Identifying and Reporting Data Breaches

No news is often good news, but when an organization experiences a data breach, no news — meaning failure to report the breach — is very bad news. Not only is not reporting a breach illegal in many cases, but it may also deprive a company’s clients or vendors of the chance to minimize the impact of the exposed data. The ensuing fallout can also damage client trust and brand reputation. With so much at stake, experts say that knowing how to recognize and report data breaches are crucial pieces of strong data security protocols.

Data Breach: How Does It Happen?

Although criminal hacks of large databases grab the biggest headlines, data breaches can take many forms. These include:

• Data accessed or deleted by an unauthorized third party.
• Deliberate or inadvertent alteration of data by an authorized user.
• Personal data shared with the wrong person, such as sending an email to the wrong address.
• Loss of a device, such as a laptop or cell phone, that contains personal data.
• Personal data unintentionally exposed on a company’s website or social media.
• Theft of login data.
• Confidential data distributed to a mailing list.
• Exposure of email addresses by using the CC, rather than BCC, function.
• Employees tricked — via email phishing or during a phone conversation — into revealing confidential data or downloading malware.

Given how many ways data can be exposed, it’s not surprising how common breaches have become. In 2020, criminal action exposed 37 billion records, according to RiskBased Security’s 2020 Year End Data Breach QuickView Report — “by far the most records exposed in a single year since RBS reporting began in 2005.”[1] These breaches are costly, too. In 2020, the average cost of a data breach was $3.86 million and the average cost per record was $146, according to Ponemon Institute’s Cost of Data Breach Report 2020.[2]

The threat is now so pervasive that experts assume every company will experience a breach at some point.

Data Breaches Can Be Hard to Identify

If a data breach happens to your organization, will you know it? That’s not a trick question. Studies show the average time it takes for companies to discover a data breach is almost 280 days.[3] Given that experts recommend responding to a breach as quickly as possible, a delay of more than six months is a serious problem. Some breaches are obvious — clients calling to report confidential information visible on your website, for example — but many go unnoticed if people aren’t trained to recognize the signs.

Although there is no single, foolproof way to spot a breach, some common warning signs should prompt further investigation. These include:

• Unfamiliar software or processes on one or more computers.
• Frequent crashes.
• Unusual user-related activity, such as logging in from new locations, logging in at off times or logging in from several locations within a short time.
• Sudden and/or unexpected system lockouts, password changes or changes in group memberships.
• Unusual activity during internet browsing, such as redirection to other sites or numerous pop-ups.
• Significantly increased network or system activity.
• Word from clients or vendors that they are receiving questionable emails or social media posts from you.

When it comes to a data breach, time is money. Experts recommend investigating potential breaches as soon as possible to minimize the possible costs.

Patchwork of Reporting Laws

If you do confirm a data breach, then what? One option is to report the breach; nothing legally limits your organization’s ability to do so. Some companies believe transparency helps them earn client trust. Others, meanwhile, say what clients don’t know won’t hurt them, particularly if the breach is small and/or no personal information was compromised.  

But you will not always have a choice. All 50 states (as well as the District of Columbia, the Virgin Islands and Puerto Rico) have laws requiring data breaches be reported in certain situations. The patchwork nature of these laws can make it challenging for companies to comply, particularly if they operate in several states; laws don’t always apply universally. Whether a breach must be reported may depend on:

• How many records were affected: A breach of a handful of files is different from a breach of many thousands of files.
• What kind of data was affected: A breach of medical data or Social Security numbers is more serious than email addresses.
• Where the breach happened: The law may only apply to people in a certain area, for example.
• What industry you’re in: The Health Insurance Portability and Accountability Act (HIPAA), for example, requires healthcare providers to report breaches involving 500 or more individuals within 60 days.[4]
• How the breach happened: A clerk accidentally sending the wrong medical chart is not the same as a criminal breach of thousands of records.

In addition, don’t shrug off the European Union’s General Data Protection Regulation (GDPR) on the grounds it doesn’t apply to your organization. The regulation applies to any entity holding data related to European citizens, so if you have European customers, that means you. Failing to report a data breach affecting those customers could cost as much as €10 million in fines (US$11.78 million).

To ensure compliance with all the data breach laws that may apply to your company, experts suggest:

• Mapping the laws that apply to your business.
• Documenting the breach reporting requirements of those laws.
• Following the most stringent law any time more than one law applies.
• Creating a policy formalizing your reporting process.

Reporting a Data Breach 

If you determine you have to report a data breach, the next two questions are: How do you report the breach and to whom?

It depends. Different laws have different reporting requirements, but some general principles shape them all:

• Once a company is aware of a data breach, the clock starts ticking. For example, while the California Consumer Privacy Act (CCPA) requires reporting in the “most expedient time possible without unreasonable delay,”[5] GDPR gives companies 72 hours and New Mexico, per its Data Breach Notification Act, grants companies 45 days to report a breach if it affects more than 1,000 residents.[6] But all laws require reporting within a specified time. That said, you may have more time to report a breach to customers than you do to report it to regulators.
• The authorities must always be informed of breaches, though which ones may vary. You may be able to report a breach to local law enforcement, though not all may have expertise in the area. If they don’t, contacting the FBI or Secret Service may be a better bet. GDPR requires reporting the breach to the Information Commissioner’s Office (ICO). And depending on the content of the breach and the nature of your business, you may have additional requirements. A publicly traded company, for example, may need to notify the Securities and Exchange Commission (SEC).

In addition to the authorities, you may also be required to report the breach to the media and to the people affected.

The Bottom Line

Data breaches are disruptive and costly, and adding the intricacies of reporting can be intimidating and frustrating. However, the price of not reporting can result in steep fines and negative publicity. If you’d like to avoid that scenario, train your staff to watch for signs of a breach, familiarize yourself with applicable reporting laws and take action at the first sign of trouble.

[1] “2020 Year End Data Breach Quickview Report,” RiskBased Security

[2] Cost of Data Breach Report 2020, Ponemon Institute/IBM Security

[3] Ibid

[4] “Submitting Notice of a Breach to the Secretary,” U.S. Department of Health & Human Services

[5] California Consumer Privacy Act, California Legislative Information

[6] New Mexico Data Breach Notification Act, New Mexico Legislature