The challenges of navigating breach notification rules [Q&A]
New and updated privacy legislation is being launched around the world and a key component of these acts is breach notification requirements, which mean a business is required to notify individuals when their information falls into the hands of an attacker.
We spoke to Ralph Nickl, founder and CEO of Canopy Software, to find out what enterprises and consumers need to know about these laws and the challenges that compliance brings.
BN: How has the shift to remote work impacted organizations' security risks?
RN: The rapid and widespread shift to remote work has significantly expanded the attack surface of most organizations, and cybercriminals have taken full advantage of this. They've evolved their methods drastically, creating ways to exploit new entry points of organizations and steal sensitive information.
The bottom line? If 2020 has taught us anything, it is not if an organization will be breached, it's a question of when a breach will happen. Because of this, a shift in mentality is happening for security leaders to better understand how organizations can mitigate risk and preserve brand reputation. Not getting breached in the first place by establishing robust cyber defenses is always going to be the end goal, but cleaning up the aftermath of a breach is now just as important as preventing it.
This reality has been compounded by an enhanced focus on consumer privacy rights and the continued increase of data privacy laws. Data breach fatigue is real, but no one wants to shun corporate responsibility. Moving forward, legal teams must place greater priority on strategies and tools that allow them to meet post-breach requirements under both the law and consumer expectations in order to succeed in the new normal.
BN: What do companies need to know about breach notification laws?
RN: Every state in the United States has legislation in place that requires private and government entities to notify individuals of security breaches involving their information -- and these requirements extend to other countries under GDPR and other privacy acts. Identifying and understanding the laws your organization has to remain in compliance with is step number one. This requires understanding where the people reside for whom you maintain personal information -- just because you are based in a certain state does not mean you only have to comply with that state's laws. You're required to comply with the law of any state where your customers live.
The second step is making sure you're aware of the differences in each law and ensuring that your company remains in compliance with them based on your given situation. For example, each state's laws have specific and varying provisions regarding who must comply, how personal information is defined, what constitutes a data breach, requirements for notice, exemptions and more. It can be a lot to digest, but this is an important step to take to proactively prepare for incident response.
BN: What are some common obstacles organizations face when notifying users of a data breach?
RN: The main obstacle that most organizations face is the race against the clock -- the time it takes to get from Point A (detecting a breach) to Point B (identifying who was affected and notifying them).
This is a serious challenge considering each state's law requires impacted individuals to be notified within strict time periods. For example, some states require you to notify affected individuals within 30 days -- a tall task to tackle given the wealth of information and documents that must be sifted through during the post-breach process.
In line with the time obstacle is how expensive and resource intensive it is to review all of the information involved in a common data breach. There are copious amounts of documents, emails and databases compromised in a normal breach, making the review process tedious and difficult to carry out efficiently. In particular, it is cumbersome for teams to segregate documents that contain reportable protected data from business and personal documents created in the everyday course of business.
The largest obstacle is pulling together accurate finalized entity lists and actually notifying impacted individuals. This is a difficult process without the right technologies and processes in place. When sifting through such a large amount of data, it becomes difficult to detect protected data, extract it, and then link it back to the correct affected individual.
BN: How can organizations be more effective during the breach notification process?
RN: The data breach response process has become a necessity with how sophisticated threat actors have become, making it imperative for organizations to make breach notification an integral part of their incident response planning. Following a breach, there is a ton of data to sift through, but there are ways to make the process quick, painless and efficient. To achieve this, organizations have to operate with the mindset that they are going to be breached at some point, and have a plan in place to execute when a breach happens.
Forward-thinking organizations leverage automation to mine data and classify documents to not only speed up the post-breach process, but ensure better accuracy. By adding advanced machine learning into the process, organizations are able to take care of a lot of the leg work by using technology to mine the data for personally identifiable information, rather than relying on labor-intensive review processes that could take months.
By deploying automation at the forefront of the breach review and notification process, incident response teams are able to become more efficient, finish more projects in quicker time periods and ultimately ensure compliance with breach notification requirements.
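As an added illustration of the detect, extract and link workflow described in the answers above (this is not Canopy's product or code from the interview), the following Python sketch segregates constructed sample documents by whether they contain reportable identifiers, links each hit back to a constructed list of individuals, and computes a notification deadline from an assumed per-state window; the documents, individuals, regexes and day counts are all constructed for the example.

```python
import re
from datetime import date, timedelta

# Constructed sample documents standing in for a compromised file share.
DOCUMENTS = {
    "hr/benefits_2020.txt": "Jane Doe, SSN 123-45-6789, enrolled in plan B. Contact: jane.doe@example.com",
    "sales/q3_notes.txt": "Q3 pipeline review: 14 opportunities, forecast updated.",
    "support/ticket_8812.txt": "Customer Bob Roe (bob.roe@example.net) reported a login issue. SSN on file: 987-65-4321",
    "personal/lunch_menu.txt": "Tuesday: tacos. Wednesday: soup.",
}

# Constructed master record used to link extracted identifiers back to people and their state.
INDIVIDUALS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "email": "jane.doe@example.com", "state": "CO"},
    {"name": "Bob Roe", "ssn": "987-65-4321", "email": "bob.roe@example.net", "state": "FL"},
]

# Assumed notification windows in days; real statutes vary and must be confirmed by counsel.
NOTIFY_WINDOW_DAYS = {"CO": 30, "FL": 30, "DEFAULT": 60}

# Simple patterns for two common reportable identifiers; a production reviewer would use many more.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

def classify_documents(docs):
    """Keep only documents that contain reportable identifiers; return path -> set of identifiers."""
    reportable = {}
    for path, text in docs.items():
        found = set(SSN_RE.findall(text)) | set(EMAIL_RE.findall(text))
        if found:
            reportable[path] = found
    return reportable

def build_entity_list(reportable, individuals, detected_on):
    """Link identifiers to individuals and produce a deduplicated list with a notify-by date."""
    entities = {}
    for path, identifiers in reportable.items():
        for person in individuals:
            if identifiers & {person["ssn"], person["email"]}:
                window = NOTIFY_WINDOW_DAYS.get(person["state"], NOTIFY_WINDOW_DAYS["DEFAULT"])
                entry = entities.setdefault(person["name"], {
                    "state": person["state"], "sources": set(),
                    "notify_by": detected_on + timedelta(days=window)})
                entry["sources"].add(path)
    return entities

if __name__ == "__main__":
    hits = classify_documents(DOCUMENTS)
    for name, info in build_entity_list(hits, INDIVIDUALS, date(2020, 11, 1)).items():
        print(name, info["state"], info["notify_by"], sorted(info["sources"]))
```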
BN: What do you think will happen in the data privacy landscape over the next year?
RN: Over the next year, we will see more states adopt their own data privacy laws similar to CCPA as consumers shift to the mindset of owning their data and expecting organizations to respect their privacy.
With this, I expect to see a more prominent emphasis on breach notification requirements as lawmakers work to ensure that organizations of all kinds are safeguarding their data to the best of their abilities. While the security industry is doing some amazing things to help businesses protect their sensitive information, breaches are going to happen, and individuals impacted have a right to understand when their information has fallen into malicious hands.