Incident response

When and how to report a breach: Data breach reporting best practices

Susan Morrow
September 3, 2020 by
Susan Morrow

One day you go into work and the nightmare has happened. The company has had a data breach. This scenario plays out, many times, each and every day, across all industry sectors. In 2019, cybercriminals were hard at work exposing 15.1 billion records during 7,098 data breaches.

When you walk into work and find out that a data breach has occurred, there are many considerations. One of these is when and how do you go about reporting a data breach

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

What should a company do after a data breach?

You mean feel like you want to run around screaming when you hear about a data breach, but you shouldn’t. How to deal with a data breach should already be part of your security policy and the next steps set out as a guide to keeping your sanity under pressure. 

Each organization will have its own set of guidelines on dealing with breached data, be that maliciously or accidentally exposed. But typical steps will involve:

  1. Knowing what has been breached and how: This may take some time, but you need an understanding of the root cause of the breach and what data was exposed
  2. Clean-up operations: From the evidence you gather about the breach, you can work out what mitigation strategies to put in place
  3. Communication: You will need to communicate to staff and any affected individuals about the nature and extent of the breach. More importantly, you will have to inform affected individuals about what data has been exposed, particularly regarding Personally Identifiable Information (PII) or Protected Health Information (PHI)

An important note on communication and breach notification

Official notification of a breach is not always mandatory. The rules on data breach notification depend on a number of things:

  1. The extent of the breach, i.e., how many data records were affected
  2. The type of data, i.e., what type of data was exposed
  3. The geography of the breach: Some data protection laws only apply to certain geographies or certain users in a given geography
  4. The industry it occurs in, i.e., industry-specific rules on data breach notification

Some examples of data breach notification requirements

The decisions about reporting a breach comes down to two things:

  1. Do you have to report the breach under the given rules you work within?
  2. Does your organization have a policy of transparency on data breaches, even if you don’t need to notify a professional body?

Before discussing legal requirements on breach notification, I’ll take a look at transparency.

There is no right and wrong when it comes to making a policy decision about reporting minor breaches or those that fall outside of the legal remit to report. This is a decision a company makes based on its profile, customer base and ethical stance. Some argue that transparency is vital to maintain good relations with customers: being open, even about a bad thing, builds trust. Others argue that what you don’t know doesn’t hurt you.

If you do notify customers even without a legal obligation to do so you should be prepared for negative as well as positive responses. However, lessons can be learned from other organizations who decided to stay silent about a data breach. For example, Uber attempted to cover up a data breach in 2016/2017. The breach was eventually exposed to the press and the end result was a regulatory non-compliance fine of $148 million, very bad publicity and a loss of trust in their data protection approach. Also, two security team members were fired for poor handling of the data breach. 

Reporting a HIPAA breach and the OCR

The HIPAA Breach Notification Rule (BNR), applies to healthcare entities and any associated businesses that deal with an entity, e.g., a health insurance firm. The BNR reflects the HIPAA Privacy Rule, which sets out an individual’s rights over the control of their data. The Privacy Rule covers PHI and there are 18 types to think about, including name, surname, zip code, medical record number and Social Security Number.

The Breach Notification Rule states that “impermissible use or disclosure of protected health information is presumed to be a breach”. However, the BNR adds caveats to this definition if the covered entities can demonstrate that the PHI is unlikely to have been compromised. To determine this, the rule sets out several criteria which form a risk assessment guide to cover the situation:

  1. To what extent has the PHI been exposed and the likelihood the exposed data could be used to identify a patient
  2. Who exposed the data, i.e., was this an accidental leak (for example, a doctor gave the wrong nurse a patient’s details) or a cybercriminal targeted attack?
  3. Was the PHI taken or only viewed?
  4. What mitigation efforts in protecting the stolen PHI have been put in place?

Further notification criteria when reporting a HIPAA breach:

  • Covered entities (business associates) must be notified within 60 days (ideally less, so they have time to send notices out to individuals affected)
  • Notification must be made to affected individuals within 60 days of discovery. The notice must contain certain relevant details, including description and date of the breach, types of PHI affected and how the individual can protect themselves from further harm
  •  HHS.gov must be notified if the breach affects 500 or more individuals. To make notice, an organization must fill out an online form on the HHS website. If the breach affects fewer than 500 individuals, companies can do an annual notification to HHS
  • The media must be informed if the breach affects 500 residents of a state or jurisdiction

Once a breach notification under HIPAA has been made, the breach details are added to the “Wall of Shame,” aka the Office of Civil Rights (OCR) portal that displays OCR reporting of all PHI breaches affecting over 500 individuals.

Federal data breach notification laws

The US has a mosaic of data protection laws. However, most states, including the District of Columbia, Puerto Rico and the Virgin Islands, now have data protection laws and associated breach notification rules in place. Any organization working in the US must understand the laws that govern in that state that dictate breach notification.

An example is the South Dakota data privacy regulation, which took effect on July 1, 2018. The rules on reporting of a data breach in the state are:

  1. If the data breach affects more than 250 individuals, the report must be done using email or by post
  2. The notification must be made within 60 days of discovery of the breach
  3. If a notification of a data breach is not required, documentation on the breach must be kept for 3 years
  4. The regulation provides a “Harm Threshold” — if an organization can demonstrate that the breach would not likely harm the affected individuals, no breach notice will be needed
  5. The Attorney General must be notified if the breach affects more than 250 South Dakota residents

Many of the data breach notification rules across the various states are similar to the South Dakota example.

California data breach notification law and the CCPA

California has one of the most stringent and all-encompassing regulations on data privacy. The California Consumer Privacy Act (CCPA) came into force on January 1, 2020. The law applies to for-profit companies that operate in California. Other criteria are required for the rules of CCPA to impact a business: for example, an organization has annual gross revenues over $25,000,000. The CCPA covers personal data — that is, data that can be used to identify an individual. This Includes name, Social Security Number, geolocation, IP address and so on.

California also has its own state data protection law (California Civil Code 1798.82) that contains data breach notification rules. The CCPA leverages the state data breach notification rule but makes an amendment on the timescale to notify authorities about a breach discovery. The CCPA specifies notification within 72 hours of discovery. This is in contrast to the California Civil Code 1798.82, which states a breach notice must be made in the “most expedient time possible and without unreasonable delay”.

It is worth noting that the CCPA does not apply to PHI covered by HIPAA.

To notify or not to notify: Is that the question?

When making a decision on a data breach notification, that decision is to a great extent already made for your organization. To ensure that your business does not fall through the data protection law cracks you must be highly aware of the regulations that affect your organization in terms of geography, industry sector and operational reach (including things such as turnover). To ensure compliance with the regulations on data breach notification expectations:

  1. Map the regulation to your organization — which laws fall under your remit to comply with?
  2. Document the data breach notification requirements of the regulation(s) that affect you
  3. Is there overlap between regulations if you are affected by more than one? If so, use the most stringent as a baseline for policy creation
  4. Create a policy around the breach notification rule that affects your organization Document the requirements along with the process and procedures to meet those requirements in the worst-case scenario. Create model notification letters and emails to call upon
  5. Have a clear communication strategy that has been passed through legal and PR

A data breach will always be a stressful event. But if you are aware of your obligations in making a data breach notification you can mitigate this stress and hopefully avoid the heavy fines that come with non-compliance.

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

Sources

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.