Hush, Hush, We Had a Data Breach – Let’s Not Tell Anyone
I am eagerly awaiting the impact of the General Data Protection Regulation (GDPR) and its requirement to comply with data breach notification. That should be a good one. Have you ever noticed that companies, particularly US ones, initially claim they didn’t know they had a data breach, sometimes for months? Where are their heads? In the sand, I guess. How can you not know? Also, after they know, it appears that they like to keep it a secret. Makes you question their integrity, doesn’t it? It should make us question whether we should do business with them. I vote No.
Sadly, the US is proposing a bill that essentially gives businesses free rein to keep mum about a data breach. Really. Companies would only have to abide by a too-casual notification trigger: warning people of a breach only if there is a “reasonable risk” that harm has been caused. This gives companies ample wiggle room to either go slow on announcing the breach or keep it to themselves, which means consumers can be left in the dark.
The financial services industry lobbied for the exemption because it is already covered by a separate law, known as Gramm-Leach-Bliley. It says that if a firm learns it has been hacked, and that “misuse of its information about a customer has occurred or is reasonably possible,” the company “should notify the affected customer as soon as possible.” Should notify. Not must. This lets Equifax off the hook. Nice.
In its own statement, the National Retail Federation, which opposes a notification exemption for the financial sector, observed that about a quarter of all data breaches involve financial firms. Oh, and the bill wipes out California’s law that requires data breach notification. The California law does not specify a time frame, but states that companies are to provide notice “in the most expedient time possible and without unreasonable delay” and “immediately following discovery.” To add to the uncertainty, notice can be delayed to avoid interference with law enforcement investigations or, if necessary, to determine the scope of the breach and to restore the integrity of the data system.
I guess the government feels the victims are not important. Not so, says California. The California Attorney General’s 2016 Data Breach Report found that three out of five Californians were victims of data breaches, and that data breach victims were significantly more likely to experience identity theft. Notifying consumers of a data breach promptly after it happens allows and encourages them to take proactive measures, such as cancelling susceptible credit cards and purchasing identity theft prevention services, to prevent identity theft.
For once, I am speechless.
Join us for our Discovery, Risk, and Insight in a Metadata-Driven World webinar, on Wednesday, June 13. Discovery, risk, and insight mean something different to every organization, even at different locations within the same company. This webinar shows the automatic generation and use of semantic metadata, to gain a detailed view of risk mitigation for data security, compliance, and operational intelligence.