Breach Notification: Poor Transparency Complicates Response
In US and Europe, Breached Organizations Too Often Don't Share Full Details
Anyone trying to make sense of data breach trends faces a transparency challenge. Too often, a lack of detail undercuts consumers' ability to assess their identity theft risk and businesses' ability to block emerging attacks or ensure that their supply chains remain secure.
In the United States, every state now has a data breach notification requirement. These exist to notify consumers in the event that their unencrypted personal data might have been exposed, not least because it can leave them at elevated risk of identity fraud.
But notification rules alone don't require organizations to detail how they got breached. In addition, many notifications include scant details about what happened. For businesses that procure software or services from others, data breach transparency shortfalls mean they might never know if a software or other service provider suffered a hack attack that might, by extension, have put all of its customers at risk.
In Congress, legislation that would require mandatory data breach disclosures continues to get introduced, and to fail. Since Joe Biden became president, however, multiple federal regulators have begun to look at implementing their own, mandatory breach-reporting rules. The Securities and Exchange Commission, for example, earlier this month opened a 30-day public comment period on its proposal to require organizations it regulates to publicly disclose cybersecurity risks and "significant incidents," among other requirements.
At the state level, only California, Colorado and Virginia have dedicated privacy laws on the books, although the Virginia Consumer Data Protection Act and the Colorado Privacy Act won't take effect until 2023. All of the laws add much stronger consumer protection, including the ability to access, change or order the deletion of most types of personal data held by businesses.
Unfortunately, data breach experts continue to see increasing transparency shortfalls, both from organizations that fall victim and from regulators. In 2020, for example, 209 consumer breach notifications lacked important details, while in 2021, 607 breaches lacked such details. So says the Identity Theft Resource Center, a nonprofit organization based in San Diego, California, that provides no-cost assistance to U.S. identity theft victims to help resolve their cases (see: Data Breach Trends: Global Count of Known Victims Increases).
"The lack of actionable information in breach notices prevents consumers from effectively judging the risks they face of identity misuse and taking the appropriate actions to protect themselves," ITRC says in its latest Annual Data Breach Report, looking at 2021 trends. "A decrease in timely notices posted by states, including one state that updated breach notices in December 2021 for the first time since the fall of 2020, also prevents consumers from taking action to protect themselves and organizations that assist identity crime victims from offering timely, effective advice."
"This is a troubling trend for us," James E. Lee, COO of ITRC, told my colleague Anna Delaney in a recent interview. "Now, more organizations are not reporting details, or not reporting the level of details that they have historically. So, in many cases, we might know that … it was a cyberattack; we just know there was a breach. But we don't know why. We don't know how. We don't know how many people were impacted. We don't know how long it took to resolve. We don't know how it was found. All of those kinds of details are very important in preparing other people to prevent similar events."
Lee also said some states' breach notification rules are better than others. For example, if you reside in Alabama and your passport number gets exposed, state law requires that you be notified. But if you're in Mississippi, there's no legal requirement that you be notified.
Privacy Rights in Europe
The three state laws offering better consumer protection are all inspired by the EU's General Data Protection Regulation, which has been in full effect since May 2018. But even in Europe, the data breach picture isn't always clear.
While organizations that suffer a breach involving people's personally identifiable information are required to inform their data protection authority within 72 hours, this information does not necessarily get made public, although a data protection authority would tend to require an organization to issue a public alert if it would help safeguard consumers (see: Privacy Fines: GDPR Sanctions in 2021 Exceeded $1 Billion).
When a DPA investigates an organization, the findings of that investigation, and any resulting fines, also do not always get made public. Furthermore, when fines do get made public, they're sometimes not classified as being levied under GDPR, but rather another regulation such as the EU's e-Privacy Directive.
Law firm DLA Piper conducts an annual survey covering every jurisdiction where GDPR applies: the 27 EU member states, the U.K., and European Economic Area members Norway, Iceland and Liechtenstein. The law firm asks each jurisdiction for full details of who was fined, and for how much, over the preceding 12 months. But in its most recent study, it noted that "several" countries "only provided incomplete statistics or statistics for part of the period covered."
Last year, for example, Luxembourg imposed a fine of 746 million euros ($837 million) against an unnamed U.S. online retailer and e-commerce platform, according to DLA Piper's report. More information about the fine "is not publicly available and is subject to an ongoing appeal," it says.
This and other factors continue to contribute to our unnecessarily incomplete view of the data breach picture.
Furthermore, based on the information that does get reported, all signs point to the data breach problem not getting any better. That much, at least, does seem clear.