Most countries today have stringent laws governing data breach notifications. These laws require government bodies, private organizations and individuals who conduct business in any form to disclose any breach of private, confidential customer information by unauthorized third parties.
The penalties for failing to disclose such breaches can be huge. A few years back in the United States, the Federal Communications Commission (FCC) imposed a penalty of close to $10 million against two telecom businesses for holding personally identifiable customer information without adequate security measures. In Australia, the Mandatory Data Breach Notification (MDBN) law stipulates a fine of up to AU$1.8 million on organizations and up to AU$260,000 on individuals who fail to notify customers in case of a data breach. For what it’s worth, Australia sees one of the highest numbers of data breaches in all of APAC.
As a CIO, the buck stops with you for matters pertaining to data breaches and compliance with the notification requirements that follow them. While protecting your customers from a breach is definitely a high priority, it is equally important to establish measures that keep your organization actively aware of potential breaches. Being unaware that a breach has occurred is unlikely to be an easy defense in court.
Data breach cases
A data breach does not always happen through an unauthorized third-party hack. It is far more likely that data is breached through carelessness on the part of organizations or individuals. There are dozens of everyday situations that could lead to serious data breaches. An employee’s mobile phone, for instance, could be linked to your organization’s CRM containing all your customer records. If this device is not secured with a password, then you make things easy for the perpetrator if the device is stolen. In addition to making sure that the device is not accessible, it is also important for your organization to be able to remotely wipe the data from it. Otherwise, your organization could be setting itself up for a potential data breach.
Similarly, a contractor working on your organization’s database could store a copy of your customer records on their laptop. If this laptop gets stolen, then your organization is liable for the data breach. It doesn’t matter if you have an indemnification clause in your contract. The customer records that got breached are still yours, and you are responsible for their security. There are hundreds of such everyday situations in which your organization could be unwittingly handing customer records to unauthorized third parties.
Weighing the costs
As an organization, you may be tempted to hide suspected data breaches. This is especially true for minor breaches like the loss of a phone or the theft of a laptop. But as past instances show, this may not be a good idea from a legal or PR perspective. Data breach notification laws usually provide a time period of up to 30 days to assess the potential impact of a breach. This assessment can include:
- The extent of the data breach
- The kind of data that got breached (phone numbers, social security numbers, etc.)
- The impact on one or more individuals/customers
- Whether your organization could have prevented the risks through remedial actions
Do, however, note that the time you have to assess impact depends on the jurisdiction of your customers, not necessarily on where your organization is based. If you have customers in the European Union, then the latest GDPR regulations (which go into effect later this year) allow a mere 72 hours for this assessment.
Most data breach notification laws only emphasize ‘major incidents’, and it is the job of your organization to assess whether any new incident is major or minor. Typically, a breach is considered minor if it does not pose a risk to the rights and freedoms of living natural persons. For instance, if the only thing a data breach reveals is that the average income of all your thousands of customers is $60,000, then this does not directly pose a risk to any individual. Such a breach may be deemed minor. It is worth pointing out that this is not legal advice, and it is important for a CIO to consult a lawyer to interpret the regulations in your jurisdiction.
Executing a breach notification
You may not have to send out a breach notification if remedial actions have been taken to contain the breach (like automatically changing the passwords of your users). But if you have been unable to contain the breach from your end, it is important to draft a notification that is exhaustive in covering every aspect of the breach. For instance, if there has been unauthorized access to customer passwords, it is important to remind your customers that this breach could also potentially harm their financial data or health records, as the case may be. Covering the extent of the damage in your notification may not necessarily be a legal requirement, but it is the best way to ensure that your customers suffer the least possible damage from the breach.
It is a good idea to conduct periodic security audits in your organization, not only to assess potential weak spots but also to prepare a roadmap for the necessary notifications.