By: Nihad Hassan
October 18, 2021
Data Breach Notification Laws
Digital transformation is accelerating rapidly and affecting every area of business; nowadays, organizations of all sizes and across all industries rely on information technology to facilitate work operations and increase efficiency. The most visible result of this massive shift to digital technologies is the enormous amount of data that today's digital ecosystem generates and stores.
According to IDC, worldwide data will grow 61% to 175 zettabytes by 2025. The number of internet users will exceed 6 billion in 2025, and each internet user will have at least one data interaction every 18 seconds. This massive volume of digital interactions, amplified by the data generated by Internet of Things (IoT) devices worldwide, will push the world's digitization forward at an unpredictable rate.
Organizations store and process large volumes of data as part of their daily work, and a portion of this data is classified as sensitive and must not be exposed to the wrong parties. Examples of sensitive data include patient health information, customer information, credit card details, and financial information, to name only a few. Exposing sensitive information to the wrong parties can have serious reputational, legal, economic, and regulatory consequences for the affected organization.
What is a data breach?
A data breach is a security incident that results in exposing confidential information to outside parties. A data breach can cause massive damage both to the affected organization and to the users whose information was revealed. The cost of that damage can be enormous, and recovering from it can take a long time.
Almost every week, we hear about a massive data breach. A recent Facebook data breach that exposed the phone numbers and personal details of 533 million users, and a LinkedIn data breach that disclosed the personal information of 500 million LinkedIn profiles, are prominent examples.
What is a data breach notification?
Most organizations that collect or process user data need to comply with one or more data protection regulations. The most prominent are the European General Data Protection Regulation (GDPR), PCI DSS for credit card information, and HIPAA for patient information.
As part of complying with these regulatory requirements, organizations have to report security incidents that affect sensitive data to the proper supervisory authority and, in some cases, to the affected individuals whose personal data may have been involved in the breach. In this article, I will discuss the notification requirements of the European GDPR.
GDPR and the notification law
The GDPR imposes a mandatory notification requirement when users' personal information is affected by a data breach. The complete document, officially adopted on 14 January 2021, can be found on the official website. Here are the main points regarding GDPR notifications:
The GDPR requires the data controller to:
- Document any data breach affecting customers' information, detailing which information was exposed in the breach and what measures have been taken to remedy the incident.
- Notify the supervisory authority if the data breach exposed personal information.
- Notify the affected users as well when the personal data exposed in the breach contains sensitive information that may cause them harm or loss of freedom.
The GDPR lists seven security incidents that require notifying the supervisory authority:
- Ransomware: Ransomware encrypts the target organization's files and demands a ransom to restore access. The GDPR treats losing access to sensitive data as a type of data breach that requires notification.
- Data exfiltration: Any attack that aims to exfiltrate personal data for malicious purposes. Exfiltration attacks commonly result from a compromised website or a vulnerable service.
- Human error: This includes any human errors that result in exposing sensitive data to unauthorized parties.
- Lost computing devices or paper documents: Examples include losing a laptop or a USB device containing personal information or losing paper documents containing similar info.
- Mispostal: This is another type of human error. An example is an employee accidentally sending a message containing sensitive personal information to the wrong recipient.
- Social engineering: Social engineering attacks come in different forms and can be grouped into 1) attacks carried out over the internet and 2) in-person attacks. In both types, the social engineer aims to gain unauthorized access to sensitive information.
For each of the above incidents, the GDPR gives examples of attack scenarios and explains how the data controller should handle them. For ransomware attacks, the GDPR gives sample scenarios of an organization that has a backup and suffers no data exfiltration, and of an organization that has no backup and does suffer data exfiltration.
The organization holding the data (the data controller) must notify the supervisory authority and the affected individuals (the data subjects) when the breached data poses an immediate risk to their rights and freedoms. The data controller must send the notification as soon as it becomes aware of the data breach.
When a business suffers a data breach affecting customer data, the data controller must notify the supervisory authority as soon as it discovers the breach. However, not all data breaches require external notification. For example, a breach that results in the theft of proprietary software, trade secrets, or other confidential business documents does not require notifying regulatory compliance offices.