BreachExchange mailing list archives

Businesses need more guidance on trigger for data breach notifications, says expert


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 13 May 2015 19:33:40 -0600

http://www.out-law.com/en/articles/2015/may/businesses-need-more-guidance-on-trigger-for-data-breach-notifications-says-expert/

Data protection law specialist Marc Dautlich of Pinsent Masons, the law
firm behind Out-Law.com, said that it is not clear from the wording of the
proposed new General Data Protection Regulation (GDPR) when "the clock
would start ticking" on the 72 hours companies would have to report the
loss, theft or unauthorised accessing of personal data they are responsible
for.

Dautlich was commenting after a survey of 145 IT professionals by software
provider Varonis Systems found that only 48% of respondents believe their
organisation would be able to meet the 72 hour deadline for data breach
notification under the planned Regulation.

Under proposals that have the provisional backing of justice ministers
across the EU, organisations would generally have 72 hours to notify
regulators as soon as they become aware that they have suffered a personal
data breach that "may result in physical, material or moral damage" to
individuals.

Damage of this kind could range from identity theft or fraud, to damage to
their reputation, loss of control over their personal data or a loss of
confidentiality of data protected by professional secrecy, according to
the ministers' plans.

"The 72 hour deadline for notification is a demanding one," Dautlich said.
"Businesses are going to need to give some thought to questions that seem
easy but – as anyone who has dealt with a breach will know – are often not
at all, for example."

"It is not always obvious exactly when a breach stemming from a security
incident actually began or what constitutes a breach in the absence of
better clarity from law makers," he said. "Systems logs produce all sorts
of alerts that law makers cannot intend to be caught by the current
provisions in the GDPR. On the other hand, information security experts
will need some guidance about appropriate triggers, and organisations as a
whole will need procedures that, based on experience, many of them
currently do not have or have only in rudimentary form – that is, practical
security breach response plans, owned and managed by a person accountable
for meeting the requirements of the GDPR once implemented."

"These are not trivial questions or procedures and, on current experience,
we cannot expect law makers to give much clarity any time soon about what
in practical terms companies are going to have to do to meet their new
legal obligations. At the same time, many organisations have come to
acknowledge that the nature of the cyber threats facing them means it is
more likely than not that their information security will be breached at
some point, and therefore they cannot afford to ignore these procedures,"
Dautlich said.

Businesses that fail to protect personal data adequately under the new GDPR
could face fines of up to 2% of their annual turnover, up to €100 million,
under the Council of Ministers' proposals for the GDPR. MEPs are pushing
for even stiffer penalties to be made available to regulators.

According to the Varonis survey, 80% of IT professionals believe banks are
the most likely organisations to be hit with the maximum fines possible
under the new GDPR.

However, Dautlich said that "experience shows that retailers are probably
more at risk" of such sanctions.

"Banks, as high-profile organisations that consumers trust and recognise,
are a potential major target for enforcement action under the GDPR if they
suffer a data breach," Dautlich said. "However, perhaps the most
high-profile data breach incidents to date have involved retailers,
including the cases of Target and Home Depot, albeit both incidents
occurred in the US. Criminals are targeting retailers in
search of rich payment card data and other personal information of
consumers. Their data security practices are likely to be placed most under
scrutiny under the GDPR as a result."

"Data breaches are an unfortunate, near-unavoidable reality of conducting
digital business. The potential regulatory fines stemming from a data
breach - although set to increase dramatically - are only one facet
businesses need to consider. Data breaches have an impact on the reputation
of a company and, as the Target case shows, the careers of senior
executives. Companies need to identify a suitable incident response plan
for their business and rehearse it," Dautlich said.