Just how are companies responding to Article 33 of the Global Data Protection Regulation (GDPR), requiring 72-hour notice of a data breach to EU supervisory authorities? And how are the EU data protection authorities viewing compliance?
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.
“This is compounded when the company is a global firm whose business relies on personal data.
“We are determined to look after U.K. citizens’ information wherever it is held.”
Elizabeth Denham, ICO
Article 33, Notification of a personal data breach to the supervisory authority, requires:
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and personal data records impacted;
- Communication of the name and contact details of the data protection officer or other contact point where more information can be obtained;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Breach reporting, pre- and post-GDPR
We looked at how EU data protection authorities responded to major data breaches that occurred before and after the enactment of GDPR to glean insight into the types and severity of enforcement actions global organizations face.
The consumer credit reporting agency breach that occurred between May 13, 2017, and July 30, 2017, affected 146 million customers globally and included 15 million U.K. citizens. Although this breach pre-dated GDPR, the agency was assessed a fine of £500,000, the highest fine possible under the Data Protection Act 1998. According to U.K. Information Commissioner Elizabeth Denham, the consumer credit reporting agency violated five out of eight data protection principles of the Data Protection Act 1998 including: failure to secure personal data, poor retention practices and lack of a legal basis for international transfers of U.K. citizens’ data.
The September 2018 data breach sustained by a social media organization is subject to GDPR, and Ireland’s Data Protection Office (DPO) has already stated that it finds the data breach report incomplete. The DPO is pressing the breached entity to clarify the nature of the breach and the risk of harm to its users. Based on its annual global revenue, the breached entity is facing the maximum potential fine of $12 million.
Application of GDPR
GDPR applies to organizations that process or target EU personal data in the EU or anywhere else in the world. Though this rule of application may be simple, complying with it can be a comprehensive undertaking.
Any organization subject to GDPR that suffers a breach involving EU personal data must report the incident to relevant data protection authorities within 72 hours of becoming aware of it. What’s not clear to many organizations subject to GDPR is that notice of a breach must be descriptive, including substantial details about the breach and its impact on victims – all within the 72-hour time frame – which may be difficult to accomplish.
Organizations that fail to comply with the breach reporting provision of GDPR face fines of up to €10 million ($12 million) or 2% of annual global revenue, whichever is greater. However, data protection authorities have indicated that the maximum fines would most likely be reserved for organizations that either attempted to cover up a breach, or had indefensible information security practices, procedures and/or processes in place.
How does cyberinsurance aid in data breach response efforts?
In addition to first-party breach response costs such as notification to affected data subjects, credit monitoring and public relations consultation, most cyberinsurance policies include immediate access to forensic investigation firms, which is necessary in order to provide proper detailed notice to data protection authorities. Although a complete forensic investigation is not likely within 72 hours, an objective initial third-party assessment can go a long way in satisfying regulators’ immediate concerns and avoiding potential fines. Legal triage and data breach coaching services are also typically included in cyberinsurance policies as first-party coverage, giving policyholders immediate access to experts who can assist them in complying with Article 33.
GDPR has significantly raised the stakes with regard to what’s required from organizations in the event of a cyber breach, both in terms of substantial monetary fines and the level of disclosure required. Organizations should make sure they’re aware of their responsibilities and have the resources in place to comply, should a cyber event occur.