In an October 2016 data breach, the email addresses, phone numbers, and names of 57 million customers and the personal information of approximately 7 million drivers were stolen from Uber. Although the company immediately worked to secure the data and prevent further unauthorized access, the data breach went unreported to authorities and victims for more than a year, with the company finally coming forward toward the end of 2017. Uber has openly stated that it mishandled the situation, but the attack and response raise the question: How long do companies have to notify regulating bodies and those affected when a data breach occurs?
You’ve Been Breached, Now What?
If a data breach occurs, it is essential to quickly work to contain and recover from the attack to minimize losses. Your company needs to be able to swiftly enact its incident response plan, which should include conducting network forensics to determine the breadth and scope of the attack, taking steps to further protect your infrastructure, working with authorities, and notifying those affected of the breach. How long you have to undertake the latter differs depending on your industry, geographic location, and the originating location of the compromised sensitive data.
- The new General Data Protection Regulation (GDPR) holds companies to a strict 72-hour window to inform the applicable supervisory authority but doesn’t specify when victims must be informed.
- The U.S. Health Insurance Portability and Accountability Act (HIPAA) sets a 60-day window to notify federal authorities and affected individuals for a breach that impacts 500 or more people.
- The U.S. Gramm-Leach-Bliley Act (GLBA) simply states that a company must inform those affected "as soon as possible".
These examples offer only a small sampling of the regulatory stipulations for notification. State laws, such as those in California and New Mexico; regulatory bodies, such as the Securities and Exchange Commission (SEC); and international requirements might be applicable. It is your company’s responsibility to be aware of the compliance requirements for your industry, location, and data handling.
The Optimal Notification Window
With so many different regulations, it can be difficult to know the right time to inform those affected by a breach. Obviously, notifying authorities quickly not only helps in containing an attack and perhaps finding the attackers but also provides evidence of the corporation acting responsibly. When notifying those affected, the bottom line is that businesses must strike a balance between alerting victims too soon and too late. It’s a delicate matter of collecting reliable and concrete information about a breach, working within regulatory requirements, and informing users in a timely manner.