Too Much or Too Little? The Risks of Under- or Over-reporting Incidents
Data privacy and security incidents occur all the time; the 2018 Verizon Data Breach Investigations Report covers a mind-boggling 53,000-plus incidents. Incidents come in all shapes and sizes—electronic, paper, even verbal or visual. They can be as simple as an improperly mailed billing statement or as complex as a highly coordinated cyber-attack on millions of consumers’ financial records. Every single one of these incidents must be risk assessed to determine if they are breaches requiring notification.
At the heart of every risk assessment is a mosaic of always-changing, ever-increasing breach notification obligations. Compliance is always a moving target, as the following list demonstrates:
- All 50 states have breach notification laws, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. This year alone, multiple states have implemented amendments or new laws regarding breach notification requirements.
- Industry-specific laws such as GLBA and HIPAA.
- The EU General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, expanded the definition of personal data to include “any information relating to an identified or identifiable natural person.” This is a far broader interpretation than the U.S. definition of personally identifiable information (PII) or protected health information (PHI).
- PIPEDA, Canada’s federal privacy law, added a new mandatory breach notification and recordkeeping amendment that went into effect on November 1, 2018 and is designed to harmonize with the more expansive view of personal data that we see under GDPR.
- Australia’s new breach notification “scheme,” as it’s called, became effective in February 2018.
- Other countries have enacted mandatory breach notification laws, while others are still in the early stages, either recommending notification or discussing future legislation.
With so many laws and so many incidents, it’s not surprising that many companies often under- or over-report data breaches. Yet doing so carries significant risk to both organizations and individuals.
The dangers of over-reporting
Some privacy professionals have the mistaken belief that by reporting every single incident they are meeting their notification obligations. The opposite is true. Failing to assess the sensitivity of exposed data and the severity of each incident to determine the potential risk of harm—and thus your obligation to notify or not—is, in fact, noncompliance and can actually harm your business.
Over-reporting can erode the confidence that customers, patients, members, partners, and others have in your ability to protect their privacy. They may wonder just how secure your business is if you continually report breaches, even minor ones. That can cost you a lot. An Accenture Strategy Research Report reveals that trust, traditionally viewed as a “soft corporate issue,” has a very real impact on the bottom line. In fact, at least $180 billion in revenue is at stake across the 54% of companies in the Accenture analysis that experienced a drop in trust.
Regulators, too, may wonder what’s amiss and subject you to greater regulatory scrutiny. Before the GDPR came into effect, the Irish Deputy Data Protection Commissioner warned that data controllers must perform a risk analysis before making a notification and that controllers who over-notify could face enforcement action. Despite this advice, the UK Deputy Information Commissioner reported that the ICO has received approximately 500 calls a week to its breach reporting line since May 25, 2018.
Under-reporting is dangerous, too
Equally risky is the under-reporting of data breaches. By missing notification requirements, organizations may face significant fines and penalties. Uber was fined $148 million for waiting a year to notify its drivers that hackers stole their personal information. And Altaba, formerly known as Yahoo!, agreed to pay a $35 million penalty for failing to disclose its massive cybersecurity breach to investors.
As with over-reporting, failing to notify diminishes consumer confidence and thus can take a financial toll. Regarding the trust issue, Michael Lyman, senior managing director at Accenture Strategy, said, “Our research proves that no company is immune to the impact of a drop in trust on the bottom line. U.S. companies must adopt a top-down culture that fully bakes trust into the company’s strategy, operations and broader DNA. Those who don’t are putting their future revenues at risk.”
Under-reporting is like sticking your head in the sand—just because you don’t report incidents doesn’t mean there are no breaches. Organizations with a low volume of incidents may simply not be detecting all of them. Ignorance of the law is not a defense, and aside from running the risk of failing to report something that should be reported, these companies are also missing out on opportunities to identify areas for improvement and training that would reduce future breach risk.
Is accurate, compliant reporting even possible?
Often, organizations have inconsistent, manual processes for breach determination that are subject to human bias and interpretation. Add that to the complexity of notification laws and the high volume of incidents, and it’s no wonder that so many privacy professionals miss the mark when it comes to reporting.
That being said, it is possible to report only the breaches that need to be reported in accordance with regulations—nothing more, nothing less. Instead of manual, ad-hoc processes, organizations need to adopt a method for incident response that is:
- Consistent for all incident types
- Automated to ensure timeliness and accuracy
- Multi-factor—e.g., weighs data sensitivity and incident severity to determine likelihood of harm
- Defensible, with documentation to support the decision to notify or not notify
- Updated with the latest state, federal, international, and industry regulations to ensure compliance
- Scalable to support a growing number of incidents
Reporting doesn’t have to be ad-hoc or painful. The right software tool can take the subjectivity and inconsistency out of the incident response process, so you can ensure proper, compliant notification to the right people at the right time.
Ready to get your reporting right? Contact us to learn how RADAR can help.