Data breaches are every organization’s worst nightmare and sometimes an unavoidable part of working with customers’ data. Customer data is essential for keeping track of performance (analytics) and is a critical component of regular business operations across industries. Still, statistics reveal that data breaches are almost inevitable, with 45% of US companies experiencing a data breach in 2021.
While you can’t stop working with customer data or guarantee that your organization won’t experience a breach, you can determine how you respond when a breach occurs. Discovering and containing a data breach takes time: organizations take an average of 80 days to contain a breach after it’s discovered.
Once you’ve identified the breach, the first decision you need to make is how, when, and to whom to report it. This article breaks down the legal requirements for reporting a breach according to the two most commonly used privacy standards – the European GDPR and California’s CCPA.
What to Consider Before Reporting a Breach
Before you report a breach, you need to look at several factors that come into play. The first is what’s legally required of your organization by the regulatory bodies that have jurisdiction over you. The second consideration is your organization’s official transparency policy (disclosing the breach to affected parties and the media). These two factors will control your response to the breach.
While we’ll discuss your legal requirements later, transparency is less clear-cut. Some breaches are too minor to fall under legal requirements, and the decision of whether to publicize or report the breach lies in the organization’s hands. Although reporting a breach to customers can foster a feeling of trust, be prepared for adverse reactions. Not informing customers of a breach can also lead to negative consequences if the customers learn of the breach by other means.
How the GDPR Defines a Breach
The GDPR applies to any organization that stores data belonging to EU citizens. Officially, the GDPR only applies to breaches that involve personal data. The GDPR defines personal data as:
“… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This includes publicly accessible and personal details such as their name, ZIP code, phone number, or health records.
A data breach is defined as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
These breaches usually occur when cybercriminals intentionally access an organization’s database, whether by exploiting vulnerabilities or through employee negligence. Regardless of its cause, a data breach that puts consumers’ privacy at risk will result in regulatory action under the GDPR.
Reporting a Breach per the GDPR
Not all security incidents fit the criteria outlined in the GDPR, so it’s essential to confirm that your incident is classified as a personal data breach. The GDPR requires organizations to report incidents to an authorized supervisory authority within 72 hours of discovering the incident, and failure to do so can result in severe consequences, including fines of up to €20 million ($20.9 million) or 4 percent of a company’s annual global turnover, whichever amount is higher. Recital 85 of the GDPR outlines some of the potential consequences for the individuals associated with the PII when a breach is not reported quickly (such as physical, financial, or emotional damage to the data’s original owner, or loss of control over the data leading to cybercrimes including identity theft, fraud, and confidentiality breaches), so assessing the situation should be the first and most urgent task on your breach’s to-do list.
Once the incident has been classified as a personal data breach, the organization must identify the proper authority to report the breach to. Companies within the EU must report to their member state’s supervisory authority, as defined in Article 51. In addition, organizations without an officially established presence in the EU that have experienced a breach involving the data of EU citizens must report the incident to the supervisory authorities in each state that was affected by the incident or in which they are active.
Affected individuals can also be informed directly, for example by sending them an email, or through a public statement. While the GDPR may not specifically require this, it can improve the organization’s reputation for transparency and helps affected parties respond to the exposure of their information.
The GDPR Data Breach Report – What Needs to Be Reported?
While notifying the relevant authorities and affected individuals is important, knowing what information needs to be included in the report is also critical. Some of the essential facts include:
- The date the breach occurred and how it was discovered
- What types or categories of personal data were impacted by the breach
- The severity of the breach – This includes the types of records that were lost and the number of users affected
- The potential impact the breach can have on affected customers
- The impact on the organization in terms of operations and services
- How long it will take for the organization to recover from the breach
- What measures are being taken to repair the breach and prevent future incidents
- The name and contact details of the organization’s Data Protection Officer (DPO), from whom additional information about the incident can be obtained
When informing customers affected by the incident, share details such as the nature of the breached data and steps the customer can take to mitigate the incident’s damage. Additionally, depending on the industry, reporting a breach under the GDPR may also require reporting the incident under other regulations, such as HIPAA or PIPEDA, or to other local bodies.
How the CCPA Defines a Breach
Unlike the GDPR, the CCPA is not a national regulation. Instead, it applies only to the State of California. But its comprehensive and reliable status makes it a benchmark for other regulators, and understanding its requirements is essential. The CCPA defines a breach as occurring when:
“nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
The consequences for violating CCPA guidelines range from penalties of $2500 per violation to a fine of $7500 for each violation committed intentionally after notice and a 30-day opportunity to repair the breach have been granted. Additionally, damages and relief must be provided to affected parties. For a data breach to fall under the CCPA’s jurisdiction, it must include personal information as defined by California’s Data Breach Notification Law, Section 1798.81.5, not by the CCPA itself. This definition is narrower: an individual’s first name or initial and last name, in combination with one or more of the following:
- Driver’s license number, ID card number, tax identification number, or any other unique identifying number issued by the government
- Social security number
- Medical information
- Health insurance information
- Account number or credit or debit card numbers with security or access codes that would allow access into the customer’s account
- Biometric data based on physical characteristics used to identify the individual, such as a fingerprint, retina, or iris image
How to Report a Breach per the CCPA
The CCPA requires businesses to protect their data with reasonable security measures. Failure to protect information that results in a breach requires that the organization notify the proper authorities as soon as possible. Organizations are required to contact any Californian residents affected by the breach, and if the incident affects over 500 residents, the state’s Attorney General must also be notified.
The CCPA has strict formatting requirements for the notice, requiring it to be written in plain language, titled “Notice of Data Breach,” with clear and visible headings and titles, and text no smaller than 10-point type. If issuing such a notice to each affected party would cost over $250,000, if more than 500,000 individuals are affected, or if the company doesn’t have up-to-date contact information for individual customers, the organization must instead take all of the following steps:
- Post clear and conspicuous information on the breach on the organization’s website for a minimum of 30 days (this can include a link to the full notice located on the home page, in large text or visibly bright colors)
- Notify major statewide media and organizations based in California, and notify the California Office of Information Security
The CCPA Data Breach Report – What Needs to Be Reported?
The report must include the following essential information:
- The organization’s name and contact information
- A summary of the incident
- Details of the categories of personal information involved in the breach
- The timing of the breach (date, date range, or an estimated date for when the breach occurred)
- Phone numbers and addresses of credit reporting agencies, if the breach included social security numbers, driver’s license information, or California identification card numbers
In these cases, organizations must also offer identity theft prevention services at no cost for at least 12 months and provide affected parties with the information they need to use these services.
Optional information to include:
- The measures the organization has taken to protect customers affected by the breach
- Advice to affected customers on what measures to take to protect themselves
Reporting a Breach in US States Not Covered by the CCPA
While the first response to any breach is always to secure the network and address any newly discovered vulnerabilities, most states have legal guidelines that organizations need to follow after a breach. As under the CCPA and the GDPR, notifying the relevant authorities is a legal requirement in all US states, the District of Columbia, Puerto Rico, and the Virgin Islands. Notification may involve releasing a public notice of the breach, contacting the State’s Attorney General, and contacting law enforcement (local police, the FBI, or the US Secret Service). In some cases, all three must be contacted.
Other regulations vary not by location but by industry. For example, if the breach involves electronic personal health records, you must check whether your breach falls under the Health Breach Notification Rule. If this rule applies, you will need to notify the FTC and, in some cases, the media. You will also need to investigate whether you are covered by the HIPAA Breach Notification Rule. If so, you will need to fill in the notification form to notify the Secretary of the US Department of Health and Human Services (HHS) and, in some cases, the media as well.
Responding to a Data Breach
While the GDPR and CCPA are far from the only regulations that require a data breach report, their comprehensive requirements offer a good starting point. Although experiencing a data breach can feel like a significant setback, responding correctly and quickly can help mitigate the damage it causes. Additionally, implementing protective measures to guard your most sensitive data before a breach occurs may not prevent a breach, but it can reduce the damage a breach causes by preventing or limiting access to PII.