It’s fair to say that 2014 was the year of the data breach.
That’s backed up by PwC’s Global State of Information Security survey of almost 10,000 business and IT executives, which shows the number of incidents detected up 48 per cent on last year to 42.8 million worldwide.
If that in itself isn’t worrying, then what should really be making businesses across Europe sit up and take note is the new EU General Data Protection Regulation (EU GDPR) looming on the horizon.
Put simply, if this update to European data protection laws is implemented in line with the current draft version it will be a game changer for data breach reporting. There are still plenty of hoops to jump through before that happens. The member states are still at loggerheads over several key parts of the proposed legislation and it currently looks unlikely agreement will be reached before 2016. Even after that there will then be a two-year transition period for individual countries to implement it at a national level.
However, the latest proposal would make it mandatory for companies to report a breach of personal data to the supervisory authority “without undue delay and, where feasible, within 72 hours”. It’s important to note here that this isn’t about the reporting of all security breaches in an organisation. The legislation specifically applies only to personal data breaches that might lead to “physical, material or moral damage” to individuals, such as identity theft, financial loss or damage to reputation.
And this will be backed up by stiff penalties. According to the current draft, failure to comply with the EU GDPR could lead to fines of up to €100m or five per cent of annual turnover.
Here at Intel Security we commissioned a survey by Vanson Bourne of 450 IT decision-makers across eight major European countries and the US (because the EU GDPR will cover non-EU companies operating in the EU or transferring data across its borders) to find out how prepared companies are.
Only 35 per cent in the Vanson Bourne survey said they have the capacity to report a breach within 72 hours. The average was eight days and a fifth admitted it would take them between two weeks and a month. There are variations across countries, however. In the UK some 54 per cent of companies claim to be able to report a breach within 72 hours, while in Spain and Italy that is just 22 per cent and 20 per cent respectively. And across the whole survey there’s an extremely worrying seven per cent in the ‘don’t know’ category.
There are also other reasons why companies can’t – or won’t – meet these regulations. In our survey 34 per cent said reporting a breach is too expensive, while 30 per cent even admitted they would rather risk a fine than report a breach because of the “stigma” and bad PR that would come their way. And that really isn’t a factor to underestimate.
All this means organisations will need to place greater emphasis on building privacy into processes and data life cycles, along with audits and privacy impact assessments. It also means having internal data breach incident response procedures agreed, rehearsed and locked down – a topic I’ll be exploring in more depth in a future post.
Technology also offers a way of helping organisations prepare for the EU GDPR by ensuring stronger data protection. For example, as it stands the EU is proposing lighter consequences when data that has been compromised has been encrypted or safeguarded by “appropriate technological protection measures.” In this case there would be no mandatory obligation to report the breach to the authorities or the individuals affected.
So how ready is your organisation for these changes? How confident are you about how quickly your company could both detect and then report a personal data breach to the regulator and the individuals affected?