How Long Should Organizations Take to Notify After a Breach?
Whenever an organization announces that a data breach has occurred, one of the first questions is: when did this take place? If the answer is more than a month or so, the follow-up questions come fast and furious: Why didn’t you detect the breach sooner? Why did it take so long to notify? Why didn’t you tell us (consumers, employees, patients, etc.) the minute you knew? How can we trust you again? What else do you know that we don’t know?
This is a more complicated issue than it first appears, because while organizations need to notify regulatory bodies and affected individuals as quickly as possible, they also need to be careful not to notify too soon—before they have the facts and are ready to deliver a clear, consistent message.
What is the sweet spot? How long should organizations take before notifying outside parties that a data breach has occurred? The answer requires a deeper understanding of the full breach response process, from detection through public notification.
Data Breach Report: How Organizations Manage Data Breach Exposures
Detect the Breach
The first step toward a timely notification is of course being prepared for a breach, but also detecting one as soon as it occurs—and that’s a challenge for many organizations. A recent Advisen report, Mitigating the Inevitable: How Organizations Manage Data Breach Exposures, found that only 45 percent of organizations believe they have adequate resources to detect data breaches.
In addition, the report found that the vast majority of breaches are small (under 500 records) and frequently go undetected for a long period of time. Depending on the length of this delay, organizations could be in a difficult position right from the start, as they will eventually have to tell the public that they failed to detect a breach for many weeks, months, or even years.
Understand the Breach
Once a breach is detected, organizations need to gather all the facts about what happened, how it happened, who was impacted, how many people were affected, what information was exposed, and when the breach truly occurred.
Organizations that rush through these questions and digital forensics can pay a hefty price. While it is important to provide timely notification, issuing flawed information that must be corrected later exacerbates trust issues with consumers, employees, shareholders, and the media. If law enforcement becomes involved with this process, the investigative process will understandably take longer—a fact that organizations will need to explain when they announce the breach to the public.
Some organizations choose to use their internal IT team to conduct their investigations, but many choose to hire an outside vendor that specializes in digital forensics and can provide added reassurance to the organization, regulatory bodies, and the affected population. In fact, the Advisen report found that organizations believe forensics are the single most important data breach response service provided by outside vendors.
Assess the Type of Breach
Not all incidents are created equal. Once digital forensics have been used to gather information about the incident, organizations need to assess the findings and determine whether notification to state and federal authorities is required.
Various state and federal guidelines must be followed for breach notification. Depending on the applicable rule, organizations may have 15, 30, 45, or 60 days to report the breach, and that deadline provides the first and most basic guideline for how long an organization should take to notify outside parties.
Gather Additional Information
At this point in the response process, organizations should be planning to go public with news of the data breach. However, as we’ve discussed before, organizations need to tailor their breach response to the needs of the affected individuals. To do so, it is essential to quickly and efficiently gather additional demographic information.
For instance, did the breach affect customers or employees or both? Were any of the affected individuals children or elderly, or have some of them likely passed away, meaning family members will need to be notified? Likewise, a breach that involves credit card numbers cannot be treated the same as a breach that involves stolen personal medical records.
Issue a Public Response
According to the Advisen report, 75 percent of organizations have developed an Incident Response Plan. In theory, that means three out of four organizations should be ready to perform all the steps we’ve discussed, as well as the final step of notifying the public.
Unfortunately, the Advisen report also found that 58 percent of organizations have never tested their Incident Response Plan, which suggests that they may not be fully prepared for the unexpected twists and turns of a typical breach response.
Many of the complexities in the response process are related to this final step. Who will be the spokesperson? Do others within the organization understand they cannot issue separate messages? How will social media be monitored and used in the days, weeks, and months following the announcement? How quickly can a call center and website be set up and managed? Who will craft and mail the notification letters, and will those letters be customized based on the demographics of the affected individuals?
Many organizations hire full-service vendors to manage their entire breach response effort, from forensics through the public response. Especially when vendors are hired early—long before a breach occurs—they can help organizations prepare and test their breach response process so that it can be completed quickly and will minimize reputational, regulatory, and litigation risks.
How Long Should Your Response Take?
How long should your breach response take? The answer depends on the type and severity of the breach, among other factors, but regulatory bodies should obviously be notified within the time frame they have established, which may be as short as 72 hours.
As for notifying the public and affected individuals, again the timetable depends on many factors. What’s clear is that organizations with a thorough, fully tested Incident Response Plan will be able to move through the process far more quickly and efficiently—and with fewer mistakes—than organizations that are taken by surprise, with no plan in place.
Ask yourself right now: Do you have an Incident Response Plan in place? Is it up to date? Has it been tested within the past year? If not, your next data breach response could require that you answer some uncomfortable questions, including: What took you so long?
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.