As you know, the world we live in today is filled with data. Whether it is
structured or unstructured, quantitative or qualitative, it has become the
lifeblood of just about every business here in Corporate America.
As a result, we have become stewards charged with protecting as much of it as
possible, and what is most at stake are the Personally Identifiable
Information (PII) datasets that we hold for our customers and employees.
Because of this trend, a great deal of legislation and many mandates have
been introduced to ensure that all sorts of data and information are
protected with the right kinds of controls.
Probably the best examples of this are the GDPR and the CCPA. But not every
business is bound by them; a lot depends upon the size of its revenue and
where its customers are located.
Now another question seems to be arising: whether to report a security breach
that involves mission-critical data. The normal instinct would be yes, it
needs to be reported, but according to a recent survey (in which 400 IT
Security professionals were polled), the opposite has been found, which is
quite alarming in my view. Here are some of the highlights of it:
* 42% of the total pool of respondents claim that they have been instructed by their CISO (or another higher-up) not to report a security breach.
* While notification of a data loss breach is expected, only 37% of the respondents viewed this as an important task that has to be addressed.
The survey is entitled the “2023 Cybersecurity Assessment Report”, and was
conducted by a Cyber firm known as Bitdefender. The actual report can be
downloaded at this link:
http://cyberresources.solutions/LI_Blogs/BITFENDER_REPORT.pdf
Now, there are many reasons why an IT Security team may not want to disclose
a security breach; for instance, there is the fear of job loss, or of a
tarnished company reputation as a result. But in this survey, many of the
respondents felt that it was not their responsibility to disclose a breach.
Rather, they felt that it should be up to the CISO to take full
responsibility for this (which I agree with).
But another factor keeping breach reporting quiet is the sheer amount of
confusion that comes with these data privacy laws. For example, the GDPR
heavily governs those businesses that are based in the European Union. But
this can also have an impact on those US-based businesses that have customers
in the US.
So which laws are to be followed? That is a question that is still to be
answered.
The same is true of the CCPA. While it is mostly designed to protect
consumers in California, any business that has customers there is also
governed by this law. Compounding this problem even more is that now each
state is coming up with its own version of a data privacy law.
So if a business has offices and customers in multiple states, which law is
it supposed to abide by?
If it is the law of every state that it operates in, this can cause some
horrendous confusion, as you can see.
But it is not only in the United States where this problem of not reporting
exists. Even the countries in the EU have similar issues, according to the
survey:
* 37% of the respondents in the United Kingdom were told to keep quiet about any security breaches;
* 35% of the respondents in Germany, Spain, and France were also told to keep quiet about any incidents which have occurred.
My Thoughts On This:
In the end, everyone should feel compelled to report a security incident to
their higher-ups if a data breach has occurred. Likewise, the CISO should
feel the same about reporting it to their Board of Directors and ultimately
letting law enforcement, the regulators, and even the public know about it.
But as this blog has reviewed, this is not the case.
IMHO, if this trend keeps up, the data privacy laws are only going to get
stricter and harsher, if they are not already so. For example, under the
GDPR, if a business has been audited and found guilty of not having the
right controls in place, it can be levied a fine that equals 4% of its gross
revenue.
Also, it can be even harder for a company to get Cyber Insurance if it does
not follow the proper protocols for reporting a security breach.
In the end, whether you like it or not, it is always in your best interest to
report it if your business has become a victim of a security breach. If not,
the financial and brand damage will be far more severe than you think it
will be.