Data Breach Notifications: Are businesses and consumers ready for the impact
As the title suggests, there are two communities who will very soon be forced to come to terms with data breach notifications as these are required by the EU GDPR that comes into force in May 2018.
These communities are:
- Businesses that will have to lodge data breach notifications when they occur; and
- Customers, users, subscribers or members of the public who will be affected by them.
The other party involved, the regulator or authority (in the UK this is the ICO), we will leave out of this post – if they aren’t ready for GDPR and the burden of data breach notifications when the new regulations come into effect in 2018 there will be very different problems to face up to.
Data Breach Notifications: The key things you should be aware of
The first area of challenge is detecting breaches that do occur – this sounds obvious; but the reality is that in lots and lots of cases one of two things happens:
- The breach is revealed by it being made public or being noticed by a researcher/journalist/intelligence agency, by the data being posted or through its effects (i.e. third party fraud)
- The breach isn’t detected for ages (for example years) until the company finally notices and then, often rather sheepishly, owns up to it (often by being forced to).
Under GDPR it is pretty clear that with the mandated data breach notifications to regulators it is going to be more important to detect breaches much more quickly (to avoid seeming lax at detection) and being the first one to notice (on the basis that if someone else has to tell you, then you might also seem lax at detection).
Not all breaches have to be notified to the authority so in the very first instance you need to be able to ascertain if what you are looking at is minor or more serious, in which case the clock is ticking on your 72 hours to notify.
As an example you might have lost a memory stick – but what was on it? It could be 16Gb of sensitive customer healthcare data or a presentation to last year’s sales conference? In the first case there are problems looming – it is clearly a major loss of data. In the second case who cares? Certainly not the ICO.
Knowing whether the breach is likely to be notifiable (and how sure you are) and what the process of notification entails, is very useful to know early on – for example what systems are affected, what data sets were accessed (even if you don’t know what actual contents in terms of fields and numbers of rows).
This is really a matter of scaling down from “it could be anything and everything” to a much smaller “it is no more than this”. Assuming the worst is probably as bad as hoping for the best – the sooner you know the volume and contents of the breach the better.
Communicating and explaining
Assuming you do have to tell the regulator or authority, it is going to be necessary to explain how the breach happened (which you are going to have to find out), why it happened (which you might not know), where the data has gone (is it in the wrong hands or just “lost”) and – this is likely to be the most important part – what you are doing about it.
You also have to tell the individuals affected. Knowing who was affected (see the “volume of data” problem above) means you know which customers or data subjects to inform; and knowing what data you have lost means you can decide what to say and do about it.
Finally there is the need to communicate with the press – here you need help from PR experts, but in the past we have seen that:
- Seeming uncaring will not go down well
(BP’s Tony Hayward “wanting his life back” during the Deep-water Horizon incident);
- Failing to give information can lead to the press making up an answer that sounds exciting and terrible
(TalkTalk’s Dido Harding not knowing how many people were affected by their data breach);
- Trying to get technical will get the technical community up in arms
(calling a SQL injection web site vulnerability a “sophisticated cyber attack” for example);
- Ignoring social media is a big mistake(people are quite capable of making up many versions of the story and their own hypotheses – irrespective of what you have officially said or what you already know).
You have to engage with these channels whether you like it or not and speaking with the right language and tone is critical – so be positive, honest and helpful rather than resentful, evasive and unconcerned.
Data Breach Notifications: Are consumers ready?
Understanding the responsibilities
When an organisation tells you that your data has been exposed they will hopefully give you some instructions as to what to do and why. However you might not get a full picture of what part of your data has been exposed (see above). It will be even worse though if you find out from the news media or from friends on social media, as in that case there will be all sorts of stories, theories, advice and little of it will be based on facts.
This is likely to become more prevalent under GDPR as more breaches will be publicised whereas in the past they might have been “swept under the carpet”. While this is both a blessing and a curse it still means that there will be more spells of uncertainty while breaches are discussed and the correct action (or the company’s response) is debated.
The number of breaches
If one assumes that as of today under the existing compliance regimes, there are breaches occurring that are going unnoticed and unreported then it seems clear that one effect of GDPR will be to actually increase the number of breaches we have to deal with as members of the public.
This could have several unintended consequences – for one thing changing passwords is a nuisance even now. If people use the same password across sites (not good advice, but very common) or have to change them often the frustration with this is going to grow. Possibly it will reach the point where passwords become even more trivial and ineffective – once you have run out of children’s names, dates of births, lines from songs, initials of famous quotes, words you can remember with numbers and punctuation etc. where do you go from there?
The same problem exists with credit cards and other forms of id; each time a credit card number and associated details are exposed it can be reissued. But this is a problem for the issuer and also for the card holder as it means a constant stream of new cards, new numbers and knock-on effects like stored card details in systems and retailer sites or any that are used for annual subscriptions then need updating.
A slightly heart-breaking outcome of this coming rise in the number of data breach notifications, is that good security should be a market differentiator and it might cease to be.
No one expects customers to choose a more expensive credit card on the basis of the issuer having great intrusion detection systems, firewalls or security analytics. However, if a retailer or bank has a good reputation for protecting information and being secure and trustworthy then (all other things being equal) that should count for something.
You can’t expect security to trump basic economics, but you would expect (as we have sometimes seen in the past) carelessness towards protecting data causes damage to competitive advantage, loss of customers and increased churn.
So what do consumers and citizens do when all the banks have suffered a public breach of one sort or another, when all the leading electronic retailers have been hit, or when an organisation they have no choice in dealing with like the tax office loses data…?
The consumer could quickly reach a point where they simply can’t choose a more secure organisation to do business with as all the providers in a given sector are perceived as being as bad as each other: unable to be trusted with with personal data, so just pick one and hope for the best.
It is unrealistic to not have a bank account because all the banks have at some point suffered a security breach; and shopping around for a new mortgage because your current lender lost your details may not be possible either. What real choice is there?
GDPR is Coming – Ready or Not?
The reality is that GDPR is coming; from May 2018 it will be in force.
Some organisations will be ready, some won’t be ready but will want to be and others will wait until they see what the reality of post-GDPR security looks like before they even start shaping their new practices.
Likewise, for consumers, the awareness of this will be variable. Without having exposure to the raft of GDPR coverage in the security and privacy communities, it is highly likely that awareness at the data subject end is very low. In this case, the first mandatory breach notification someone receives could well be the first time they have heard about it.
This lack of readiness should scare us whether we work for businesses that hold personal data but aren’t ready to deal with breaches OR if we are system/service users or customers who lodge or enter our personal data into the systems any business operates.