Ten years ago, Moroccan runner Hicham El Guerrouj ran the mile in a mind-blowing 3:43:13—a world record that still stands. That kind of speed might be something privacy pros relate to–if you have a data breach requiring notification, it’s time to put on your regulatory track shoes! In some instances, privacy teams may have only 72 hours to provide notification.
Even if the timeline for a particular notification is significantly longer than that—up to 60 days in some jurisdictions—the overall regulatory trend we’re seeing is greater specificity in those timelines.
Historically, in the U.S., state breach notification laws did not specify timelines during which individuals must be notified of a breach of personal information following discovery. Instead, the laws used language such as “in the most expeditious time possible without unreasonable delay.” As a result, depending on the circumstances of a breach or an entity’s culture of compliance, the timing of when individuals are actually notified can vary widely.
In recent years, we’ve seen numerous states replace this ambiguous language with a specific outside limit by which time an individual must be notified following the discovery of a breach. In 2019, two states changed their notification timelines to a specified number of days:
- Delaware (60 days)
- Maine (30 days)
Driving the Regulatory Autobahn
It’s also important to note that, while notification timelines are becoming more defined, many privacy professionals are already dealing with extremely short timelines for notification:
- In the U.S., entities subject to the New York Department of Financial Services cybersecurity regulation are required to notify the Superintendent of Financial Services within 72 hours of a qualifying cybersecurity event.
- Entities with contractual obligations to notify data owners or controllers of a breach typically see those contractual timelines specified in hours, rather than days.
- For a controller subject to the GDPR, notice to supervisory authorities is required “without undue delay and, where feasible, not later than 72 hours.”
“Organizations must notify the national data protection regulator and must also notify everyone who has been affected by the breach, where the ‘data breach is likely to result in a high risk to the(ir) rights and freedoms,’” Deema Freij, former global privacy officer at Intralinks, wrote. “However, finding out what the breach is, who has been affected, how wide it is and how it happened all within 72 hours is not easy—especially when companies want to be remediating damage caused by the breach in this time. This is where having thorough processes shows its value, because all of this information will need to be relayed to the regulator.”
How Well Does Your Organization Measure Up?
When it comes to notification timelines, there’s a significant gap between what the law requires and what companies are actually able to accomplish. The 2019 BakerHostetler Data Security Incident Response Report shows the timeframe from incident discovery to notification averaged 56 days for organizations without purpose-built automation.
If there’s a lag time between your incident discovery and breach notification, you have the opportunity to improve your privacy program. Consider the following questions:
- Are you able to quickly and consistently perform incident risk assessments to reduce your notification decision time?
- Have you operationalized your regulatory risk assessment and decisioning process, or is your time being spent researching laws and manually documenting the investigation process?
- Is creating and sending notification letters the bane of your existence?
In addition, ask yourself what you can learn from breaches with longer notification times. Are there patterns in these breaches—do they tend to be big, small, electronic, external or from specific source(s) within your organization? Trimming these outliers will significantly impact your overall program metrics. Remember: it doesn’t matter whether the breach is big or small. You must risk assess consistently to avoid the risk of over- and under-notification.
How Privacy and Security Teams Can Improve
As regulations continue to condense the timeframe between discovery or awareness of a breach and required notification, either to a regulator or to affected individuals, it’s increasingly critical that processes and systems are in place to streamline incident response. Benchmarking data indicates that streamlining with privacy automation and consistent incident risk assessment and scoring accelerate the incident response lifecycle. Without this best practice, your privacy and security teams may find themselves racing the clock to remain compliant with multiple timelines across multiple jurisdictions.
Stay tuned for the next post in this series, in which we discuss the third regulatory trend: specifying notification content. In the meantime, you can:
- Read the first blog post in the series: The Expanding Scope of Personal Information.
- Download the free ebook: Trends in Changing Data Breach Notification Laws 2020.