48 Hours. In Data Breaches, How Fast is Too Fast?
There has been a lot of discussion recently about data breach situations where the breached organization has delayed notifying the people who were affected for an unreasonably long period of time. If Congressional Representative Mary Bono Mack has her way, breach notification will occur in 48 hours. Period.
Ms. Mack argues, “Consumers should be promptly informed when their personal information has been jeopardized.” She has sponsored a piece of legislation, H.R. 2577, the SAFE Data Act, that would mandate data breach notification of individuals and regulatory authorities within 48 hours. It would seem hard to argue with such a logical, straightforward objective.
To me, setting an appropriately short timeframe for breach notification seems like a terrific idea. People who have been exposed by data breaches are understandably “irked” when the organization to which they’ve entrusted sensitive personal information takes weeks, or even months, to let them know that the data has been exposed and that they might be at risk of identity theft or fraud. Regulators and enforcement agencies have also started to penalize such negligent behavior.
So why are people lining up to argue that 48 hours really is too fast?
In a recently published article in Corporate Counsel, “How fast is fast enough to tell customers about data breaches?”, Eric Goldman, a professor at Santa Clara University Law School, also head of its High Tech Law Institute, is quoted as saying that “it doesn’t make sense for a company to communicate when it doesn’t know what happened or who was affected. It can take a forensic team weeks, or even months, to find answers.”
Dark Reading’s July 29, 2011 article titled “Shorter breach disclosure periods could hurt consumers” quotes Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, as asking, “How can you be thoughtful and how can you go through the process in a way that is systematic and highly accurate in 48 hours?” He argues persuasively that “you want to be able to say with a high degree of accuracy that you are really communicating with people who have been injured in some way or are now victims of data loss…it’s usually somewhere around the 30-day period [to accomplish this].”
So is 48 hours to notification of a data breach incident an appropriate level of haste, given the serious fallout that can follow a breach of an individual’s sensitive personal information, or is it too fast for an organization to ensure an accurate assessment of the situation? To answer this question, it is helpful to be specific as to what triggers the 48-hour clock to start ticking.
The SAFE Data Act proposes, in its current form, that the clock starts “following the discovery of a breach of security of any system maintained by such person [meaning the organization] that contains such data…not later than 48 hours after identifying affected individuals…unless the person makes reasonable determination that the breach of security presents no reasonable risk of identity theft, fraud or other unlawful conduct affecting such individuals.”
If one interprets this to mean that, upon receiving a report of a potential data breach incident, the organization can:
1. Mount a forensic (or other) investigation to determine the facts as to whether a breach (exposure of personal data) has occurred or not, and
2. Based on these facts, make a determination as to whether the affected individuals are placed at risk for identity theft or fraud by this incident, and then
3. Validate the identity of all individuals who were exposed by the data breach;
and only at that point does the 48-hour clock for notification start ticking, then 48 hours would seem to be a reasonable period in which to notify the affected individuals, given the potential seriousness of such an event.
Based on this view into the anatomy of a data breach analysis, I think that the time period for notification – and whether it is too fast, too slow, or just right – really depends on when you start the clock. The idea should be that the breached organization must “promptly” notify affected individuals once it has reasonable certainty that a breach has occurred and that those individuals were exposed. That would seem to be the intent of Representative Mack’s bill.
If my interpretation of the breach analysis process as noted above is accurate and is what is intended in this legislation, then 48 hours to notify may be “just right”. Consumers reasonably expect and want to be told promptly if something has occurred that can negatively affect them. My concern, however, is that organizations have demonstrated that they can drag their feet remorselessly while analyzing the breach data.
I think that the language of this bill, and the rulemaking that will follow, also needs to ensure that the forensic analysis process doesn’t go on for months, during which time a cybercrime gang half a world away is using the acquired data to perpetrate fraud with our personal information. The HITECH Act, which dictates notification timing for HIPAA breach incidents (those involving unauthorized exposure of protected health information, or PHI), solves this issue by prescribing an outer boundary for notification: 60 days.
Given the huge chasm between 48 hours and 60 days (1,440 hours, for those of you who are counting), it is worth authorities paying a bit more attention to specifying exactly what starts the clock ticking, and then looking at what timeframe is reasonable for consumers in light of that.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.