[BreachExchange] Understanding GDPR’s Breach Disclosure Starts with Who Owns PII

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 8 17:16:06 EST 2018


https://www.jdsupra.com/legalnews/understanding-gdpr-s-breach-disclosure-17281/

In February, Congress held a hearing on data breach disclosure rules. For
two hours, members of the Subcommittee on Financial Institutions and
Consumer Credit wrestled with when companies should disclose a breach, what
they should disclose, and whether the United States should have one
standard for breach disclosure nationwide.

Don’t die of shock here, but the hearing didn’t result in much consensus.

On the contrary, debate among lawmakers and five panelists invited to speak
underlined the profoundly different approaches to personal data that are
emerging today — with corporate compliance officers, and the breach
response programs you oversee, caught in the middle.

On one side is what we could call the “pro-company” view. It’s better that
companies give consumers accurate information about a breach, this thinking
goes, so therefore companies should have an appropriate amount of time to
compile that analysis. Maybe it’s 72 hours, maybe one week; maybe the
company even determines this window for itself, based on the circumstances
at hand.

On the other side is the “pro-consumer” view. This group says it’s better
that companies give consumers immediate information about a breach, and
therefore regulators are well within rights to specify some fixed period of
time. One example would be the European Union’s General Data Protection
Regulation, and its requirement for disclosure of a breach within 72 hours
of a company discovering it.

That’s what questions about breach disclosure are all about, really. If
your answer to the question of who owns PII is, “I own my PII, it’s about
me!” then naturally you want to know as soon as possible when your property
is damaged. For example, if a friend borrows your car and wrecks it, you
want to know immediately. You don’t care about giving the friend extra time
to compile an accident reconstruction analysis with local police.

If your answer is, “The company owns any PII it collects or that customers
voluntarily give to it,” then logically the company can take more time.
Yes, most companies will still strive to disclose information to aggrieved
consumers, but it’s a lesser duty of care since the data belongs to the
company.

Difference in Data Privacy between the EU & U.S.

Compliance officers at large organizations have no easy path forward here,
since powerful forces align with both camps. For example, the GDPR assumes
that personally identifiable information belongs to the person, and that
stance is rooted in deeply held cultural norms Europeans have about privacy.

The United States, meanwhile, has a much more mixed position, because we
have never answered the “Who owns PII?” question clearly and definitively.
Instead we have a hodgepodge of disclosure regulations that vary by state,
industry, and type of data. We also have a bad habit of deciding to
regulate after some big policy failure, rather than before it.

GDPR or Not, It’s Just Good Practice

On a practical level, ethics and compliance officers are well-served simply
to implement the GDPR’s standards in all their fine detail. First, if you
do business in Europe or handle data of EU citizens, you don’t have much
choice.

More broadly, the fundamentals of GDPR compliance — risk assessment, vendor
management, employee compliance training, escalation procedures after a
breach — are all going to help your organization anyway.

Think about it. If you could build a compliance program that delivered all
those privacy protections for “sensitive intellectual property” rather than
“personally identifiable information,” would your CEO and board be annoyed?
No. They’d love you for it.

The GDPR is setting a high standard for privacy and good data stewardship
that, eventually, all companies will need to achieve simply because of how
the modern IT environment is evolving. The GDPR might be ahead of the
strategic business imperative right now, but the imperative will catch up.

And lastly, the GDPR’s stance on PII seems to be on the right side of
history. Not long ago I spoke with a privacy lawyer and joked about the
potential for a California Data Protection Regulation. He chuckled, then
paused thoughtfully, and said, “Actually, that’s not funny.”

I’m not sure whether the spread of GDPR privacy expectations would be funny
or not. But compliance officers might want to err on the side of caution,
and assume it’s inevitable.