach. Given the EU GDPR’s requirements for notifications to be made without ‘undue delay’, and that the ICO’s overriding concern is the potential harm it causes, a delay of this length can be perceived as demonstrating negligence.
Knowledge and technology are key
Ultimately, to ensure compliance with all global data breach notification regulations you need to be able to accurately say whether a breach has occurred, what information has been exposed, and how many people are affected by it. The only way this can be done effectively is by having the technology in place to encrypt device data, track stolen or lost devices, confirm whether the data has been accessed, and then wipe the device if it can’t be retrieved. No matter how it is done, organisations need to demonstrate to their specific regulators that they’re in control of the situation when a breach has taken place. Being unable to do this makes financial and reputational damage from a breach that much greater and more likely.
This was posted in Bdaily's Members' News section by Stephen Midgley.