Too Much or Too Little? The Risks of Under- or Over-Reporting Data Breaches
Given the complexity of data breach notification laws, companies are often found under- or over-reporting data breaches.
These data privacy and security incidents occur all the time; the 2022 Verizon Data Breach Investigations Report covers a mind-boggling 23,000 incidents and 5,200 confirmed breaches from around the world. Incidents come in all shapes and sizes—electronic, paper, even verbal or visual. They can be as simple as an improperly mailed billing statement or as complex as a highly coordinated cyber-attack on millions of consumers’ financial records. Every single one of these incidents must be risk assessed to determine if they are breaches requiring notification.
At the heart of every risk assessment is a mosaic of always-changing, ever-increasing breach notification obligations. Compliance is always a moving target, as the following list demonstrates:
- All 50 states have breach notification laws, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. This year alone, multiple states have implemented amendments or new laws regarding breach notification requirements.
- Industry-specific laws such as NAIC, GLBA and HIPAA.
- The EU General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, expanded the definition of personal data to include “any information relating to an identified or identifiable natural person.” This is a far broader interpretation than the U.S. definition of personally identifiable information (PII) or protected health information (PHI).
- PIPEDA, Canada’s federal privacy law, added a mandatory breach notification and record keeping amendment that went into effect on November 1, 2018 and is designed to harmonize with the more expansive view of personal data that we see under GDPR.
- Australia’s breach notification “scheme,” as it’s called, became effective in February 2018.
- CCPA, California’s very own privacy law, which went into effect January 1, 2020, requires business privacy policies to include information on consumers’ privacy rights and how to exercise them
- PIPL, China’s first comprehensive legislation regulating the protection of personal information and data came into effect November 1, 2021.
- Other countries have released mandatory breach notification laws; while others are still in the early stages – either recommending notification, or discussing future legislation.
With so many laws and so many incidents, it’s not surprising that many companies often under- or over-report data breaches. Yet doing so carries significant risk to both organizations and individuals.
The dangers of over-reporting
Some privacy professionals have the mistaken belief that by reporting every single incident they are meeting their notification obligations. The opposite is true. Failing to assess the sensitivity of exposed data and the severity of each incident to determine the potential risk of harm—and thus your obligation to notify or not—is, in fact, noncompliance and can actually harm your business.
Over-reporting data breaches can erode the confidence that customers, patients, members, partners, and others have in your ability to protect their privacy. They may wonder just how secure your business is if you continually report breaches, even minor ones. That can cost you… a lot. The number one driver of brand trust among global consumers is that a brand respects and protects customers’ data, privacy and security. Traditionally viewed as a “soft corporate issue,” protecting consumers’ privacy has a very real impact on the bottom line.
Regulators, too, may wonder what’s amiss and subject you to greater regulatory scrutiny. Before the GDPR came into effect in May 2018, the Irish Deputy Data Protection Commissioner warned that data controllers must perform a risk analysis before making a notification and that controllers who over-notify could face enforcement action. Despite this advice, the UK Deputy Information Commissioner reported that the ICO received approximately 500 calls a week to its breach reporting line.
Under-reporting is dangerous, too
Equally risky is under-reporting data breaches. By missing notification requirements, organizations may face significant fines and penalties. WhatsApp was fined $255 million for a series of cross-border data protection infringements under the General Data Protection Regulation (GDPR). And Amazon, received one of the biggest GDPR fines to date at $847 million for failing to disclose a massive cybersecurity breach to investors.
As with over-reporting, failing to notify diminishes consumer confidence and thus can take a financial toll. Regarding the trust issue, Michael Lyman, senior managing director at Accenture Strategy, said, “Our research proves that no company is immune to the impact of a drop in trust on the bottom line. U.S. companies must adopt a top-down culture that fully bakes trust into the company’s strategy, operations and broader DNA. Those who don’t are putting their future revenues at risk.”
Under-reporting is like sticking your head in the sand—just because you don’t report, doesn’t mean there are no breaches. And organizations with a low volume of incidents may simply not be detecting all their incidents. But ignorance of the law is not a defense, and aside from running the risk of failing to report something that should be reported, these companies are also missing out on opportunities to identify areas for potential improvement and training to reduce future breach risks.
Is accurate, compliant privacy reporting even possible?
Often, organizations have inconsistent, manual processes for breach determination that are subject to human bias and interpretation. Add that to the complexity of notification laws and the high volume of incidents, and it’s no wonder that so many privacy professionals miss the mark when it comes to reporting data breaches.
That being said, it is possible to report only the breaches that need to be reported in accordance with regulations—nothing more, nothing less. Instead of manual, ad-hoc processes, organizations need to adopt a method for incident management that is:
→ Consistent for all incident types
→ Automated to ensure timeliness and accuracy
→ Multi-factor—e.g., weighs data sensitivity and incident severity to determine likelihood of harm
→ Defensible, with documentation to support the decision to notify or not notify
→ Updated with the latest state, federal, international, and industry regulations to ensure compliance
→ Scalable to support a growing number of incidents
Reporting doesn’t have to be ad-hoc or painful. The right software tool can take the subjectivity and inconsistency out of the incident management process, so you can ensure proper, compliant notification to the right people at the right time.
Related reading:
- PIPEDA’s New Mandatory Breach Notification and Recordkeeping Requirements: How Do They Compare with the GDPR and U.S. Regulations?
- Scaling the Privacy Program: Technology Eases Change Management for Fortune 20 Company