With the recent Equifax data breach that put 145.5 million people at risk, there is a lot of discussion about cyber regulations. Equifax got a lot of criticism over how it handled the incident and for how long it took them to inform people that their data had been accessed by hackers.
Europe’s new regulations
The new General Data Protection Regulation, GDPR for short, that goes into effect in May 2018, will introduce new laws on how personal data and data breaches should be handled. It aims to give control over their personal data back to the citizens. It also ensures that people will be informed of a breach shortly after the incident takes place.
Companies will be obligated to report an incident within 72 hours of discovery. Failing to comply with this will result in them having to pay a fine equal to 4% of their global revenue or 20 million euros. And it is not just European companies that will have to act in accordance with these regulations. Companies outside Europe will also have to comply if they handle European citizens' data.
This will force some American companies to revise how they handle customer data. And once they come up with infrastructures that can handle customer information in accordance with the European law, it is unlikely that they will treat American citizens' data differently.
The new regulations are not without questions. The time frame of 3 days has caused some confusion about when exactly the clock starts ticking. And it is also pointed out that data breaches are not always kept secret because of self-interest.
Why delay in data breach disclosure happens
There are quite a few reasons why a data breach would be withheld from the public for some time, and it may not be solely because of a company's self-interest. The law enforcement agency that is cooperating with the company may not want to ruin the investigation by revealing too much too soon. Or the full scale of the incident may not be known, and companies want to wait until they have all the facts before they cause panic. But on the other hand, if your personal information was in a data breach, you have a right to know.
“My general experience is it takes multiple days or weeks to really get your arms around what has happened and to balance this against what the adversary is going to do with the data,” Michael Daniel, president of the Cyber Threat Alliance, told NBC News. “The return on the value of the data decreases rapidly, but on the other hand you also very frequently learn a lot more when you really dig into the forensics.”
That is not to say that self-interest does not play a role in this. High-ranking Equifax executives, for example, sold 2 million dollars' worth of stock before the breach was publicly reported. And a large-scale incident would ruin a company's reputation for a long time, if not permanently, so not reporting it at all would be beneficial to them.
The way things are going, data breaches will become more and more common, and something needs to be done. That probably involves clear regulations when it comes to breaches. After all, it is our data that is at the center of it all.