Sensitive information found its way into cybercriminals’ hands in more than two dozen major security breaches in 2017, and the rising frequency of cyberattacks is driving a shift in thinking about data breach reporting.
In the statutes that determine how quickly the public must learn of a breach, states generally have required notice “without unreasonable delay.” That standard permits time for companies and government agencies that experience data loss to research the scope of the breach and how it happened, preserve evidence and discover information that will help prevent future incidents.
But as breaches have become almost commonplace, some state legislatures are beginning to shorten the time frames in which breaches must be reported. Several states, including New Mexico and Ohio, now require disclosure no later than 45 days after a breach is discovered. Florida allows just 30.
Most states enforce the reporting deadlines by assessing civil penalties for failure to provide information within the mandated time frame. Fines can run into the tens or hundreds of thousands of dollars. Florida requires a fine of up to $500,000 if notice is not given within 180 days of the event. In Michigan, the penalty can run up to $750,000.
Biometric data theft
Shorter notification deadlines are not the only changes some states have mandated.
States traditionally have required citizens to be notified if their personally identifiable information (PII) — including driver’s license, credit card or Social Security numbers — has been compromised. As biometric technology use becomes more common to allow employees to clock in at work or access financial accounts, companies and government will increasingly collect and store eye and facial scans, fingerprints and other personal biometric data, as well.
Because what is stored can be stolen, several legislatures have added biometric data theft to their breach reporting statutes. Most recently, Delaware passed an amendment, taking effect in April 2018, that includes “unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes” in its data security breach statute.
Responding to a changing landscape
When a breach occurs, condensing the time by which a report must be made is at odds with the need to complete a forensic investigation, which may take several months, depending on the scope of the breach. Adhering to a short disclosure window may mean going public with incomplete information that later could prove inaccurate, a situation that ultimately may cause more harm than good.
Security leaders are caught between a rock and a hard place, but they can take these steps to respond to the shifting data breach notification landscape:
- Develop a data classification policy that organizes the information you collect by the impact to your constituents if its confidentiality were to be compromised. Review your policy and inventory your data at least annually, making changes as needed.
- Collect and store only the information you need to do business. If you have regularly collected PII, look for alternative ways to identify those you serve.
- Review your state’s reporting requirements. If citizens from other states do business with you, recognize that you must adhere to those states’ stipulations, as well. Make sure you understand what is expected if a breach occurs.
- Create an incident response plan that allows you to report within the relevant time allotment. Among other components, your plan should include internal and external contacts, a protocol for reaching each one, and templates and methodologies for reporting the breach to various stakeholders. Test and update your plan annually.
- If a breach occurs and you are required to disclose it before a forensic investigation is complete, be clear about where the process stands. Help constituents understand that the early reporting is incomplete and more information will be disseminated as it becomes available.
Cyber theft will continue to be a major concern for business and government in the year ahead. While virtually all government agencies have data security measures in place, breaches happen. Changing disclosure obligations make it more critical than ever that agencies be prepared to respond if they are affected.