Towards a Standardised Set of Breach Notification Rules

data breach

Written by Boris Cipot, senior security engineer at Synopsys.

Across January and February 2020, IT governance has estimated that over 2.1 billion records have suffered a breach, or 1.5 billion and 623 million records respectively. If we supposed that each record belonged to a different individual, that means almost 28% of the global population have had their data compromised in two months alone. Fortunately, instigated by California’s data breach notification law in 2003, at least 90 countries around the world have begun implementing a variation of data protection laws to defend the public from such instances. Granted, some are more robust than others. Two regions with the most comprehensive measures in place include the United States as well as the European Union, with the General Data Protection Regulation, or GDPR, that became directly applicable law in all Member States from 2018. 

It is upon the premise of these laws that the class action lawsuit against Zynga was able to be filed. In this particular case, Zynga, a mobile gaming company, experienced a data breach that affected at least 173 million people. The class action lawsuit claimed that the company had not informed the public in a timely nor informative manner in order for precautionary steps to be taken, particularly as a significant proportion of those affected were minors. Indeed, little information was given regarding what data, precisely, had been accessed, and the notice was not officially emailed to affected individuals. 

In general, most data protection laws require organisations to alert any and all affected parties, whether customers or partners, of a breach upon learning about it. In other words, most laws include ‘breach notification rules’. It is through these rules that organisations are given an outline of the necessary actions they need to undertake, clarifying the form of the notification, who exactly should be informed, and the time limit. Notification requirements may also be conditional to the severity of the data breach. In the event that the name or email address of individuals are revealed, a simple email notification might suffice. However, where more sensitive information such as usernames, passwords, credit card or social security numbers is exposed, organisations should also provide customers with proper guidance to mitigate any further issues on their end. Moreover, should there be a breach of a critical infrastructure provider, stricter measures and protocols would need to be applied as the consequences of not doing so could be catastrophic. For such providers, not only would all hands need to be on deck to remediate the problem, but external experts may need to step in. 

Nevertheless, these laws do differ slightly depending on the country or state’s security standards and best practices. For example, the GDPR states that a personal data breach should be notified by the controller to its supervisory authority within 72 hours of being aware of it. If the breach will likely pose a high risk to individuals involved, then the organisation is also obligated to inform them about what has happened and the steps they have, or are taking, to contain the matter. In contrast, the Health Insurance Portability and Accountability Act (HIPAA) requires affected parties in the US to be notified of a breach within 60 days. If the breach affects more than 500 individuals of a certain jurisdiction, only then is it compulsory for the notification be communicated through prominent media outlets. 

It is important to note here, however, that while it is vital that organisations share any instances of a breach, revealing too much information could be perilous. In doing so, one may inadvertently expose additional entry points for an attack or inspire cybercriminals to target other organisations with the same issues. Rather, breached organisations should collaborate with the manufacturer responsible for the vulnerable equipment in an effort to resolve the problem. After gaining a better understanding of the issue as well as finding a solution, such as a security patch, then the organisation and partner manufacturer can disclose the information in detail. 

Unfortunately, looking back at the lawsuit case against Zynga, this example also shows that despite having laws to protect us, there continue to be organisations who have neglected to prepare and comply with regulations for if, but most likely, when, they face a breach. According to a report conducted by the Ponemon Institute, ‘Keeping Pace in the GDPR Race’, only 18% of organisations are highly confident in their ability to communicate a data breach to relevant regulators within 72 hours. In a globalised world where business is often conducted across borders, this unpreparedness among organisations could arguably come down to the lack of ‘standardised’ rules. Data protection laws are complicated as they are but having to readjust a company’s contingency plans according to the many configurations they may take across jurisdictions, makes it even harder to keep up. Just looking at GDPR alone, nearly half (49%) of Chinese respondents and more than a third (36%) of Japanese respondents continue to be unfamiliar with its regulations. 

A standardisation of rules in this area could help to bring more structure when managing mandatory public disclosure. If breach notification rules existed in an internationally accepted format, and all organisations played by these same rules, then they would function more efficiently. There would be a set procedure defining what needs to happen, when it has to happen, to whom the information needs to be addressed, as well as what the receiving party is expected to do with the provided information. In this way, there would also be an audit trail and with this, transparency about the process. 

 


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/