The Sooner the Better: Increasing Specificity in Notification Timelines
Today’s world is built for speed. Want a ride? Get an Uber or Lyft at your door in 10 minutes. Want your food faster? Use Grubhub and order ahead. Have a data breach requiring notification? Work quickly, because you may only have 72 hours to provide notification to individuals and regulatory authorities, depending on the jurisdiction.
Even if the timeline for notification is significantly longer than that—up to 60 days—the overall regulatory trend we’re seeing is greater specificity in those timelines. In the U.S., for example, state breach notification laws have historically not specified timelines during which individuals must be notified of a breach of personal information following discovery, instead using language such as “in the most expeditious time possible without unreasonable delay.” As a result, depending on the circumstances of a breach or an entity’s culture of compliance, the timing of when individuals are actually notified can vary widely.
In recent years, we’ve seen numerous states replace this ambiguous language with a specific outside limit by which time an individual must be notified following discovery of a breach. In 2018 alone, we saw eight states change their notification timelines to a specified number of days:
- 60 days to notify (South Dakota, Delaware, Louisiana)
- 45 days to notify (Alabama, Arizona, Oregon, Maryland)
- 30 days to notify (Colorado)
More recently, North Carolina Attorney General Josh Stein and Representative Jason Saine reintroduced data privacy legislation that would change the notification timeframe requirement from “most expeditious time possible without unreasonable delay” to a specified 30 days to notify affected individuals and the Attorney General’s office of a breach. According to the legislation, “This quick notification will allow people to freeze their credit across all major credit reporting agencies and take other measures to prevent identity theft before it occurs.”
Faster, Faster, Faster…
It’s also important to note that, while notification timelines are becoming more defined, many privacy professionals are already dealing with extremely short timelines for notification. The new North Carolina legislation would cut the notification time for HIPAA-covered entities in half, from 60 days to 30. Entities subject to the New York Department of Financial Services cybersecurity regulation are required to notify the Superintendent of Financial Services within 72 hours of a qualifying cybersecurity event.
For a controller subject to the GDPR, notice to supervisory authorities is required “without undue delay and, where feasible, not later than 72 hours.” Entities with contractual obligations to notify data owners or controllers of a breach typically see those contractual timelines specified in hours, rather than days. Seventy-two hours—or even less—is not long when faced with a data breach.
Deema Freij, SVP, deputy general counsel, and global privacy officer at Intralinks writes, “Organizations must notify the national data protection regulator and must also notify everyone who has been affected by the breach, where the ‘data breach is likely to result in a high risk to the(ir) rights and freedoms.’ However, finding out what the breach is, who has been affected, how wide it is and how it happened all within 72 hours is not easy—especially when companies want to be remediating damage caused by the breach in this time. This is where having thorough processes shows its value, because all of this information will need to be relayed to the regulator.”
Streamlining Incident Response is Key
Ms. Freij is absolutely correct. Operationalizing your incident response process brings automation and consistency, ensuring each stage—from incident reporting to risk assessing to providing notification—is completed in a timely, compliant manner. RADAR, for example, ensures the multi-factor risk of harm assessment is 100% consistent, eliminating the subjectivity and inconsistency inherent in manual approaches. And in a time trial comparing RADAR software to existing incident response processes, the time it took to gather the pertinent facts, perform a multi-factor risk assessment, and arrive at a breach determination decision was reduced from days to minutes.
Stay tuned for the next post in this series, in which we discuss the third regulatory trend: specifying notification contents. In the meantime, you can learn more by downloading the free ebook: Changing Data Breach Notification Laws: Regulatory Trends.