Data Breach Notifications: What's Optimal Timing? Answer: It Depends
Question: How quickly do organizations have to notify oversight agencies or affected consumers after they suffer a data breach?
Answer: It depends.
"Not too soon, not too late."
Under Europe's new General Data Protection Regulation, for example, any organization worldwide that suffers a breach that exposes Europeans' personal information must notify their "relevant supervisory authority" within 72 hours of discovering the breach, according to Britain's privacy watchdog, the Information Commissioner's Office. Failure to comply puts organizations at risk of being hit with massive fines.
"In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place," the ICO says.
But it's important to note that the notification deadline in the GDPR rules - now in effect, but not due to be enforced until May 2018 - relates to informing authorities. No rules, at least yet, specify how quickly affected Europeans must be notified.
In the United States, the Health Insurance Portability and Accountability Act requires covered entities to notify federal authorities and affected individuals within 60 days of discovering a breach that affects 500 or more individuals. By contrast, the banking sector's Gramm-Leach-Bliley Act requires financial firms to notify customers of a security incident "as soon as possible."
The Securities and Exchange Commission, meanwhile, says publicly traded U.S. companies must provide "timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision," including any breaches the company suffers.
State laws vary widely on breach notification. For example, New Mexico, the most recent state to pass a breach-notification law, will require organizations to issue notifications within 45 days of discovering a breach, if 1,000 or more of the state's residents are affected. In California - the first state to pass a breach-notification law back in 2002 - notifications must be issued for breaches that affect 500 or more state residents.
"In the case of California, the standard is to disclosure 'in the most expedient time possible and without unreasonable delay,'" Eva Casey Velasquez, president and CEO of Identity Theft Resource Center, a not-for-profit organization that assists data breach victims, tells me. "There is also language that speaks to the need for law enforcement to determine that the notification will not compromise an investigation."
Despite repeated attempts, Congress has yet to pass a federal breach notification law that could supplant the 48 state laws now in place.
Notification Timeframe: What's Ideal
Notwithstanding regulations and contractual obligations, optimal breach notification timing should be "not too soon, not too late," says cybersecurity attorney Mark Rasch, who in 1991 created the Computer Crime Unit at the U.S. Department of Justice.
"Too soon, you run the risk of inaccurate disclosure, and unnecessary panic. Too late, and the harm is already done," he says. "You disclose because there's something the victim can - and should - do to mitigate the harm." For example, in the United States that might include freezing one's credit reports, in the event that personally identifiable information has been exposed that could be used by identity thieves. Or the warning could give potentially affected consumers a heads-up to keep a close watch for fraud via their credit card statements.
Aim for 30 to 45 Days
Ideally, organizations will have planned well in advance for the moment they learn they've been breached. "All companies should have a data breach response program in place, practice it yearly, and be able to respond in around 30 to 45 days from discovering an issue or incident," says Chris Pierson, the CSO and general counsel for financial technology payment firm Viewpost.
He warns that rushing can be bad for all concerned, since an organization's legal and security teams need digital forensic investigators to specify to them who the breach affected and what was stolen before they can craft accurate notifications, enroll victims in identity theft monitoring, and so on.
"It is much more advisable to report a breach when the facts are known, the affected population determined, and the full resources of the company and vendors is in place," says Pierson, who also advises the Department of Homeland Security on data privacy and cybersecurity matters. "Failing to allow for this time to report can cause greater harm and worry to customers as the facts will change from day 10 to day 30."
Indeed, as breach investigations proceed - for example in the massive 2013 Target breach - investigators often find that the breach is much worse than they may have first suspected. Arguably, issuing changing and overlapping breach notifications leads to unnecessary "breach fatigue" for victims. "That only further confuses and complicates things for consumers, and it erodes trust for the business," ITRC's Velasquez says. "No one is better off in that scenario."
Good Move: Alert Authorities
Already, many organizations quickly alert authorities when they suspect that they've suffered a breach, even if not required to do so. And here's a hint: Doing so always looks good.
Cloud services firm Coupa, for example, suffered a breach on March 6 and notified victims in a letter dated March 15. In the letter, Coupa said that after detecting that it had fallen victim to the phishing scam, "we immediately contacted the Internet Crime Complaint Center [IC3], operated by the Federal Bureau of Investigation, and alerted the IRS of this scam" (see Silicon Valley Firm Coupa Hit by W-2 Fraudsters).
Many breached U.S. organizations find out they've been hacked thanks to a third party - often the FBI, which may discover the hack during its own investigations or receive a related tipoff from private sector investigators.
According to the 2017 M-Trends report from FireEye's Mandiant, 47 percent of breached organizations that the firm worked with last year learned they were breached thanks to being notified by an external party. On average, externally found breaches went undetected for 107 days, compared with 80 days for a breach that the organization discovered itself.
Once the breach gets discovered, organizations can begin investigating the intrusion, gain an accurate understanding of what happened, and finally alert any victims as to what happened and what they should do to protect themselves. "It's as important to get it right as it is to get it fast," Rasch says.