We hear this time and time again—another organization has experienced a data breach and did NOT report it or failed to do so in a timely manner. One thing we’re all taught early on in life is to learn from your mistakes, or maybe even others’s mistakes. Here is one important lesson we should all learn. Forty-eight U.S. states require companies to notify the public of a breach of unencrypted data, some within specific time frames (45 days in Washington State, for instance).
Companies operating in Europe will have to give notice within 72 hours of a breach of personal data, starting May 2018, under the new General Data Protection Regulation (GDPR). Some regulated U.S. industries, such as health and finance, also have to report breaches to their regulators. For instance, new regulations from the New York Department of Financial Services say “A Covered Entity must give notice to the Department of any Cybersecurity Event, which includes many Cybersecurity Events that involve consumer harm, whether actual or potential.” The new regulations also require financial companies to report certain data breaches within 72 hours.
Although not required, any attacks, even unsuccessful attacks, that raise a concern, should be promptly reported by the organization to regulators, law enforcement and the affected public. For example, Disqus, a worldwide blog commenting hosting service, took approximately 23 hours and 42 minutes to notify customers and reset passwords for compromised accounts. This breach possibly was not big in media because it was handled well. Another great example is Kickstarter back in 2014. They notified their customers within 3 days, which allowed the company enough time to investigate internally and notify customers and regulators. On the downside, Uber concealed a data breach for over a year, finally revealing it in late 2017—and as a result faces a crowd of lawsuits and investigations.
Equifax is in similar hot water for waiting more than a month to announce the massive attack on its data in 2017. Initial response does not need to entail all of the details, because most likely the organization will not have all of the answers at this point. Organizations should focus on notifying the needed parties and informing them on how they can react – reset passwords, sign-up for credit monitoring, etc. Seventy-two hours can seem like a quick turnaround, but the clock starts the time you find out you were breached, whether it was noticed internally or you were told by law enforcement; 72 hours would also be a timely manner for most regulators. Whether you are reporting the incident to your regulators or your customers make sure to check off all of the boxes to help your organization manage the fallout. As breaches become more prevalent, it’s not about will you get breached, it’s WHEN will you be breached. Get your company ready for for the unknown by assessing the financial impact of a breach like this, today with RiskLens. 