One feature of GDPR is the obligation to contact all people affected by a data breach (in certain circumstances).
While this is new for most EU countries, the USA has enforced comparable legislation for some time – nearly all the states have laws requiring that data breach victims be informed. There are crossover federal laws too, depending on which sectors you operate in (HIPAA and the Gramm–Leach–Bliley Act are two examples, for healthcare and finance respectively).
I recently took part in a panel discussion at the Nashville Chapter of The International Association of Privacy Professionals, where I was drafted in to talk about GDPR (General Data Protection Regulation).
As GDPR is not yet tested in the EU Courts, we can look for precedents from across the pond.
Some states insist on informing customers directly
California, for example, imposes large fines and insists that data breach victims are contacted quickly and personally. This can incur massive costs:
- A letter to a customer costs, say, 50 cents for the letter and 50 cents for the stamp. So that’s $1 for every customer involved in the breach.
- An emergency call centre to handle calls from worried individuals can run into hundreds of thousands of dollars (especially if you need services to be multilingual).
- Credit monitoring and related identity services on an ongoing basis are not a strict requirement in all states, but many companies do use them, in the hope it will curry favour with the regulators handing out fines. Costs for such services can be estimated at around $10-15 per person per year.
The costs of informing your customers directly can be enormous.
But it is perceived as the most respectful thing a company can do for its customers, and generally looked on as a mitigating action by regulators and Attorneys General.
Circumstances that allow informing customers indirectly
Other states and circumstances allow breached companies to contact customers indirectly: where a company doesn’t hold its customers’ addresses, for example. If it only has card details from over-the-counter retail transactions, it is generally permitted to tell customers via a public announcement, by advertising or public relations efforts.
Under GDPR, in some cases public announcements may be acceptable. But as ever, when it comes to data breaches, you can expect the press to be brutal.
Then there are the lawsuits
In June 2017, Anthem Inc., the second largest healthcare insurer in the US, settled a class action lawsuit for $155 million, setting a world record for a data breach settlement. The sum includes $38 million in lawyers' fees.
The Anthem settlement makes Sony’s $15 million settlement look like chicken feed – and they got to pay their compensation in PlayStation games too.
Yahoo is still facing 23 class action lawsuits more than two years after its initial breach and, according to Business Insider, this caused problems amid its takeover by Verizon.
What are American companies doing to protect themselves?
5 main steps that companies are taking towards mitigating risk
Even though Anthem Inc. was under no legal obligation to encrypt its data, the lack of encryption still formed a substantial part of the class action suit against it.
Social security numbers and birth dates were not encrypted: two pieces of highly valuable information to identity thieves. Given that this breach came after several other high profile cases, the lack of encryption was treated brutally in the media.
Unsurprisingly, lots of companies are now being proactive in this area.
Storing all your customer data on one server is practically putting your hand out and asking for a big fine.
It’s important to separate data so that a breach only loses a portion of customer records, not everything you have. Equally important is making sure that data access is restricted to staff who have a direct need for it.
Protect yourself from the ‘inside job’ and make life harder for hackers at the same time.
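As an added illustration of the two points above (not code from the original article): field-level AES-256-GCM encryption of exactly the fields Anthem left in the clear, SSN and date of birth, with a separate key per data partition so that a dump of one store, or one leaked key, exposes only that partition’s records. The partition layout and the raw 32-byte keys are assumptions standing in for keys fetched from a KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// aead builds AES-256-GCM for one partition's 32-byte key. Assumed layout:
// one key per data partition, fetched from a KMS in production.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one high-value field (SSN, date of birth) of a record.
// Record ID and field name are bound as associated data, so a sealed SSN
// cannot be transplanted into another record or field. Output: nonce || ct.
func sealField(key []byte, recordID, field, plaintext string) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, []byte(plaintext), []byte(recordID+"/"+field)), nil
}

// openField reverses sealField. It fails on the wrong partition key, on any
// tampering, and when a ciphertext is moved to a different record or field.
func openField(key []byte, recordID, field string, sealed []byte) (string, error) {
	g, err := aead(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < g.NonceSize() {
		return "", errors.New("sealed value too short")
	}
	pt, err := g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], []byte(recordID+"/"+field))
	return string(pt), err
}
```

A record store holding only sealed values, with lookup fields in the clear, is what turns a stolen table into ciphertext rather than a list of identities; the per-partition key is what limits a single compromise to a portion of the records.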
Phishing scam training is the flavour of the month – and not before time.
Many American companies are investing in educating their staff to tell a questionable email from a genuine one. This is one of the cheaper routes to mitigating risk, so long as you can make the best practice stick long term.
Companies are also working hard to recognise their own weaknesses and identify specific staff for awareness training, such as likely social engineering targets. Worthwhile activities include sending ‘friendly’ phishing emails internally and updating procedures according to the results.
Incident response planning
Your immediate response to an incident reduces the potential for damage, both financial and reputational. Plan for the worst in great detail and make sure everyone knows what their role is.
Making the most of your resources in a highly stressful situation will only happen with meticulous preparation and dry runs.
Don’t forget the importance of outside expertise here. For example, only the most skilled of PR operators should handle the media in a crisis situation – and in some cases, only specialist forensic consultants are able to locate and secure the breach.
If you would like help pre-planning your incident response, please get in touch.
Cyber insurance policies are much more commonplace in the USA than in Europe.
Some of the aforementioned laws have been around a long time, which means the USA is a much more mature market – GDPR will most likely see organisations based in Europe increase their appetite for cyber policies.
One of the most attractive aspects of a cyber insurance policy is fast access to experts such as media handlers, IT forensics and legal support.
Your insurer will have trusted vendors on agreed rates – you certainly don’t want to be cold calling these guys in the middle of the night when you’re desperate.
Reputational damage can be much worse than financial damage in the long term. American companies are well aware of the impact, and European companies are catching on quickly.
It’s not just huge corporates that are affected either – while big companies with deep pockets prove an attractive target for hackers and ransomware attacks, smaller companies with less sophisticated IT processes are considered easier to extort.
GDPR allows for local interpretation for specific processing activities. The full implication of GDPR may not be realised until it is tested in the EU courts – we just don’t know.