With the recent Equifax data breach that put 145.5 million people at risk, there is a lot of discussion about cyber regulations. Equifax got a lot of criticism over how it handled the incident and for how long it took them to inform people that their data had been accessed by hackers.
The initial hack took place back in May 2017, but the company was not aware of it until July, and it only informed the public more than a month after that. This has brought a lot of discussion on whether keeping it secret from the public was the right thing to do, especially because it involves tens of millions of people and highly sensitive information. But there are a lot of things to consider when it comes to the time frame in which an incident needs to be reported. And while regulations vary from state to state in America, Europe has introduced new regulations that will force companies to reveal a breach within 72 hours of its discovery. This raises the question of whether America should do the same.
Europe’s new regulations
The new General Data Protection Regulation, GDPR in short, which goes into effect in May 2018, will introduce new laws on how personal data and data breaches should be handled. It aims to give citizens back control over their personal data. It also ensures that people will be informed of a breach shortly after the incident takes place.
Companies will be obligated to report an incident within 72 hours of discovery. Failing to comply will result in a fine equal to 4% of their global revenue or 20 million euros. And it is not just European companies that will have to act in accordance with these regulations. Companies outside Europe will also have to comply if they handle the data of European citizens.
This will force some American companies to revise how they handle customer data. And once they have built infrastructure that handles customer information in accordance with European law, it is unlikely that they will treat the data of American citizens differently.
The new regulations are not without open questions. The time frame of 3 days has caused some confusion about when exactly the clock starts ticking. It has also been pointed out that data breaches are not always kept secret out of self-interest.
Why delays in data breach disclosure happen
There are quite a few reasons why a data breach might be withheld from the public for some time, and it may not be solely because of a company’s self-interest. The law enforcement agency that is cooperating with the company may not want to ruin the investigation by revealing too much too soon. Or the full scale of the incident may not yet be known, and companies want to wait until they have all the facts before causing a panic. But on the other hand, if your personal information was in a data breach, you have a right to know.
“My general experience is it takes multiple days or weeks to really get your arms around what has happened and to balance this against what the adversary is going to do with the data,” Michael Daniel, president of the Cyber Threat Alliance, told NBC News. “The return on the value of the data decreases rapidly, but on the other hand you also very frequently learn a lot more when you really dig into the forensics.”
That is not to say that self-interest does not play a role in this. High-ranking Equifax executives, for example, sold 2 million dollars’ worth of stock before the breach was publicly reported. And a large-scale incident would ruin a company’s reputation for a long time, if not permanently, so not reporting it at all would be beneficial to them.
The way things are going, data breaches will become more and more common, and something needs to be done. That probably involves clear regulations when it comes to breaches. After all, it is our data that is at the center of it all.