According to the IBM Security and Ponemon Institute 2019 Cost of a Data Breach Study, data breaches increased by 130% between 2006 and 2019. A data breach is a security incident, whether a deliberate cyberattack or an accidental exposure, in which an unauthorized party gains access to sensitive, protected, or confidential data. All 50 US states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted security breach notification laws that require businesses and government bodies to notify consumers or citizens when their personal information is compromised.
The General Data Protection Regulation (GDPR), in force since May 25, 2018, established a mandatory breach notification requirement across the EU: controllers must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach (Article 33), and must notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34).
How e-InnoSec helps clients:
- Advise and assist in developing a framework for effective data breach notification that satisfies the legislation applicable to the client
- Advise on the timing of notification, taking into account the differing deadlines imposed by each applicable regulation
- Advise on the method and content of the notification
- Advise on the immediate steps to be taken after a data breach (containment, evidence preservation, and assessment of the data affected)
- Advise on notification to regulators and other authorities
- Assess existing breach notification processes
- Assess the breach management framework implemented by the client and perform a gap analysis
- Provide recommendations to close the identified gaps
- Test the process (for example, through a tabletop breach exercise) and identify gaps
- Assist in monitoring the program to ensure it remains sustainable and effective
Notification obligations vary widely from country to country and, within the United States, from state to state. For example, laws often differ in:
- The definition of personal data
- How a breach event is defined and must be managed
- The trigger for notification (for example, unauthorized access alone versus a risk-of-harm threshold)
- Who must be notified (affected individuals, regulators, law enforcement, credit reporting agencies, etc.)
- The timing, format, contents, and method of delivery of the notice
- The exceptions and exemptions to the notification obligation (for example, for encrypted data)
- The penalties and private rights of action for failure to provide timely notice
Some regulations, such as the GDPR, harmonize these elements across a whole jurisdiction (in the GDPR's case, EU-wide), but an organization operating in several jurisdictions must still map each of the points above against every law that applies to it.