A data breach of sensitive customer information can be a complicated and critical issue for companies. Preventing data breaches is important, but having a comprehensive data breach response plan, especially for breaches that involve highly protected sensitive data, should be a priority for your organization as well.
Without a data breach response plan, organizations are left scrambling and often focus solely on remedying the situation. Stopping further data loss and fixing the vulnerability is a top priority, but other steps in the process cannot wait either. One of those steps is data breach notification, which is required by state data privacy laws (and, depending on the data and the people affected, by sector-specific federal rules and the GDPR). The consequences of not reporting a data breach can be significant. Read on to learn how you can avoid penalties, reputational risks, and more.
Are companies legally required to report all data breaches?
Currently, there is no general federal law in the U.S. that governs data breach notification. Sector-specific federal rules do exist, most notably the HIPAA Breach Notification Rule for protected health information, and every state has its own law that dictates when and how data breaches must be handled.
Factors such as the size of the breach, who the breach affected, and the sensitivity of the data compromised will influence whether a business needs to provide data breach notification. A breach that involves 50 customers’ information is going to be treated much differently than a breach that involves sensitive data of 50,000 customers. Generally, data breaches that involve sensitive information are treated much more seriously and will require some form of reporting or notification.
State data breach notification laws
All 50 U.S. states have some form of data breach notification law. The requirements, such as how soon you need to report a data breach and to whom, vary from state to state. California, Delaware, and Illinois, in particular, are known for having strict notification laws in cases where customers’ personally identifiable information (PII) is compromised.
Each state will have its own parameters as to what constitutes timely breach notification, how that notification can be delivered (email, phone, prominent advertising, etc.), and what type of information needs to be included in the notice. This might include detailing the nature of the breach, the likely consequences of the breach, and other details.
To get familiar with the specific requirements for each state, you can review the breach notification chart provided by the National Conference of State Legislatures. It’s always best to seek advice from trusted legal counsel, especially as your organization creates or updates its data breach response plan.
GDPR data breach notification requirements
If your organization experiences a data breach that affects people in the EU, then the GDPR’s breach notification rules apply to you. Under Article 33 of the GDPR, an organization must report a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The 72-hour clock starts when you become aware of the breach, not when you finish investigating it; if notification is late, the GDPR expects you to explain the delay. Personal data, according to the GDPR, is any information that relates to or can be used to identify a person. This data can be as simple as a name and address.
Organizations must also notify data subjects of the breach without undue delay when the incident is likely to result in a high risk to the rights and freedoms of the persons affected. The method of notification can include direct messaging (such as email or SMS), prominent website banners, mailed letters, and prominent advertisements in print media. The notice must include, in clear and plain language:
- The nature of the data breach
- The likely consequences of the data breach
- The measures taken or proposed to be taken to address the breach
- Measures that may be taken to mitigate the breach’s possible adverse effects
- Contact information of the data protection officer, or other point of contact, who can be reached for more information
What are the consequences for not reporting a data breach?
When an incident like a data breach occurs, notification can seem counterintuitive. Organizations want to minimize the damage done, not publicize the issue. But, trying to fly under the radar can lead to negative consequences that only worsen the situation.
Specific penalty amounts for not reporting a data breach will vary by state and by your breach’s specific circumstances. Depending on the nature of the breach, the fines and penalties can quickly stack up.
In 2016, Uber had the data of 57 million users and 600,000 drivers breached. Instead of reporting the incident, Uber paid the perpetrators to keep quiet and delete the data. The breach was not disclosed until late 2017, and in 2018 Uber agreed to a $148 million settlement with all 50 states and the District of Columbia for violating state data breach notification laws.
In 2019, Touchstone Medical Imaging, based in Tennessee, agreed to pay $3 million to the U.S. Department of Health and Human Services’ Office for Civil Rights in a case where over 300,000 patients’ protected health information was exposed, a federal HIPAA enforcement action rather than a state one. The company was found to have provided untimely notification to the patients affected by the breach and to have failed to conduct a thorough risk analysis.
Negative public perception
On top of the legal and financial consequences businesses may face due to untimely breach notification, they could face reputational scrutiny. When an organization clearly communicates what happened and the actions being taken to rectify the situation, it can regain control of an unfortunate incident. The public sees that the organization cares and takes its customers’ privacy seriously.
However, by not being transparent, you breach the trust you once had with your customers. Organizations risk losing customers and may struggle to rebuild their trust.
Data breach notification laws: what to expect
Although there aren’t any federal laws that govern data breach notification, that could change in the near future. Consumers are becoming more aware of data privacy and their rights—especially with the recent passing of CPRA, which builds on the consumer data privacy protections enforced by the CCPA.
With all of the recent updates to data privacy in California, it’s not a far stretch to predict that other states may follow suit or that federal legislation may be proposed. Regardless of what’s to come, state laws are tightening up and enforcing penalties for data breach notification non-compliance.
How to avoid data breach notification penalties
When notification is necessary, most laws dictate that organizations need to move quickly and without undue delay. The windows vary widely: the GDPR gives you 72 hours to notify the supervisory authority, while U.S. state laws typically either set a fixed deadline measured in days (commonly 30 to 60 days) or require notice “without unreasonable delay,” and in every case the clock starts when you become aware of the breach. Building out your data breach response plan, and executing it, is critical.
On the execution side, consider the following questions:
- Can we quickly pull real-time reports for leadership to assess if a data breach were to occur?
- Can we easily find all data matched to the persons affected by the breach?
- Can we quickly run automated remediation workflows to help prevent further data loss?
- Can we match all identities and data to the appropriate regulatory categories to meet notification requirements?
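The questions above boil down to a scoping exercise: for each affected person, what sensitive elements were exposed, which jurisdiction’s rules apply, and when is the notification deadline. The following script is an added example (it is not Spirion’s code or any part of the product described on this page) that runs that triage over a small set of constructed breached records. The GDPR’s 72-hour supervisory-authority window is taken from Article 33; the U.S. state windows in the rule table are placeholder assumptions that counsel would have to replace with the actual statutory deadlines, and any jurisdiction without a loaded rule is flagged for legal review rather than silently given a default.

```python
"""Breach-scoping triage: classify exposed data per person, group affected
people by jurisdiction, and compute regulator notification deadlines."""
import re
from datetime import datetime, timedelta, timezone

# Data elements that, paired with a name, trigger most US state laws.
# Names and e-mail addresses alone are personal data under the GDPR but
# are not counted here as "sensitive elements".
SENSITIVE_FIELDS = {"ssn", "card_number", "health_record_id"}

# Format checks so masked or junk values (e.g. "***-**-6789") are not
# counted as exposed sensitive data and do not inflate the scope.
VALIDATORS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card_number": re.compile(r"^\d{13,19}$"),
}

# Hours from awareness to regulator notification.
# EU: GDPR Art. 33 (72h). US-* values are PLACEHOLDER ASSUMPTIONS for
# illustration only; replace with the real statutory deadline per state.
REGULATOR_DEADLINE_HOURS = {
    "EU": 72,
    "US-CA": 30 * 24,  # placeholder, not the actual California rule
    "US-TN": 45 * 24,  # placeholder, not the actual Tennessee rule
}


def sensitive_elements(record):
    """Return the set of sensitive data classes this record really exposes."""
    found = set()
    for field in SENSITIVE_FIELDS:
        value = record.get(field)
        if not value:
            continue  # absent or blank column
        validator = VALIDATORS.get(field)
        if validator and not validator.match(str(value)):
            continue  # masked, truncated or malformed value
        found.add(field)
    return found


def scope_breach(records, aware_at):
    """Group records by jurisdiction, de-duplicating people by person_id
    (one person may appear in several leaked rows), and attach deadlines."""
    report = {}
    for rec in records:
        jur = rec.get("jurisdiction", "UNKNOWN")
        entry = report.setdefault(
            jur, {"persons": set(), "elements": set(),
                  "deadline": None, "needs_counsel": False})
        entry["persons"].add(rec["person_id"])
        entry["elements"] |= sensitive_elements(rec)
    for jur, entry in report.items():
        hours = REGULATOR_DEADLINE_HOURS.get(jur)
        if hours is None:
            entry["needs_counsel"] = True   # no rule loaded: escalate
        else:
            entry["deadline"] = aware_at + timedelta(hours=hours)
        entry["persons"] = len(entry["persons"])
        entry["elements"] = sorted(entry["elements"])
    return report


# Constructed sample rows, not real data.
SAMPLE_RECORDS = [
    {"person_id": "p1", "jurisdiction": "EU", "email": "a@example.test",
     "health_record_id": "HR-1001"},
    {"person_id": "p2", "jurisdiction": "US-CA", "ssn": "123-45-6789"},
    {"person_id": "p2", "jurisdiction": "US-CA", "card_number": "4111111111111111"},
    {"person_id": "p3", "jurisdiction": "US-CA", "ssn": "***-**-6789"},
    {"person_id": "p4", "jurisdiction": "US-NY", "card_number": "5555555555554444"},
]
# The clock starts at awareness of the breach, not at discovery of the bug.
AWARE_AT = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def sample_report():
    return scope_breach(SAMPLE_RECORDS, AWARE_AT)


if __name__ == "__main__":
    for jur, entry in sorted(sample_report().items()):
        print(jur, entry)
```

Two behaviours are worth noting: person p2 appears in two leaked rows but is counted once, with both exposed elements merged, and person p3’s masked SSN is not counted as an exposed element, so the California group reports two people rather than three. A row from a jurisdiction with no loaded rule (US-NY here) gets no deadline and a `needs_counsel` flag instead of a guessed one.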
A data privacy management tool can make it easier for security teams to move quickly when it comes to data breach response and notification. The Spirion Sensitive Data Platform is built with identity-centric data discovery, automated workflow control for remediation, high-powered analytics and data visualization for reporting, and cross-system support to make data breach response easier. To see our solution in action, watch a free demo here.