GDPR Compliance: 72 Hour Data Breach Notification Rule Is Good Idea
The EU’s General Data Protection Regulation (GDPR) will force many changes in technology and processes when it comes into effect in May 2018. We have heard extensively about how companies and other organizations will have to provide capabilities to:
- Collect explicit consent for the use of PII per purpose
- Allow users to revoke previously given consent
- Allow users to export their data
- Comply with users’ requests to delete the data you are storing about them
- Provide an audit trail of consent actions
Software vendors are preparing, particularly those providing solutions for IAM, CIAM, ERP, CRM, PoS, etc., by building in these features if not currently available. These are necessary precursors for GDPR compliance. However, end user organizations have other steps to take, and they should begin now.
GDPR mandates that, 72 hours after discovering a data breach, the responsible custodian, in many cases it will be the organization’s Data Protection Officer (DPO), must notify the Supervisory Authority (SA). If EU persons’ data is found to have been exfiltrated, those users should also be notified. Organizations must begin preparing now how to execute notifications: define responsible personnel, draft the notifications, and plan for remediation.
Consider some recent estimated notification intervals for major data breaches in the US:
- Equifax: 6 weeks to up to 4-5 months
- Deloitte: perhaps 6 months
- SEC: up to 1 year
- Yahoo: the latest revelations after the Verizon acquisition indicate up to 4 years for complete disclosure
The reasons data custodians need to be quick about breach notifications are very clear and very simple:
- The sooner victims are notified, the sooner they can begin to remediate risks. For example, Deloitte’s customers could have begun to assess which of their intellectual property assets were at risk and how to respond earlier.
- Other affected entities can begin to react. In the SEC case, the malefactors had plenty of time to misuse the information and manipulate stock prices and markets.
- Cleanup costs will be lower for the data custodian. Selling stocks after breaches are discovered but prior to notification may be illegal in many jurisdictions.
- It will be better for the data custodian’s reputation in the long run if they quickly disclose and fix the problems. The erosion of Yahoo’s share price prior to purchase is clear evidence here.
Understandably, executives can be reticent in these matters. But delays give the impression of apathy, incompetence, and even malicious intent on the part of executives by attempting to hide or cover up such events. Though GDPR is an EU regulation, it directly applies to other companies and organizations who host data on EU member nations’ citizens. Even for those organizations not subject to GDPR, fast notification of data breaches is highly recommended.