Throughout the globe, regulatory bodies are tightening their grip over companies and organizations that handle personal information, enforcing more stringent data and privacy rules and mandating breach notification. Data breach notification laws regulate how companies notify their customers of data breaches involving the exposure of personal information, including when to report, what to report and to whom.
This in itself has been going on for a while, and has slowly grown to encompass almost every state in the U.S. and nation in the world. As of March 2017, nearly every state and U.S. territory has data breach notification laws in place (See map here: http://www.dwt.com/statedatabreachstatutes/).
What is more concerning for organizations is that breach notification times are rapidly shrinking.
The standard “breach notification” stopwatch was until very recently set to a leisurely time frame of 60 days, as established in the HIPAA regulation. Most US states require a notice within 45 days of the breach, with three major exceptions. Florida requires notifying the owner of the personal information within 10 days of discovering the breach, the New York Department of Financial Services regulation (which went into effect March 1, 2017) imposes a mandatory breach notification period of 72 hours, and Georgia requires notification within a mere 24 hours.
Other countries are updating their laws as well. Effective 2018, Australia will require any organization currently subject to the Privacy Act to investigate all data breaches within 30 days. Similarly, the EU General Data Protection Regulation (see the full document at http://ec.europa.eu/justice/data-protection/) states that in the case of a personal data breach, the controller will have to notify the authorities (and in some cases the affected users) within 72 hours of becoming aware of it.
These requirements were put in place to hasten the investigation process and allow potentially impacted parties to minimize the risk. However, before notifying anyone, the company or organization must first determine whether it is an “eligible data breach.” As the Australian regulator put it (and most regulations are quite similar in this respect), an “eligible data breach” is defined as follows:
- There has been unauthorized access to, or unauthorized disclosure of, private information; and
- A reasonable person would conclude that this access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates.
As such, breach responders need to do two things quickly:
- Find the source of the breach and mitigate it.
- Identify which information was compromised and determine the potential impact.
A recent SANS survey of IR professionals found that the length of time between incident detection and remediation ranges from 2-7 days (27% of responders) to longer than a month (40%). With such long remediation times, it’s going to be challenging for organizations to adhere to breach notification regulations using their current tools. As such, it’s no wonder that a recent Gartner survey found that teams are willing to automate a portion of their remediation tasks if the right tools are available. As there is no better driver for cybersecurity procurement than fine-bearing regulation, we foresee that many more organizations will soon equip themselves with such tools, including machine learning-based systems, automatic investigation tools and big data analytics modules.