[BreachExchange] Failing to notify known data breach could lead to bigger fine, says expert

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 10 18:42:23 EST 2016


http://www.out-law.com/en/articles/2016/november/failing-to-notify-known-data-breach-could-lead-to-bigger-fine-says-expert/

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm
behind Out-Law.com, said businesses should adopt cyber incident response
plans that include procedures for reporting data breaches internally. She
said it is important that staff are made aware of the need to quickly
highlight cyber incidents to managers when they occur.

Wynn said that legal obligations to notify data breaches to regulators and
to make customers aware of such incidents only apply in some sectors such
as banking and telecoms. However, she said all organisations could find
themselves having to report data breaches under the EU General Data
Protection Regulation (GDPR) when it comes into force in 2018.

"At the moment many data breach incidents do not come to light as
organisations do not face a legal duty to report them," Wynn said.
"However, some data protection authorities have previously said that it
will count against businesses if they hear about data breaches second-hand,
such as through the media or from customer complaints. In addition,
businesses face significant reputational damage if the cases come into the
public domain and they have not been open about such incidents with
customers."

"Furthermore, data protection authorities are also likely to view dimly
businesses that take a long time to report data breaches to them and
customers, unless there is a very good reason for the delay," she said.
"This is particularly true if it transpires that the delay was because
employees, or worse still, senior executives, were aware of the data breach
at the time of the incident. Regulators could take such factors into account
in the level of fine they could choose to levy, which under the GDPR could be
up to 2% of a business' annual global turnover or €10 million, whichever is
greater, if the data breach notification rules are not adhered to."

Wynn said that it is to be hoped that data protection authorities will
issue guidance to help businesses meet their obligations on data breach
notification under the GDPR. The ICO has already published brief guidance
on the topic. Wynn said she hopes future guidance makes it clear to
businesses the various circumstances that will be considered to trigger the
notification requirements.

A recent information rights tribunal ruling in the UK relating to a major
data breach experienced by TalkTalk shows that the UK's Information
Commissioner's Office (ICO) will expect businesses to notify data breaches
in multiple steps, if necessary, to inform it of the nature of incidents,
beginning from the point at which they become aware of those breaches, Wynn
said. The tribunal said that a single customer complaint about a possible
data breach can serve as the trigger for notification and that the duty to
notify does not necessarily only kick in once internal investigations into
those cases are complete.

"That case should prompt businesses to establish internal procedures, as
part of broader cyber incident and data breach response plans, for
notifying data breaches," Wynn said.

Wynn's comments come as internet giant Yahoo made public further details of
the major data breach it reported earlier this year in a recent regulatory
filing to the US Securities and Exchange Commission (SEC).

In September, Yahoo announced that it believed the personal data of at
least 500 million Yahoo account holders was stolen in a "state-sponsored"
cyber attack. It reported the incident, believed to be the largest recorded
data breach in history, more than 18 months after the breach occurred.

In its recent SEC filing, Yahoo revealed that it is looking into whether
some employees knew about the cyber attack at the time it took place.

Yahoo said: "The company had identified that a state-sponsored actor had
access to the company’s network in late 2014. An independent committee of
the board, advised by independent counsel and a forensic expert, is
investigating, among other things, the scope of knowledge within the
company in 2014 and thereafter regarding this access, the security
incident, the extent to which certain users’ account information had been
accessed, the company’s security measures, and related incidents and
issues."

"In addition, the forensic experts are currently investigating certain
evidence and activity that indicates an intruder, believed to be the same
state-sponsored actor responsible for the security incident, created
cookies that could have enabled such intruder to bypass the need for a
password to access certain users’ accounts or account information," it said.

Yahoo also said it "does not have cybersecurity liability insurance".

A committee of European data protection authorities recently wrote to Yahoo
asking the company to disclose more details of its data breach to them and
to cooperate with their inquiries into the incident.

US telecoms company Verizon agreed a $4.8 billion deal to acquire Yahoo
earlier this year. In October Verizon asked Yahoo to disclose the full
impact of the cyber attack on the business. Verizon is reportedly looking
into whether the data breach incident justifies a possible reduction in the
price it has agreed to pay to acquire Yahoo, according to the Financial
Times.