[BreachExchange] Are organizations compliant with data breach notification timeframes?

Destry Winant destry at riskbasedsecurity.com
Thu Nov 29 08:29:27 EST 2018


https://iapp.org/news/a/are-organizations-compliant-with-data-breach-notification-timeframes/

In my conversations with fellow privacy professionals, one of the most
common challenges I hear repeated — across industry, across roles, and
across organization sizes — is keeping up with ever-changing data
breach notification regulations. In 2018, we saw the much anticipated
effective date for GDPR. Canada had the new mandatory breach
notification and record-keeping requirements under PIPEDA go into
effect. In the states, 10 bills that impact data breach notification
obligations went into effect, and all 50 states now have their own
breach notification regulation, each different from the next.

Clearly, given the legislative landscape, data breach notification
requirements are growing and trending towards increasing stringency
and complexity. But do increasingly rigorous regulations have a real
impact on breach notification outcomes? This question is how we
arrived at the topic of this month’s benchmarking article, in which we
will explore compliance outcomes and the influence of increasingly
specific U.S. state-mandated notification timelines.

Notification timeframes and the efficacy of increasingly specific data
breach notification regulations

Historically in the U.S., a majority of state breach notification laws
have ambiguous timeframes in which a breach of personal information
requires notification to impacted individuals. It’s not uncommon to
see definitions such as “in the most expeditious time possible,
without unreasonable delay.” Unless an organization establishes its
own notification policy, this ambiguity can lead to inconsistent
notice timelines across incidents and jurisdictions.

Increasingly, states are replacing this ambiguous language with  more
specific notification timelines or outside limits by which time an
impacted individual must be notified, specifying the number of days an
organization may have to provide notification to individuals in order
to remain compliant with the state’s breach notification law. 2018
alone saw eight states change their notification timelines, defining
that organizations have:

60 days to notify individuals (South Dakota, Delaware, Louisiana).
45 days to notify individuals (Alabama, Arizona, Oregon, Maryland).
30 days to notify individuals (Colorado).

Digging into the aggregated metadata of data privacy incidents, we
compared notification compliance within organizations that provided
notice to individuals in states with ambiguous language against states
with specific notice timeframes in order to answer the question: when
a state regulation sets an explicit timeframe, do we see organizations
typically providing notice faster or slower than they may otherwise
under ambiguous timeframes?

The results, according to our analysis? For the most part,
organizations provided notification to individuals within about the
same time frames, regardless of whether or not the regulation had an
explicit requirement in terms of the number of days to notify.

A few things to note about these findings:

When we begin looking at the data, the majority of companies sampled
provided notification in a consistent timeframe across ambiguously
defined and specifically defined state data breach notification
timeframes, meaning they were responding at about the same rate.
Eleven percent of organizations notified impacted individuals more
slowly when the notice time frame was ambiguously defined. Most
organizations prioritize compliance with breach notification law of
states that have a specified notification deadline over those that do
not.
Interestingly, 16 percent of organizations notified impacted
individuals in jurisdictions with ambiguously defined timeframes more
quickly than they did in jurisdictions with explicitly state-defined
timeframes, and here’s where we see the influence of privacy policies
even when regulations may have ambiguous or undefined timeframes. Some
organizations that have set internal policies may apply a shorter
timeframe to provide notification across all jurisdictions,
essentially expediting the notification process in some states.

Why is this information important for privacy professionals?

The influence of regulatory requirements on how a privacy team is able
to demonstrate  compliance is an interesting area for exploration,
because in this case it illuminates the value of strong privacy
policies and consistency in incident response. The aggregated incident
metadata represents best practices of organizations that use Radar for
consistency and automation in their incident response process,
operationalizing their privacy program to be highly data driven. In
that sense, this data demonstrates that organizations can ensure data
breach compliance across jurisdictions, meeting or exceeding
notification deadlines through automation and best practices.

Another important item of note: While notification timeframes in the
U.S. are generally defined by months, in a post-GDPR world, we’ve all
become acutely aware of the 72-hour timeframe in which you must
provide notification to supervisory authorities. Contractual
obligations to provide notification are similar, in that the
notification timeframe may be defined in hours rather than days. Your
regulatory burdens require knowing the difference, being able to
quickly identify these differences, prioritize the most urgent and
timely tasks, and document your decisions.

Finally, I think every privacy professional is well aware that data
breach notification regulations are rapidly changing, and remaining
informed of these regulatory changes in the U.S. and beyond is
critical to ensuring compliance. As regulations continue to condense
the timeframe between the discovery of a breach and required
notification to affected individuals, it’s increasingly critical that
policies, processes and operational systems are in place to quickly
escalate discovery of suspected privacy incidents, perform consistent
and efficient multi-factor incident risk assessment, determine whether
notification is required and streamline the overall incident response
lifecycle.


More information about the BreachExchange mailing list