In today's digital age, the responsibility of companies extends beyond merely preventing cyber threats. It also involves knowing how to respond effectively in the event of a security breach, which is more of an inevitability than a possibility. With an always-evolving landscape of cyber threats, businesses of all sizes and across all industries need to be prepared for potential security incidents. This preparation often takes the form of a robust incident response (IR) strategy, a critical element in the cybersecurity framework of any company.
An IR strategy doesn't just involve quick detection and remediation of security threats. A crucial yet often overlooked component of a successful IR strategy is breach reporting and communication. This aspect ensures that all relevant parties - from within the organization to external entities such as customers, partners, and even regulatory authorities - are promptly informed about the incident.
The importance of breach disclosure goes beyond good security hygiene. Breach disclosure is not only an ethical duty but a legal requirement, especially given recent regulations focusing on the practice. With data protection laws tightening across the globe, companies must factor in these regulations and compliance concerns into their IR strategy.
The responsibility of having a breach disclosure policy in place may be a surprise to some organizations. Our 2023 Cybersecurity Assessment report found that 42% of respondents were asked to keep a breach confidential. Not only is that poor practice for the purposes of an effective recovery, it may be legally compromising and non-compliant.
In this article, we’ll go over what effective breach disclosure looks like and why it’s becoming more of a necessity.
The importance of effective communication and timely notice about breaches cannot be overstated. They’re necessary for facilitating effective remediation and recovery while also being necessary for compliance and regulatory reasons. Here’s how these benefits break down.
Prompt breach reporting notifies all affected parties, both internal and external, and mobilizes them along with the key stakeholders involved in recovery and remediation efforts, depending on the nature and scope of the attack or compromise. For instance, if your organization is breached via a third party, you must be alerted at once to prepare and protect your business. Similarly, if a breach in your system could affect your clients, they should also be notified as soon as possible.
With more effective and faster remediation you can reduce the impact of a data breach as well as potential damage to your company's reputation and business relationships. It also helps maintain customer trust — by promptly informing your customers how they're affected and what measures you're taking to prevent more damage from occurring, you can build even greater customer trust and mitigate potential reputational harm.
On the regulatory front, many recent data protection laws have specific requirements regarding breach notification. For instance, the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States both mandate timely disclosure of breaches.
Moreover, new regulatory actions are continuously emerging, underlining the growing importance of breach reporting. Failure to comply with the respective privacy and data protection regulations can result in hefty fines and further reputational damage. Some notable recent regulations have reporting deadlines and requirements for breach disclosure. Here’s what some of them require:
The GDPR asks companies to report breaches within 72 hours "where feasible" with the only exception being if the breach does not "result in a risk to the rights and freedoms of natural persons." If an organization delays in reporting the breach, reasons for the delay need to be provided. The GDPR has heavy fines for non-compliance. Depending on violations, fines can reach:
This all depends on the regulator’s investigation, the amount of negligence, and the severity of the breach.
The CCPA requires companies to report breaches within 72 hours if unencrypted data is involved or if an unauthorized user has access to encryption keys of encrypted data. It also requires companies to notify the California AG if more than 500 California residents are affected.
The "NYS Information Security Breach and Notification Act" says a disclosure must be made “in the most expedient time possible and without unreasonable delay...." but doesn’t specify a specific timeframe. It also allows companies to delay a disclosure if law enforcement believes the disclosure can impede a criminal investigation. As is the case with the CCPA, if the breach affects more than 500 New York Residents, the affected companies must tell the NY AG within 10 days. Companies who don’t comply with the act can face up to $5,000 per violation.
In 2022, the SEC introduced cybersecurity-related requirements for the protection of investors and now requires companies to inform investors and shareholders of "material incidents" within four business days of discovery. More recently, in March 2023, the SEC proposed updates to its cybersecurity rules, imposing stringent disclosure requirements for covered entities and requiring affected institutions to adopt "written policies and procedures" for incident response that include informing affected individuals within 30 days.
European NIS-2 Directive ("Network and Information Security, Version 2")
The EU directive NIS-2 entered into force on January 6, 2023 and introduced stringent supervisory measures and streamlined reporting obligations. Affected companies must now provide an initial notification to their reporting authority within 24 hours of becoming aware of an incident, and within 72 hours they must provide an initial breach assessment. Within one month of the attack, companies are expected to provide a final report detailing the attack's scope as well as any mitigation efforts undertaken.
NIS-2 fines can be as high as €10 million ($11 million) or 2% of the company's annual revenue, whichever is higher.
State-by-state reporting requirements
All 50 US states have laws relating to reporting requirements for data breaches. Puerto Rico, Guam, the District of Columbia, and the Virgin Islands also have reporting and notification requirements in place. It would be impossible to cover all of these here, but the NCSL (National Conference of State Legislatures) maintains a list of the latest bills and acts on its website.
In this era of heightened cyber risk, organizations need to proactively enhance their breach reporting capabilities. Here are a few best practices:
Companies need to develop a comprehensive policy for breach reporting and ensure it is enforced across all departments. This includes defining the processes to be followed based on the type and severity of a breach, and it must include a disclosure process.
Key stakeholders are the people who will be relied upon in the event of a security incident. They should come from different departments and be chosen according to what remediation and response will look like. This can include IT, Legal, PR and Comms, as well as stakeholders from the affected departments.
Partnering with external vendors can significantly enhance an organization's breach response capabilities. This could include incident response and remediation specialists, as well as service providers who can help improve overall monitoring and detection capabilities. These third parties can also help you maintain an audit trail, which can be invaluable in the event of investigations. By demonstrating that proactive actions were taken to prevent, manage, and remediate breaches, you can potentially mitigate legal repercussions.
Data breaches are quickly becoming the new normal. Over 50% of global respondents in our cybersecurity assessment said they suffered a data breach or leak within 12 months and over 70% of US-based respondents said the same. Businesses are under immense pressure to improve their security resiliency with fewer resources. Integrating efficient breach reporting into the cybersecurity framework is not just a best practice but a necessity. By accepting this reality, organizations will be driven to prioritize and invest in enhancing their breach reporting capabilities, ultimately helping them navigate the complex cyber risk landscape more effectively.
Josue Ledesma is a writer, filmmaker, and content marketer living in New York City. He covers cyber security, tech and finance, consumer privacy, and B2B digital marketing.