Across the globe, there are a range of laws designed to protect consumer data. While the scope and requirements of each piece of regulation varies between regions and countries, they all have a broad set of fundamental requirements to which businesses need to adhere. Central to this is what organisations must do when a breach has occurred. One of the key elements of this is the idea that notifying those affected by a breach can reduce the harm that the leak of personal data can cause. Data breach notifications also have broader implications, in that they force companies to take more responsibility for any harm caused by a data leak, rather than sweeping it under the carpet.
Notification Requirements
While the concept of a data breach is fairly universal – personal, identifiable data being accessed by or disclosed to someone who is not authorised to have it, including being leaked into the public domain – the concept of notification is far less well defined. The first data breach notification law was passed in California in 2002, and since then various countries have tried to implement similar requirements. However, the picture still isn't clear cut. Taking the UK and the EU as an example, it is clear that businesses need a deep understanding of the nuances of the legislation:
The situation gets even more complicated when you look further afield. The German Data Protection Act requires both the affected individual and the regulator to be informed, but only depending on the type of data and the severity of the breach. In the United States, there is no federal standard, despite calls for this, and as a result each state has its own variation on the state of California’s original data breach notification law.
Ensuring compliance everywhere
While the principle of ensuring compliance sounds feasible in theory, putting it into a real-world context quickly exposes a number of challenges. The first problem is establishing exactly what has been exposed. If a mobile device is lost, it is difficult to confirm whether it has been stolen or simply misplaced. As a result, you cannot tell whether data on the device has been accessed, or accurately determine what, if any, data has been compromised. In many jurisdictions the authorities would look unfavourably on a company that cannot confirm the severity of the breach.
The second problem is notifying the authorities and affected parties within the correct timeframe. The challenge is knowing when the breach occurred. If a device holding personal data is lost on a Friday evening and the employee does not inform the IT department until Monday morning, that is more than two days during which nothing has been done to contain the potential impact of the breach. The EU GDPR requires the supervisory authority to be notified without 'undue delay' and, where feasible, within 72 hours of the organisation becoming aware of the breach (Article 33), with affected individuals notified without undue delay where the breach is likely to result in a high risk to them (Article 34). Given that the ICO's overriding concern is the potential harm a breach causes, a gap of this length before anyone even starts the clock can be perceived as demonstrating negligence.
Knowledge and technology are key
Ultimately, to ensure compliance with global data breach notification regulations you need to be able to say accurately whether a breach has occurred, what information has been exposed, and how many people are affected by it. Doing this effectively requires having the technology in place to encrypt device data, track stolen or lost devices, confirm whether the data has been accessed, and then wipe the device if it cannot be retrieved. Encryption state matters for more than damage limitation: under the GDPR, for example, a breach of data that has been rendered unintelligible to unauthorised parties, such as by encryption whose key the finder cannot obtain, generally does not have to be communicated to the affected individuals (Article 34(3)(a)), so being able to demonstrate that a lost device was encrypted can change the notification obligation itself. However it is done, organisations need to demonstrate to their regulators that they are in control of the situation when a breach has taken place. Being unable to do so makes financial and reputational damage from a breach both greater and more likely.
Stephen Midgley is VP global marketing at Absolute