Hitting a Moving Target: The Challenge of Ever-Changing Breach Notification Laws
The only constant in life is change, and few things in the world of privacy and data protection are evolving as much as breach notification laws. These regulations are more stringent, specific, and numerous than ever before. The constant shifting of breach notification laws makes compliance not a one-and-done activity, but requires constant vigilance to keep abreast of changes.
Indeed, privacy teams may feel that the challenge of compliance supersedes that of incident detection and escalation. And it’s no wonder, given that a 2018 Thomson Reuters report on compliance noted there’s an average of 216 regulatory alerts a day.
Regulatory Complexity in the U.S. and Abroad
Across the United States and around the world, the mosaic of breach notification regulations is shifting at breakneck speed. All 50 states have breach notification laws, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. In 2018, multiple states implemented amendments or new laws regarding breach notification requirements. For example, Colorado replaced ambiguous language with a 30-day limit by which time an individual must be notified following discovery of a breach. Also in 2018, four states—including Colorado—added specific content requirements to notifications, such as the date of a security breach and description of personal information believed to have been acquired as a result of the breach.
The EU General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, expanded the definition of personal data to include “any information relating to an identified or identifiable natural person.” This is a far broader interpretation than the U.S. definition of personally identifiable information (PII) or protected health information (PHI). ICO Commissioner Elizabeth Denham described GDPR as “the biggest change to data protection law in a generation.”
PIPEDA, Canada’s federal privacy law, added a new mandatory breach notification and recordkeeping amendment that went into effect on November 1, 2018. According to a statement from the Canadian government, PIPEDA was crafted with an eye toward alignment with GDPR, because “many Canadian organizations must comply with both Canadian and European law. The final Regulations were drafted with a view to harmonizing the requirements to the extent possible.”
Australia’s “notifiable data breaches scheme,” as it’s called, became effective in February 2018. This regulation has overtones of GDPR, too, since both laws consider personal data “to be any information about an identified individual or that can be reasonably linked to an individual.”
The High Cost of Noncompliance
Regulators take noncompliance seriously. Under GDPR, organizations that do not comply with an enforcement notice could face fines up to 20 million euros or four percent of global turnover—whichever is greater. Centro Hospitalar Barreiro Montijo, a hospital in Portugal, was the first to receive a fine for violating the GDPR. Then, France fined the U.S. tech giant, Google, nearly $57 million, demonstrating the global reach of privacy laws. Despite the potential for large fines, IAPP-EY Annual Governance Report 2018 revealed that 56% of respondents subject to GDPR say they are far from compliance or will never comply.
Domestically, the U.S. Department of Health and Human Services’ Office for Civil Rights has levied close to $80 million in fines to organizations for violations to the HIPAA Privacy Rule since it took effect in April 2003. Uber was fined $148 million for waiting a year to notify its drivers that hackers stole their personal information. And Oregon’s U.S. senator recently introduced a bill that would levy penalties up to 20 years in prison and $5 million in fines for executives who “knowingly mislead” the federal government in their annual data protection reports.
What’s more, consumers are increasingly aware of their data privacy rights, and how these rights are respected—or not—influences how consumers perceive an organization’s brand or reputation. The cybersecurity industry, too, is encouraging both consumers and businesses to strengthen privacy safeguards with initiatives like National Privacy Day, which is each year on January 28th.
Compliance is Within Reach
The key to compliance with complex and ever-evolving breach notification and recordkeeping requirements under U.S. breach notification laws, GDPR, PIPEDA, and other regulations is knowing where they are similar and where they are different. There is one notable similarity—these laws all require a multi-factor risk assessment to determine whether notification is required to affected individuals, state attorneys general, regulatory agencies, and others, taking into consideration the nuances in each law’s standard of harm.
Staying current with breach notification laws is more than a full-time job, though, and the risk of error is high. Privacy teams need a consistent, efficient method for risk assessing each incident that takes the latest version of all applicable regulations into account. When consistency is applied to every incidents’ multi-factor risk assessment, the subjectivity of the breach determination process is stripped away, which is the goal.
RADAR, purpose-built software for incident response management, takes the guesswork out of the process. Our regulatory team continuously tracks changes in data breach notification laws for you, to help ensure compliance with new and changing laws immediately upon the law’s enforcement date. As a result, you eliminate the costs and time necessary to monitor, research, and analyze regulatory changes—no matter how they may evolve.
Stay tuned for the next post in this series, which will cover the second challenge: lack of budget. You can also learn more by downloading the free whitepaper: The 4 Challenges of Managing Incident Response.
- Finding the Hidden Picture: The Challenge of Incident Detection and Escalation
- eBook: Changing Data Breach Notification Laws: Regulatory Trends
- Breach Notification Regulatory Trends From 2018