[BreachExchange] How to be compliant with data breach notification laws
audrey at riskbasedsecurity.com
Thu Feb 15 18:50:47 EST 2018
Many countries today have stringent laws governing data breach
notifications. These laws require government bodies, private organizations and
individuals who conduct business in any form to disclose any breach of
private, confidential customer information by unauthorized third parties.
The penalties for failing to disclose such breaches can be substantial. A few
years back in the United States, the Federal Communications Commission
(FCC) imposed a penalty of close to $10 million on two telecom
businesses for storing personally identifiable customer information without
adequate security measures. In Australia, the Mandatory Data Breach
Notification (MDBN) law provides for fines of up to AU$1.8 million for
organizations and up to AU$260,000 for individuals who fail to notify
customers of a data breach. For what it's worth, Australia sees one
of the highest numbers of data breaches in all of APAC.
As a CIO, the buck stops with you for matters pertaining to data breaches
and compliance with the notifications that follow them. While protecting your
customers from a breach is definitely a high priority, it is equally
important to establish measures that keep your organization actively
aware of potential breaches. Ignorance of a breach is unlikely to be a
defensible position in court.
Data breach cases
Data breaches do not always happen through unauthorized third-party hacks.
It is far more likely for data to be breached through
carelessness on the part of organizations or individuals. There are
dozens of everyday situations that could lead to serious data breaches. An
employee's mobile phone, for instance, could be linked to your
organization's CRM containing all your customer records. If this device is
not secured with a passcode, you make it easy for the perpetrator in
the event of a theft. In addition to making sure that the device is not
accessible, it is also important for your organization to be able to
remotely wipe the data from it. Note that a remote wipe only takes effect
once the stolen device comes back online, so storage encryption on the
device, combined with the passcode, is the control that actually protects
the data in the meantime. Without these measures, your organization is
setting itself up for a potential data breach.
Similarly, a contractor working on your organization's database could store
a copy of your customer records on their laptop. If this laptop gets
stolen, your organization is liable for the data breach. It doesn't matter
whether you have an indemnification clause in your contract. The customer
records that got breached are still yours, and you are responsible for their
security. There are hundreds of such everyday situations in which your
organization could be giving away customer records to
unauthorized third parties.
Weighing the costs
As an organization, you may be tempted to hide suspected data breaches.
This is especially true for minor incidents like the loss of a phone or the
theft of a laptop. But as past instances show, this is not a good idea
from either a legal or a PR perspective. Data breach notification laws usually
provide a limited time period, up to 30 days in some jurisdictions, to assess the
potential impact of a breach. This assessment can include:
- The extent of the data breach
- The kind of data that was breached (phone numbers, social security
  numbers, etc.)
- The impact on one or more individuals/customers
- Whether your organization could have prevented the risk through remedial
  action
Do, however, note that the time you have to assess impact depends on the
jurisdiction of your customers, not necessarily on where your organization
is based. If you have customers in the European Union, the GDPR
(which applies from 25 May 2018) requires the supervisory authority to be
notified within 72 hours of your becoming aware of a breach, which leaves
very little time for this assessment.
Most data breach notification laws only emphasize "major incidents", and
it is the job of your organization to assess whether any new incident is
major or minor. Typically, a breach is considered minor if it does not pose
a risk to the rights and freedoms of natural persons. For instance,
if the only thing a data breach reveals is that the average income of all
your thousands of customers is $60,000, then this does not directly pose a
risk to any individual. Such a breach may be deemed minor. It is worth
pointing out that this is not legal advice, and it is important for a CIO to
consult a lawyer to interpret the regulations in your jurisdiction.
Executing a breach notification
You may not have to send out a breach notification if remedial action has
already contained the breach (for instance, forcing a reset of every exposed
user password before it could be used). But if you have been unable to contain
the breach from your end, it is important to draft a notification that is
exhaustive in the way it covers all aspects of the breach. For instance, if
there has been unauthorized access to customer passwords, it is important to
remind your customers that this breach could also potentially harm their
financial data or health records, as the case may be, particularly where
they reuse the same password elsewhere. Covering the extent of the damage in
your notification may not necessarily be a legal requirement. But it surely
is the best way to ensure that your customers suffer the least damage from the
breach.
It is a good idea to conduct periodic security audits in your organization,
not only to assess potential weak spots but also to prepare a roadmap for
the necessary notifications.