Failing to notify known data breach could lead to bigger fine, says expert

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said businesses should adopt cyber incident response plans that include procedures for reporting data breaches internally. She said it is important that staff are made aware of the need to quickly highlight cyber incidents to managers when they occur.

Wynn said that legal obligations to notify data breaches to regulators and to make customers aware of such incidents only apply in some sectors such as banking and telecoms. However, she said all organisations could find themselves having to report data breaches under the EU General Data Protection Regulation (GDPR) when it comes into force in 2018.

"At the moment many data breach incidents do not come to light as organisations do not face a legal duty to report them," Wynn said. "However, some data protection authorities have previously said that it will count against businesses if they hear about data breaches second-hand, such as through the media or from customer complaints. In addition, businesses face significant reputational damage if the cases come into the public domain and they have not been open about such incidents with customers."

"Furthermore, data protection authorities are also likely to view dimly businesses that take a long time to report data breaches to them and customers, unless there is a very good reason for the delay," she said. "This is particularly true if it transpires that the delay was because employees, or worse still, senior executives, were aware of the data breach at the time of the incident. Regulators could take such factors into the level of fine they could choose to levy, which under the GDPR could be up to 2% of a business' annual global turnover or €10 million, whichever is greater, if the data breach notification rules are not adhered to."

Wynn said that it is to be hoped that data protection authorities will issue guidance to help businesses meet their obligations on data breach notification under the GDPR. The ICO has already published brief guidance on the topic. Wynn said she hopes future guidance makes it clear to businesses the various circumstances that will be considered to trigger the notification requirements.

A recent information rights tribunal ruling in the UK relating to a major data breach experienced by TalkTalk shows that the UK's Information Commissioner's Office (ICO) will expect businesses to notify data breaches in multiple steps, if necessary, to inform it of the nature of incidents, beginning from the point at which they become aware of those breaches, Wynn said. The tribunal said that a single customer complaint about a possible data breach can serve as the trigger for notification and that the duty to notify does not necessarily only kick in once internal investigations into those cases are complete.

"That case should prompt businesses to establish internal procedures, as part of broader cyber incident and data breach response plans, for notifying data breaches," Wynn said.

Wynn's comments come as internet giant Yahoo made public further details of the major data breach it reported earlier this year in a recent regulatory filing to the US Securities and Exchange Commission (SEC).

In September, Yahoo announced that it believed the personal data of at least 500 million Yahoo account holders was stolen in a "state-sponsored" cyber attack. It reported the incident, believed to be the largest recorded data breach in history, more than 18 months after the breach occurred.

In its recent SEC filing, Yahoo revealed that it is looking into whether some employees knew about the cyber attack at the time it took place.

Yahoo said: "The company had identified that a state-sponsored actor had access to the company’s network in late 2014. An independent committee of the board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the company in 2014 and thereafter regarding this access, the security incident, the extent to which certain users’ account information had been accessed, the company’s security measures, and related incidents and issues."

"In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information," it said.

Yahoo also said it "does not have cybersecurity liability insurance".

A committee of European data protection authorities recently wrote to Yahoo asking the company to disclose more details of its data breach to them and to cooperate with their inquiries into the incident.

US telecoms company Verizon agreed a $4.8 billion deal to acquire Yahoo earlier this year. In October Verizon asked Yahoo to disclose the full impact of the cyber attack on the business. Verizon is reportedly looking into whether the data breach incident justifies a possible reduction in price it has agreed to pay to acquire Yahoo, according to the Financial Times.