The Real Problem with GDPR and Data Breach Reporting
Al Berman, President, DRI Foundation
While much has been written about the protection of privacy and data provided for by GDPR, both from the controller and the processor perspective, the reality is that the real threat, the one that keeps cyber experts up at night, is what happens after all our preventive efforts fail and a data breach occurs. Cyber intrusion has become so common that we no longer find it to be news at all.
While GDPR uses exceedingly strong language and penalties for failure of organizations to inform, protect, and be transparent with data, that same rigor and force isn’t equally applied to data breaches caused by cyber thieves. Where GDPR is tough on corporate accidents and carelessness, it’s soft on crime.
What GDPR Says
Article 34(1) of GDPR states: “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
Article 33(1) covers notification to the regulator. In summary, data controllers are required to report a personal data breach to the competent Supervisory Authority (SA) without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects. If the notification is made after the 72-hour period has expired, the data controller must provide the reasons for the delay. The remainder of Article 33 sets out the content of the notification, the processor’s duty to notify the controller, and the requirement that the controller document every breach.
What GDPR Actually Means
On the surface, this seems reasonable. Dig a little deeper, though, and the reality of GDPR is that it allows the controller (who had the responsibility to protect your data) to determine whether the breach is “unlikely to result in a risk to the rights and freedoms of data subjects,” and, separately, whether it is “likely to result in a high risk” and therefore warrants telling the affected individuals at all. However, a breach of personal data that could not cause damage is almost inconceivable. Without a clearer definition of which data causes risk, the controller may subjectively determine that a loss would not risk “the rights and freedoms of natural persons.” Article 33(5) does require the controller to document every breach, including those it decides not to report, so that the SA can verify compliance afterwards, but that check only operates after the fact and only if someone asks. In practice, this reduces GDPR to little more than a judgement call, leaving the door open for more situations like this one:
In 2017 a major credit rating agency (“MCRA”) had a breach that resulted in more than 145 million individual records being stolen. The records contained date of birth and social security numbers for almost all records, with some also containing credit card and driver’s license information. MCRA did not immediately alert the public of the breach, delaying disclosure until insiders sold their stock. Only then did MCRA announce the breach.
Additionally, under GDPR, if the controller decides not to inform the Supervisory Authority, other organizations exposed to the same cyber threat receive no notice from the authorities. Detection elsewhere is delayed, and more damage is done before the same attack is recognized.
Too Little, Too Late
GDPR takes great pains to protect the rights of persons who have willingly given information to lawful organizations for properly authorized care, penalizing those organizations heavily if they fail to exercise due care over this information. However, once this information is compromised, the standard of due care becomes almost entirely subjective.
For example, if Company A sells personal data to Company B without adhering to GDPR requirements, it is subject to punishing fines. But if the information is stolen, GDPR leaves disclosure to the controller’s discretion, as opposed to requiring an immediate announcement of the breach so that those affected can diligently examine their activities (purchases, new credit agreements, financial transactions, etc.) and detect spurious activity sooner rather than later.
In the current state of detection and minimizing impact after a breach, we face the daunting reality that the breach may have occurred a substantial time before it was detected. The latency or lag time (the time from when a breach occurs until it is discovered) has ranged anywhere from four days to more than four months. In the case of the MCRA example, the original penetration started in mid-May and was not discovered until late July.
There have been instances where the lag time has exceeded six months! Every day of lag is a day in which the affected individuals cannot watch for misuse of their data. Therefore, notifying those affected must take place as soon as possible. It should not be left to those who were unable to protect the data to determine when, or if, they should notify data subjects; the notification should be mandatory and performed with due dispatch. Otherwise, it’s a classic case of the fox guarding the hen house.