Businesses need more guidance on trigger for data breach notifications, says expert

Out-Law News | 13 May 2015 | 10:39 am

Businesses need more guidance from policy makers on when the requirement to report data breach incidents is triggered, an expert has said.

Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that it is not clear from the wording of the proposed new General Data Protection Regulation (GDPR) when "the clock would start ticking" on the 72 hours companies would have to report the loss, theft or unauthorised accessing of personal data they are responsible for.

Dautlich was commenting after a survey of 145 IT professionals by software provider Varonis Systems found that only 48% of respondents believe their organisation would be able to meet the 72-hour deadline for data breach notification under the planned Regulation.

Under proposals that have the provisional backing of justice ministers across the EU, organisations would generally have 72 hours to notify regulators as soon as they become aware that they have suffered a personal data breach that "may result in physical, material or moral damage" to individuals.

Damage of this kind could range from identity theft or fraud, to damage to their reputation, loss of control over their personal data or a loss of confidentiality of data protected by professional secrecy, according to the ministers' plans.

"The 72-hour deadline for notification is a demanding one," Dautlich said. "Businesses are going to need to give some thought to questions that seem easy but – as anyone who has dealt with a breach will know – are often not at all, for example."

"It is not always obvious exactly when a breach stemming from a security incident actually began or what constitutes a breach in the absence of better clarity from law makers," he said. "System logs produce all sorts of alerts that law makers cannot intend to be caught by the current provisions in the GDPR. On the other hand, information security experts will need some guidance about appropriate triggers, and organisations as a whole will need procedures that, based on experience, many of them currently do not have or have only in rudimentary form – that is, practical security breach response plans, owned and managed by a person accountable for meeting the requirements of the GDPR once implemented."

"These are not trivial questions or procedures and, on current experience, we cannot expect law makers to give much clarity any time soon about what in practical terms companies are going to have to do to meet their new legal obligations. At the same time, many organisations have come to acknowledge that the nature of the cyber threats facing them means it is more likely than not that their information security will be breached at some point, and therefore they cannot afford to ignore these procedures," Dautlich said.

Businesses that fail to protect personal data adequately could face fines of up to 2% of their annual turnover, up to €100 million, under the Council of Ministers' proposals for the GDPR. MEPs are pushing for even stiffer penalties to be made available to regulators.

According to the Varonis survey, 80% of IT professionals believe banks are the most likely organisations to be hit with the maximum fines possible under the new GDPR.

However, Dautlich said that "experience shows that retailers are probably more at risk" of such sanctions.

"Banks, as high-profile organisations that consumers trust and recognise, are a potential major target for enforcement action under the GDPR if they suffer a data breach," Dautlich said. "However, perhaps the most high-profile data breach incidents to date have involved retailers, including the cases of Target and Home Depot, albeit both incidents occurred in the US. Criminals are targeting retailers in search of rich payment card data and other personal information of consumers. Their data security practices are likely to be placed most under scrutiny under the GDPR as a result."

"Data breaches are an unfortunate, near-unavoidable reality of conducting digital business. The potential regulatory fines stemming from a data breach - although set to increase dramatically - are only one facet businesses need to consider. Data breaches have an impact on the reputation of a company and, as the Target case shows, the careers of senior executives. Companies need to identify a suitable incident response plan for their business and rehearse it," Dautlich said.