With a record number of data breaches last year and a steady stream of new revelations about the misuse of data, you may think you’ve heard everything there is to know about data breaches.
You’d be wrong.
Now, with the General Data Protection Regulation (GDPR) fully implemented, there’s yet another way for companies to be in breach of data privacy laws. GDPR is a sweeping set of rules governing the handling of European Union members’ personal data, no matter where it is. It came into full force in May, and breaches carry huge fines — up to 4 percent of a company’s annual global turnover or €20 million (whichever is greater).
What is a breach under GDPR?
GDPR defines it as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.” Under GDPR, entities have only 72 hours to notify a supervisory authority, which is also known as a data protection authority (DPA). Data controllers are required to report breaches to the authority, while processors must report them to their controllers.
In Europe, entities are required to self-report to the DPA in their EU member state. Perhaps the most well-known DPA in Europe is the United Kingdom’s Information Commissioner’s Office (ICO).
Global companies also have a clear idea of who to report breaches to, since GDPR requires companies with an obvious European footprint to designate an EU representative who would then report to the DPA in their member state.
In addition to self-reporting the breach, GDPR says that companies must notify the impacted data subjects through a notification letter.
According to GDPR, the notification must:
Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Christine Meyers, director of product marketing at security software provider Alert Logic, said companies should assess the situation internally first.
“A crucial part of this step is confirming whether the breach is still ongoing,” Meyers said. “After the appropriate security leaders have been notified, it’s their job to notify company customers and stakeholders of the breach … Internal and external communication are equally important at this stage.”
So how should US companies handle it?
Ultimately, US companies will report breaches where they already do, through state mechanisms that already exist. The National Conference of State Legislatures (NCSL) has compiled a state-by-state breakdown of security breach notification laws, which include who to notify.
Current state data breach laws are all over the place. There are wild differences between states on what constitutes a breach and what’s required in its aftermath. So it’s possible — actually, probable — that the state’s notification requirements are not as stringent as GDPR’s. That means that businesses need to make sure that their policies and procedures exceed state requirements.
And what if your company is online and serves customers from multiple states?
“Guess what? You have to notify 30 different states,” Stuart A. Panensky, partner, cyber-risk, privacy and data Security at FisherBroyles, LLP, told me.
It’s impossible to say how many US companies are currently in GDPR compliance, as surveys have revealed wildly varying numbers. But an April NetApp survey found that more than 75 percent of US companies were concerned about meeting the deadline.
What happens once the DPA gets notice is still up in the air. Since GDPR doesn’t dictate how to handle breaches from companies outside of the EU, the issue of enforcement continues to be murky.
Forget about the right to be forgotten
US companies that currently comply with state laws might already be in breach of GDPR.
Panensky told me that it’s nearly impossible to fulfill at least one of the enhanced data subject rights under GDPR, namely — a customer’s right to have their data erased, or “forgotten.”
“The big one that concerns US businesses is the so-called ‘right to be forgotten law,’” Penensky told me. “No US law currently gives or entitles its citizens to an absolute right to be forgotten.”
But the states will likely catch up. Panensky predicts that there will be an effort at the state level “to model that state’s own privacy laws after the GDPR including a so-called ‘right to be forgotten.’”
Cyber insurance to the rescue
Lost in this conversation is how companies can protect themselves from the liability involved in data breaches both inside and outside of GDPR. Panensky says cyber insurance is a must for anyone handling data.
“Cyber insurance is a special kind that protects business risks associated with the use of computers and computer networks and typically provide[s] coverage for damages arising out of data breaches, ransomware, IT errors and omissions. business interruptions arising out of a data breach,” Panensky said.
Should US companies report directly to the EU DPA?
Some experts say that a US company should report the breach to the DPA in the EU district in which it occurred, but other than reputation management, it’s unclear what incentive a company would have to do that.
Panensky says, “GDPR incentivizes compliance because the benefits to US companies complying with EU law and successfully doing business in the EU far outweigh the costs of compliance.”
Regardless, Panensky warned against ignoring the law or trying to stave off breaches reported by other entities by filing endless appeals.
“You could end up with a bigger fine or a canceled contract,” he said.
Questions about GDPR? Download our free guide — The General Data Protection Regulation: GDPR: A Guide for Marketers.