The number of data breaches tracked in the U.S. in 2017 totaled 1,579, a 44.7 percent increase over the previous year. Data breaches, incidents in which personal information is accidentally or unlawfully stolen, lost, disclosed, accessed, altered or destroyed, can happen to organizations of any size and in any sector.
Most data breach laws deal with personal data, which is essentially any information that can be associated with a particular person. Other rules concern personally identifiable information, which is data that someone could use, alone or along with additional information, to trace or distinguish a person’s identity.
How you respond to a data breach has a significant impact on how severe its consequences are. Reporting the incident is one action that can help.
In general, you should report a personal data breach if it likely poses a risk to people and threatens their rights and freedoms. This is based on the General Data Protection Regulation (GDPR), which applies to any organization that handles the data of European Union citizens. An incident might threaten someone’s rights and freedoms if it may result in identity theft, identity fraud, financial loss, discrimination, damage to reputation, social disadvantage or loss of confidentiality.
International, federal and state laws vary in their requirements about when to report breaches. In the U.S., all 50 states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have laws that require entities to notify people of breaches involving personally identifiable information.
Under the GDPR, an organization that experiences a personal data breach must notify the appropriate authorities within 72 hours of discovering it. Within that timeframe, data controllers are also required to investigate the incident, identify the affected data, inform impacted individuals and create a plan for containing the breach. If the organization can’t complete these activities within 72 hours, it is expected to explain the delay.
Under the Health Insurance Portability and Accountability Act (HIPAA), entities affected by the law must inform authorities and the impacted individuals within 60 days, but only if 500 or more people are affected. Authorities for some other sectors, such as the Securities and Exchange Commission (SEC), don’t have specific timeframe requirements.
Requirements under state laws vary. In New Mexico, businesses have 45 days to issue a notification if the incident impacted 1,000 or more residents of the state. California requires companies to send out notifications if 500 or more residents are affected, but it doesn’t have a specific timeframe requirement.
Laws, of course, determine how soon companies must report cybersecurity incidents. Within those limits, companies should also make sure they have as much accurate information as possible before sending out an alert, to avoid miscommunication. If an organization waits too long, on the other hand, the damage may already be done. It’s important to strike a balance between these two extremes.
Who you should notify depends on the laws that apply to you, the industry you’re in and who was affected. In many cases, you must notify the supervising authorities. Under the GDPR, for example, you need to notify the Information Commissioner’s Office. If your organization is covered by the Health Breach Notification Rule, you must notify the U.S. Federal Trade Commission (FTC) and perhaps the media. If you are covered by the HIPAA Breach Notification Rule, you’ll need to inform the U.S. Department of Health and Human Services.
It is advisable to tell law enforcement about a breach as quickly as possible. You may call local police, but if they are not familiar with cybersecurity incidents, you can also call your local FBI office.
If you store information for other businesses, notify them. If information pertaining to a certain organization is stolen, contact that organization. For example, if an attack results in the theft of bank account numbers, notify the affected banks. If the breach involves names and Social Security numbers, you may need to contact the major credit bureaus.
You may also need to contact the individuals who may be affected by the breach and inform them of what data was affected, what you’re doing to address the situation and what they can do to protect themselves.
Reporting breaches of personal data enables regulating authorities, law enforcement and individuals to take action to reduce the amount of damage that may occur. Some of these authorities may also be able to help you ensure your system is secure again and prevent further data loss.
The laws that affect your organization can vary depending on your location, industry and other factors. Consider these requirements as well as what is best for the individuals affected when deciding whether to report a breach.
Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her re
(Security Affairs – Cybersecurity, data breach)