Keeping track of the variety of data breach notification laws is easier said than done. All over the world, organizations need to be aware of notification laws that differ by state, country and continent.
The first step an organization should take to simplify compliance is to create a response team that can resolve incidents quickly and ensure every breach incident is properly documented. Because states set different notification timelines and rules, response teams cannot rely on a single uniform template.
“These are not one-size-fits-all notifications. You cannot create just one unfortunately. Some state laws require that you provide credit monitoring,” said K&L Gates LLP Partner Julia Jacobson, CIPP/US, CIPM, FIP. “Some provide for state agency and credit reporting agency notification and then there’s the ever present potential contractual obligations in your agreements.”
Jacobson, along with RADAR CEO Mahmood Sher-Jan, delved into the nuances of breach notification during a recent IAPP web conference, while also introducing a new tool to help make the process easier.
The IAPP-RADAR Incident Response Center tool aims to help privacy professionals simplify data breach notification compliance. It is free to IAPP members and provides a resource for staying up to date with data breach notification laws around the world, along with definitions of breaches and personal information, reporting requirements, and penalties for non-compliance.
Legislation surrounding breach notification is constantly changing, both in the United States and around the world. North Dakota is amending its data breach notification law, New Mexico just passed its first-ever law, and Australia and the Philippines are implementing brand-new notification rules. Add the fact that the General Data Protection Regulation will arrive with its strict penalties, and companies have every incentive to keep an eye on potential law changes.
With technology continuing to grow and cybercrime constantly evolving, amendments and new laws will continue to come down the line.
Jacobson said laws "are popping up all over the place because hacking continues to be quite profitable. Hackers get around $150 to $160 for records containing sensitive and confidential information, so as long as hacking is profitable, we expect the hacking will continue; and as long as hacking continues, we expect the data breach notification laws will continue to be modified and adapted to keep up with the hackers."
Before determining whether to send out a data breach notification, an organization needs to determine whether a breach actually happened at all.
“Very often, a client will think that any kind of unauthorized access to any kind of personal information is a data breach, and that’s just simply not true,” said Jacobson. “There can be unauthorized access to information that’s not personal information such as cyber espionage attacks, or there can be access to personal information that is not covered under data breach notification laws.”
After confirming a breach, an organization needs to figure out whether it requires a notification. States use different triggers: the definition of personal information, the form the compromised information took, and whether a harm threshold must be met.
Automation can help organizations keep up with changing laws and operationalize incident response management. It can keep an organization current on the laws, make intake more timely and efficient, replace manual multi-factor risk assessment, generate breach notification letters, and support trend analysis.
Automating the intake process can also reduce delayed responses, ensure that the privacy and security teams are informed so they can work out a response, and provide proof that the enterprise responds to each incident on time.
Multi-factor risk assessment still poses a challenge for many organizations, especially those without an automated process in place. Improving risk assessments makes them faster and more efficient, but consistency may be the most important variable, especially when assessing similar incidents.
“Just because no two incidents are exactly alike doesn’t mean that you cannot automate that process of risk assessment and risk modification,” said RADAR's Mahmood Sher-Jan. “In fact, that’s even more reason why you should, because you should do it based on building these profiles that closely resemble the actual incidents and then consistently risk score them.”
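As an added illustration of the decision logic sketched above (first, was covered personal information exposed at all; second, does the jurisdiction's rule trigger a notification; third, score similar incidents consistently), here is a small Python example. It is not the IAPP-RADAR tool's code and not a description of any real statute: the jurisdiction codes J1 and J2, the RULES table, the HARM_CUTOFF value, the scoring weights and the sample incidents are all constructed placeholders. The point it shows is that incidents with the same factor profile always receive the same score and the same decision, while incidents that expose no covered data never reach the scoring step.

```python
"""Illustrative multi-factor breach notification assessment.

Added example, not code from the IAPP-RADAR tool. The jurisdiction codes,
rule sets, factor weights, harm cutoff and sample incidents are all
constructed placeholders; none describes a real law.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional, Tuple

# Hypothetical per-jurisdiction rule sets: which data elements count as covered
# personal information (PI), whether encryption removes the duty to notify,
# whether a harm threshold applies, the deadline in days from discovery, and
# whether a regulator must also be told.
RULES = {
    "J1": {"pi_elements": {"ssn", "drivers_license", "financial_account"},
           "encryption_safe_harbor": True, "harm_threshold": False,
           "deadline_days": 30, "regulator_notice": True},
    "J2": {"pi_elements": {"ssn", "financial_account", "medical"},
           "encryption_safe_harbor": True, "harm_threshold": True,
           "deadline_days": 45, "regulator_notice": False},
}
HARM_CUTOFF = 5  # hypothetical: J2 notifies only when the 0-10 score is >= 5


@dataclass(frozen=True)
class Incident:
    incident_id: str
    discovered: date
    jurisdiction: str
    elements: FrozenSet[str]   # data elements exposed, e.g. {"ssn", "email"}
    encrypted: bool            # exposed data was encrypted at rest
    key_compromised: bool      # ...but the decryption key was also taken
    records: int               # number of individuals affected
    acquired: bool             # evidence the data was actually taken, not merely reachable


@dataclass(frozen=True)
class Assessment:
    incident_id: str
    covered: FrozenSet[str]
    score: int
    notify: bool
    deadline: Optional[date]
    regulator_notice: bool
    reason: str


def profile(inc: Incident) -> Tuple:
    """The factors that drive the decision; identical profiles must score identically."""
    return (inc.jurisdiction, tuple(sorted(inc.elements)), inc.encrypted,
            inc.key_compromised, inc.records >= 500, inc.records >= 10000, inc.acquired)


def risk_score(inc: Incident, covered: FrozenSet[str]) -> int:
    """Deterministic 0-10 score; the weights are hypothetical."""
    score = 2 * min(len(covered), 3)         # sensitivity: up to 6 for 3+ covered elements
    score += 2 if inc.acquired else 0        # confirmed exfiltration
    score += 1 if inc.records >= 500 else 0  # scale
    score += 1 if inc.records >= 10000 else 0
    return min(score, 10)


def assess(inc: Incident) -> Assessment:
    """Apply the jurisdiction's (hypothetical) rules in the order a reviewer would."""
    rules = RULES[inc.jurisdiction]
    covered = frozenset(inc.elements & rules["pi_elements"])

    def no_notice(score: int, why: str) -> Assessment:
        return Assessment(inc.incident_id, covered, score, False, None, False, why)

    # 1. Unauthorized access, but to nothing this rule set treats as PI: not notifiable.
    if not covered:
        return no_notice(0, "no covered personal information exposed")
    # 2. Encrypted and the key stayed safe: safe harbor where the rule set grants one.
    if rules["encryption_safe_harbor"] and inc.encrypted and not inc.key_compromised:
        return no_notice(0, "encrypted, key not compromised: safe harbor")
    # 3. Score the remaining factors consistently, then apply any harm threshold.
    score = risk_score(inc, covered)
    if rules["harm_threshold"] and score < HARM_CUTOFF:
        return no_notice(score, f"score {score} below harm cutoff {HARM_CUTOFF}")
    deadline = inc.discovered + timedelta(days=rules["deadline_days"])
    return Assessment(inc.incident_id, covered, score, True, deadline,
                      rules["regulator_notice"], "notification triggered")


# Constructed sample incidents (not real events). INC-4 and INC-5 share a profile.
SAMPLE = [
    Incident("INC-1", date(2017, 3, 1), "J1", frozenset({"ssn", "email"}), False, False, 1200, True),
    Incident("INC-2", date(2017, 3, 2), "J2", frozenset({"email", "username"}), False, False, 50000, True),
    Incident("INC-3", date(2017, 3, 3), "J2", frozenset({"medical"}), True, False, 800, True),
    Incident("INC-4", date(2017, 3, 4), "J2", frozenset({"ssn"}), False, False, 40, False),
    Incident("INC-5", date(2017, 3, 9), "J2", frozenset({"ssn"}), False, False, 45, False),
]


def assess_all(incidents=SAMPLE):
    return [assess(i) for i in incidents]


if __name__ == "__main__":
    for a in assess_all():
        print(a.incident_id, a.score, a.notify, a.deadline, a.reason)
```

Because `profile()` strips out the incident ID and discovery date, two incidents that differ only in those fields produce the same score and the same reason string, which is the consistency property a reviewer can audit; adding a real jurisdiction would mean adding a rule-set entry, not touching the scoring code.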
Metrics are a particularly important resource, as privacy professionals can use them to demonstrate their compliance efforts.
“As a chief privacy officer, if you don’t have metrics, you are really at a disadvantage when you are communicating with the senior executive teams and the boards,” said Sher-Jan. “Doing things in an ad hoc way, or manually in Excel spreadsheets and emails, doesn’t give you the cleanliness of the data or the availability of the data to run analytics.”
The IAPP-RADAR tool will be launched shortly before the IAPP Global Privacy Summit, April 19-20. RADAR will have a booth set up at the event in order to give attendees a demo of the tool.