How and When to Inform Website Users of a Data Breach
Data breaches don’t wait for a convenient time to strike, and they can take months to uncover. They are complicated beasts, but once you’ve uncovered one a set of rules kicks in that determines when, and to whom, you need to report it.
Reporting a breach can be a daunting prospect. In most cases you’ll need to notify a regulator, inform the people affected, and often make a public statement, and each of those steps carries legal requirements.
Article 33 of the GDPR requires the data controller to notify the “supervisory authority” of a personal data breach within 72 hours of becoming aware of it, where feasible; Article 34 requires you to inform the affected individuals without undue delay when the breach is likely to result in a high risk to them. GDPR is a good guideline for most online businesses because we operate worldwide. The FTC has no equivalent general rule, but US states have adopted their own breach notification laws aimed at informing and protecting consumers.
It’s not always clear when you need to inform consumers a breach has occurred, what a breach means, and how you plan to fix the problem.
This article is aimed at helping you create that plan should the need arise.
What is a Data Breach?
US guidance and the GDPR are mostly in agreement about what constitutes a data breach, in that both treat consumers’ personal data as the thing at risk. The GDPR goes a step further and defines a personal data breach precisely (Article 4(12)):
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
In short, a breach is not only theft: any security incident that destroys, loses, alters, exposes or gives someone unauthorised access to personally identifiable information counts.
When is a Data Breach a Breach?
If we take this definition at face value, a breach is not always easy to determine. What if the incident involves a lost laptop whose PII was encrypted? Should you disclose a breach if you were able to remotely wipe the data and contain the threat? Under the GDPR, strong encryption can remove the duty to tell the affected individuals (Article 34), but the loss is still a breach you must assess and document, and the supervisory authority may still need to hear about it.
To be clear, it’s always best to consult a legal professional when dealing with a data breach, even if only to ask whether you must disclose. But keep in mind that a breach is not limited to stolen information; loss, accidental exposure and unauthorised access all qualify.
Yes, that can include CCing a list of customers when you meant to BCC them: that is an unauthorised disclosure.
You need to disclose a breach when personal data was lost, stolen or exposed. How that is defined depends heavily on the circumstances, and there will be times when deciding whether an incident qualifies requires a call to a legal professional.
Defining a Plan to Disclose a Data Breach
A lot has to happen in a very short period of time after a breach is discovered. It’s crucial that everyone is on the same page, and that those with access to data that can assist with an investigation cooperate.
The first step is to conduct that investigation. Forensics may be involved at this stage, and one of their top priorities is preserving evidence. They want to know what was lost, the state of the company’s infrastructure at the time of the loss, and an accurate count of affected records.
They may take specific steps with hardware, such as capturing RAM to determine which programs were running at the time of the breach. They analyse these captures and the disk data, hashing the files (or portions of files) that were used or stolen in the breach so that the evidence can later be shown to be unaltered.
You will need to inform the relevant regulators within the 72-hour window that GDPR defines. In the US, some states allow more time or use “as soon as possible” language to give businesses some leeway in reporting. The EU’s published GDPR checklists will help you determine whether your site is compliant.
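The evidence-preservation step above is usually done by hashing every file in the collected evidence so that anyone can later prove nothing was altered. The following is an added example, not code from the original post or from any forensic tool it mentions: it builds a SHA-256 manifest of an evidence tree, hashes the manifest itself for the case notes, and re-verifies the tree after a simulated tampering. The file names and contents are constructed sample data.

```python
"""Build and verify a SHA-256 evidence manifest (added example, not from the post)."""
import hashlib
import json
import tempfile
from pathlib import Path

# sha256 of an empty file; used below to show what the tampered log hashes to
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large disk images never have to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record size and SHA-256 for every regular file under root.

    Paths are stored relative to root so the manifest still verifies after
    the evidence tree is copied to another drive or location.
    """
    entries = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        entries[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return entries


def manifest_digest(manifest: dict) -> str:
    """Hash of the manifest itself, to write into the case notes."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with a manifest taken earlier.

    Returns the files that changed, went missing, or appeared since the
    manifest was written. All three lists empty means the evidence is intact.
    """
    current = build_manifest(root)
    return {
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Create constructed sample evidence, snapshot it, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        # Constructed sample files; not real data from any incident.
        (root / "logs" / "access.log").write_text("10.0.0.5 GET /export.csv 200\n")
        (root / "users.csv").write_text("id,email\n1,alice@example.com\n")

        manifest = build_manifest(root)
        intact = verify_manifest(root, manifest)

        # Simulated tampering: someone truncates the access log after collection.
        (root / "logs" / "access.log").write_text("")
        tampered = verify_manifest(root, manifest)
        after = build_manifest(root)

        return {
            "manifest": manifest,
            "manifest_sha256": manifest_digest(manifest),
            "intact": intact,
            "tampered": tampered,
            "after": after,
        }


if __name__ == "__main__":
    result = demo()
    print("manifest hash:", result["manifest_sha256"])
    print("before tampering:", result["intact"])
    print("after tampering:", result["tampered"])
```

Record the manifest hash somewhere the investigation team does not control (a ticket, an email to counsel) at the time of collection; the manifest then ties every file to that moment.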
Be specific about the data that was stolen, and prepare a plan that doesn’t just assure people you’ve fixed the issue. Create a path toward a more secure infrastructure and learn from the outcome of the investigation.
What does a Data Breach Notification Contain?
Once again, it’s best to rely on GDPR rules here, since Article 33(3) spells out most clearly what officials expect to see. At a minimum, a notification must describe:
The Nature of the Breach
In short, this section details what was compromised: the categories of data involved and the approximate numbers of people and records affected. This is the “numbers” section, and it is where most of the bad press is generated. It’s best to just be open about what was compromised; the next sections will help you save some face.
The notification must also give the name and contact details of your Data Protection Officer (or another contact point for the regulator), so assign one before you need one.
It must also describe the likely consequences of the breach for the consumer. What was taken, and what should consumers expect to do now that this breach is out in the open?
Determine a Plan
How do you intend to stop losing records, prevent future breaches and mitigate the losses? How you harden your infrastructure is up to you, but some basics are:
- Audit your data: keep only what you need and stop collecting any info you don’t
- Updates: patch your security software, operating systems, and other components promptly
- Educate your employees: how to send data, use secure connections, and more
- Destroy old data: don’t just recycle hardware. Securely erase or destroy the data, then dispose of the old components
DNS failure can signal a data breach.
You should also monitor the key signals that can indicate a breach in progress. Transaction checks exercise the forms and checkout flows that attackers tamper with, and DNS answers that change unexpectedly, or TLS certificates that fail or are suddenly issued by a different authority, can mean visitors are being redirected or intercepted. A sound monitoring system that catches these early signs of intrusion will help your team stay proactive in breach situations.
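Here is the kind of drift detection that turns those DNS and TLS signals into alerts. It is an added example written for this post, not Uptime.com’s own monitoring code: a per-host baseline (expected A records, certificate fingerprint, issuer) is compared against a series of constructed check results for a hypothetical host, `shop.example.com`, and each departure is classified. Hostnames, addresses and fingerprints are made up.

```python
"""Flag DNS and TLS drift in monitoring results (added example, not the post's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Known-good state for one hostname, recorded when monitoring is set up."""
    a_records: frozenset   # every address the host may legitimately resolve to
    cert_sha256: str       # fingerprint of the certificate currently served
    issuer: str            # CA that issued it


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    kind: str
    detail: str


# Hypothetical host; all values below are constructed sample data.
BASELINES = {
    "shop.example.com": Baseline(
        a_records=frozenset({"203.0.113.10", "203.0.113.11"}),
        cert_sha256="3f2a",
        issuer="Example CA",
    ),
}

SAMPLE_CHECKS = [
    {"ts": "2024-05-01T00:00Z", "host": "shop.example.com", "a": ["203.0.113.10", "203.0.113.11"],
     "tls_ok": True, "cert_sha256": "3f2a", "cert_issuer": "Example CA"},
    # A subset of the known addresses is normal for a load-balanced host.
    {"ts": "2024-05-01T01:00Z", "host": "shop.example.com", "a": ["203.0.113.11"],
     "tls_ok": True, "cert_sha256": "3f2a", "cert_issuer": "Example CA"},
    # Resolution now points somewhere we never configured: possible DNS hijack.
    {"ts": "2024-05-01T02:00Z", "host": "shop.example.com", "a": ["198.51.100.7"],
     "tls_ok": True, "cert_sha256": "3f2a", "cert_issuer": "Example CA"},
    # Same addresses, but a certificate from an unfamiliar CA: possible interception.
    {"ts": "2024-05-01T03:00Z", "host": "shop.example.com", "a": ["203.0.113.10"],
     "tls_ok": True, "cert_sha256": "9b1c", "cert_issuer": "Unknown CA"},
    # Handshake failed outright.
    {"ts": "2024-05-01T04:00Z", "host": "shop.example.com", "a": ["203.0.113.10"],
     "tls_ok": False, "tls_error": "certificate verify failed: certificate has expired"},
    # New fingerprint from the usual CA: ordinary renewal, worth a note but not a page-out.
    {"ts": "2024-05-01T05:00Z", "host": "shop.example.com", "a": ["203.0.113.10"],
     "tls_ok": True, "cert_sha256": "77d0", "cert_issuer": "Example CA"},
]


def check_record(base: Baseline, rec: dict) -> list:
    """Compare one check result against the baseline and return any alerts."""
    alerts = []
    ts, host = rec["ts"], rec["host"]
    observed = frozenset(rec["a"])
    if not observed:
        alerts.append(Alert(ts, host, "dns_no_answer", "no A records returned"))
    elif not observed <= base.a_records:
        extra = sorted(observed - base.a_records)
        alerts.append(Alert(ts, host, "dns_drift", f"unexpected A records {extra}"))
    if not rec["tls_ok"]:
        alerts.append(Alert(ts, host, "tls_error", rec.get("tls_error", "handshake failed")))
    elif rec["cert_sha256"] != base.cert_sha256:
        # A new fingerprint from the same issuer is usually renewal; a different
        # issuer means someone else obtained a certificate for your name.
        kind = "cert_rotated" if rec["cert_issuer"] == base.issuer else "cert_issuer_changed"
        alerts.append(Alert(ts, host, kind,
                            f"fingerprint {rec['cert_sha256']} from {rec['cert_issuer']}"))
    return alerts


def run_checks(baselines: dict, records: list) -> list:
    """Run every record against its host's baseline; unknown hosts are alerts too."""
    alerts = []
    for rec in records:
        base = baselines.get(rec["host"])
        if base is None:
            alerts.append(Alert(rec["ts"], rec["host"], "unknown_host", "no baseline configured"))
            continue
        alerts.extend(check_record(base, rec))
    return alerts


if __name__ == "__main__":
    for alert in run_checks(BASELINES, SAMPLE_CHECKS):
        print(f"{alert.ts} {alert.host} {alert.kind}: {alert.detail}")
```

The baseline is an allowlist rather than a single expected value so that a load-balanced host does not page you every time a different address is returned; when you renew a certificate, update the baseline fingerprint as part of the same change so the `cert_rotated` note is expected rather than a surprise.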
Reporting a Breach?
Ideally, you report a breach whenever one occurs. Under GDPR, a breach is about individuals and their personal data, and it must be reported to the supervisory authority unless it is unlikely to result in a risk to those individuals. If customer data was lost, it’s almost certainly something you need to report.
GDPR says that report must be submitted within 72 hours of becoming aware of the breach; if you miss that window, the notification must explain the reasons for the delay.
When and How to Report
Here is where a split occurs. Up to now, we’ve primarily discussed the GDPR and its regulations. The FTC has no equivalent federal rule, so in the US the obligations come from state law, and the wording varies from state to state. For instance, the District of Columbia’s statute states:
The notification shall be made in the most expedient time possible and without unreasonable delay…
Other states use similar language that amounts to reporting the breach as soon as you’re able. American requirements are a bit more business friendly, you could say.
That said, it’s best to follow GDPR guidelines if you do business in countries where it applies. Fortunately, most supervisory authorities publish a breach notification form you can download and fill out in the event of a breach, and in most cases post or fax is also an accepted way of giving notice.
As the US has no federal guidelines, it’s best to check with a legal professional to see what state obligations may apply to your business.
Your Data Breach Plan
The clock starts ticking the moment a breach is discovered, and every minute counts. The most crucial steps when a breach occurs are to investigate and to detail a plan of action. The investigation usually establishes how many records were lost and what actually happened.
Breaches aren’t about convenience. They can be a horrible reality check, but securing your infrastructure is a necessity in the digital age. If you find yourself in a position where data was lost, take the moment seriously and improve.