When should an organization report a data breach?

From May 25, 2018, compliance with the EU General Data Protection Regulation (GDPR) will be mandatory for organizations that process EU residents’ personal information. The Regulation joins a number of US federal and state laws that hold organizations accountable for mitigating and managing information security risk.

No matter what its size or cybersecurity posture, your organization is vulnerable to cyber crime and data breaches. Under federal, state, and international laws, once organizations become aware of a breach they have a certain amount of time to report it to the relevant supervisory authority. Sitting on an incident without reporting it puts organizations at risk of legal and other ramifications.

The NYDFS cybersecurity regulation, which came into effect in August 2017 and requires covered entities to submit certification documentation by February 15, set a 72-hour rule for reporting information breaches. Under the GDPR, any business worldwide that has EU residents’ personal information compromised is required to notify supervisory authorities within 72 hours of uncovering the breach.

As yet, there is no requirement under the GDPR specifying when affected EU residents must be notified. The UK’s Information Commissioner’s Office (ICO) warns, “In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.”

Timeframe to report a data breach varies by sector and by the number of people affected

Different state regulations impose reporting timeframes that vary based on the number of individuals affected. Under the Health Insurance Portability and Accountability Act, for example, covered entities have 60 days to inform federal authorities and affected individuals when 500 or more individuals are involved. The Gramm–Leach–Bliley Act is vague in its timeframe enforcement – financial institutions must notify customers of a security breach “as soon as possible.”

The Securities and Exchange Commission (SEC) is also unclear, saying only that publicly traded US companies must deliver “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.”

State laws are far from uniform on breach notification timeframes

Presently, there is no federal cybersecurity regulation covering the entire US that obligates organizations to alert the public to data breaches, and state breach notification rules vary.

California was the first state to impose a breach notification law back in 2002. Companies that fall victim to cyber crime or a data breach must issue notifications when 500 or more California residents are affected, in as expedient a manner as possible.

New Mexico was the most recent state to issue a breach notification law. The state mandates that businesses have 45 days to issue notifications once a data breach is discovered, but only if 1,000 or more of the state’s residents are affected.

Notify the right parties to reduce damage and protect your company’s reputation

According to cybersecurity attorney Mark Rasch – who, in 1991, created the Computer Crime Unit at the US Department of Justice – optimal breach notification should be “not too soon, not too late.” His reasoning reflects the delicate nature of personal data when it comes to a data breach: “Too soon, you run the risk of inaccurate disclosure, and unnecessary panic. Too late, and the harm is already done.”

Rasch agrees with the ICO that organizations should tell cyber crime victims when there is something they can do to mitigate harm. Affected persons can:

  • Register for credit monitoring services
  • Freeze financial accounts
  • Be more vigilant in monitoring personal accounts for evidence of fraud

Notwithstanding requirements, organizations will sometimes notify authorities as soon as possible when there is evidence of a data breach. Doing so always looks good, because it shows you care about your customers’ privacy and ensures your organization is protected. Prompt notifications can also help remedy the situation if data breach details escalate.

However, if details worsen, or multiple breaches are involved, notifying the public at each step can lead to unnecessary ‘breach fatigue’. Fallout may follow, as consumers lose trust in an organization beset by confusion. It may also weaken state legislators’ incentive to act on cybersecurity regulation, as breach notices become the norm and are considered less urgent.

What is the appropriate amount of time for an organization to report a data breach?

According to databreachtoday.com, “it depends.” Organizations should have established information security management policies and processes well in advance of a data breach. Chris Pierson, Department of Homeland Security (DHS) cybersecurity CSO and general counsel for Viewpost, says 30 to 45 days is a suitable window.

Pierson says prematurely notifying the public can be bad for all concerned. An organization must have legal, security, and digital forensic teams in place to properly investigate breach implications. “It is much more advisable to report a breach when the facts are known, the affected population determined, and the full resources of the company and vendors is in place,” says Pierson. “Failing to allow for this time to report can cause greater harm and worry to customers as the facts will change from day 10 to day 30.”

Learn how to protect your organization from the damaging consequences of a data breach

With more regulations being passed in the US and internationally, it is more important than ever that organizations put in place effective cybersecurity measures. One way is to implement an information security management system (ISMS) that mitigates data breach risk. Gaining ISMS certification that is accredited by the International Organization for Standardization, such as ISO 27001, is an indicator that an organization has adequate data security controls in place.

IT Governance is a leader in cybersecurity compliance training, advisory, and information, with clients around the world. Its accredited, practitioner-led course will give you the knowledge and tools to lead an ISO 27001 ISMS implementation project. Learn how to comply with data security regulations, mitigate information security risks, and manage data breach events. Register for the ISO27001 Certified ISMS Lead Implementer Training Course.