How to comply with global data breach notification laws

Legislation to protect consumer data exists across the world. The requirements of the law vary between countries and regions, but there’s a broad set of standard ground rules with which businesses need to comply. Thanks to IT support company Evolvit for their help in the creation of this article.

Pivotal to the rules is the action that organisations must take if a data breach has occurred. The aim is to notify everyone affected by the breach, so that the risks associated with the leaking of personal data can be reduced. Global data breach notification laws also force organisations to take responsibility for any problems caused by an incident, rather than trying to cover it up.

[Image: "data (scrabble)" by justgrimes, licensed under Creative Commons]

Following the correct procedures

While the majority of businesses protect themselves against data breaches, cybercrime and hacking, it’s almost impossible to protect against all attacks, as hackers are using increasingly sophisticated techniques. Knowing what to do if a breach occurs is therefore crucial to limiting any damage.

The legislation recognises that any delay in notifying those affected can have serious consequences. Understanding the global minimum standards for breach notification, and therefore the correct action to take, ensures that organisations don’t fall foul of the law or leave customers at further risk.

Data breach notification requirements

Even when personal and financial data are leaked into the public domain, the concept of data breach notification is often not well defined. The state of California in the USA was the first to pass legislation relating to data breaches, in 2002. Subsequently, various countries have implemented similar legislation.

However, none of it is particularly clear cut and businesses must take the time to ensure they fully understand all the requirements. In the EU and the UK, for example, there are different rules. The EU is governed by the Privacy and Electronic Communications Directive 2003, a law that requires organisations to notify all individuals affected in the event of a data breach, in addition to notifying a national authority, when the breach affects personal data and privacy.

There isn’t a general requirement in the UK, under the Data Protection Act 1998, to notify affected individuals or the Information Commissioner’s Office in the event of a data breach. However, if there’s a serious breach, the ICO recommends that it be notified, with the main consideration being to limit any harm to individuals.

New regulations planned for 2017

The EU General Data Protection Regulation is due to be introduced in 2017 and will apply to any personal data that’s being used by businesses within the European Union. Under the new laws, any company suffering a data breach must notify the authorities within a reasonable time and must notify every individual who may be affected.

In other European countries, the situation may become confusing because of their own individual laws. For example, the German Data Protection Act requires both the regulator and any affected individuals to be informed, but not in every case. The requirement to notify the relevant bodies and individuals depends on the kind of data and the seriousness of the breach.

In the USA, there isn’t a federal standard law. Instead, each state has its own individual variation of California’s data breach notification laws.

Ensuring compliance everywhere

It’s apparent that there’s a wide variety of standards across the globe when it comes to data breach notification laws. In general terms, any organisation’s policy should be to focus on protecting everyone who will be affected in the event of a breach, telling all concerned as quickly as possible.

There are challenges to putting this standard in place, however. One of the major ones is ascertaining what’s been leaked and how serious the risks are. For example, if a mobile device has been lost, was it misplaced or stolen? How easy is it to access any data on the device, and so compromise security?

In some jurisdictions across the globe, the authorities would be highly critical of any company that couldn’t confirm how serious the breach was.

Notifying the relevant parties

Notifying the affected individuals and the relevant authorities is a challenge in itself, especially since this must be completed within a specific timeline. Often, it can be difficult to ascertain exactly when the breach occurred.

If a mobile device has been lost and the data has been breached on a Friday evening, for example, there’s a chance the employee may not realise this until Monday morning and won’t inform IT until after the weekend. This would mean more than 48 hours had passed between the device being lost or stolen – potentially compromising data – and the breach being reported to IT.

As the EU requires that notifications of a breach be made “without undue delay”, the ICO may regard a delay of over 48 hours as negligent, and such a delay may cause serious harm to those affected by the breach.

The key is knowledge and technology

In order to comply with all global data breach notification legislation, businesses must be able to say accurately whether a breach has occurred and specify what information has been exposed in the public domain. It’s also necessary to know how many people are affected by the breach.

This can be achieved effectively by using technology that tracks lost or stolen devices, encrypts device data, confirms whether someone has accessed the data and wipes the device if it can’t be retrieved. Organisations must take the necessary steps to ensure they comply with global data breach notification laws, demonstrating to their specific regulator that they’re in control of any breach situation.