Are organizations meeting their notification obligations when timelines are specified?
This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by RADAR, a provider of purpose-built decision-support software designed to guide users through a consistent, defensible process for incident management and risk assessment. Find earlier installments of this series here.
Once an incident has been discovered, the clock starts ticking. Privacy officers and their teams must immediately investigate the incident, perform a multi-factor risk assessment according to all applicable jurisdictions to determine if the incident rises to the level of a data breach, and notify affected individuals, regulators, and authorities — often within a very short time frame. It can be a daunting task, compounded by the need to keep up with an ever-changing patchwork of data breach regulations, both enacted and proposed, each with their own unique requirements.
In 2018 alone, we saw the EU General Data Protection Regulation go into effect, with its stringent requirements and unprecedented penalties for non-compliance. We also saw new mandatory breach notification and record-keeping requirements under Canada’s PIPEDA. In the U.S., 11 bills with data breach notification specifications went into effect, and by the end of the year all 50 U.S. states had enacted breach notification regulations. 2019 looks to be a busy year as well — the Radar team is currently tracking more than 40 proposed regulations that could impact breach notification obligations.
Of all the changes, greater stringency in notification timeframes seems to be one of the more risk- and stress-inducing for privacy professionals tasked with keeping their organizations compliant. We need look no further than the GDPR and its unprecedented 72-hour requirement as an example, though there are many others.
Given these pressures, how are organizations faring in meeting their notification obligations when timelines are tight? This is the topic we will explore in this month’s benchmarking article.
How do organizations fare when notification obligations include specified and stringent timelines?
While all U.S. jurisdictions include obligations around reporting timeframes in their breach notification regulations, ambiguous language, such as “in the most expeditious time possible, without unreasonable delay,” has been quite common. And while some still include such ambiguous language, we are increasingly seeing a trend towards jurisdictions replacing generalized guidance with more stringent direction. In 2018 alone, eight U.S. states amended their breach notification timelines, including:
- 60 days to notify individuals (South Dakota, Delaware, Louisiana).
- 45 days to notify individuals (Alabama, Arizona, Oregon, Maryland).
- 30 days to notify individuals (Colorado).
When we consider that timelines are only getting more stringent, it seems almost untenable that organizations can keep up. Or is it? Digging into the aggregated metadata of data privacy incidents, we sought to discover whether organizations that leverage automation and incident response best practices are meeting their notification obligations when timeframes are specified.
The results? Overall, organizations are doing quite well in meeting their notification obligations. Looking at anonymized metadata gathered from incidents created in 2018 across jurisdictions with specified timelines, 89 percent of notifications were provided within the specified timeframe.
When we consider the 11 percent of notifications that did not meet specified timeframes, the majority seem to be associated with incidents that affected a significant number of individuals in multiple jurisdictions. In many cases, delayed notification was deemed permissible by a regulator.
If we dig further into the data, we see that the degree of lateness varies considerably across an eight-week period, but in most cases notification was provided one to two weeks past the notification deadline. Only one percent of notifications were provided more than eight weeks beyond the specified deadline.
Key takeaways for privacy professionals
Though at first glance it may seem somewhat reassuring that the vast majority of organizations represented in our metadata are meeting their notification obligation deadlines, it is important to keep in mind that the metadata is derived from organizations employing best practices of consistent, automated incident risk assessments and operationalized incident response processes through the Radar platform. The data suggests that when such best practices are implemented, it is possible for organizations to meet their data breach notification obligations across jurisdictions, even when faced with a complex and changing regulatory landscape.
We should also keep in mind that U.S. state data breach notification obligations are generally stipulated in weeks and months. We are all very aware of the 72-hour notification requirement dictated by GDPR, representing a massive shift in expectations. Let’s not forget that contractual obligations can be even more stringent — in some cases, within a single hour of discovery. When notification timelines are measured in hours, not months, how are organizations faring? That will be part of our benchmarking analysis in 2019, as we are all aware that many organizations are still working hard to make sure they are compliant with this new world order.