Reporting on Data Breaches
The recently discovered data breach at Yahoo has once again put security top of mind for enterprises, along with the methods and processes they have in place to handle such an incident when it arises.
The trouble is, a good percentage of enterprises don't abide by the rules they themselves put in place.
A survey from security vendor Balabit revealed that 75 percent of organizations set fixed time limits for investigating potential security incidents, yet 44 percent reported missing internal or external deadlines for investigating or reporting a breach in the last year, and 7 percent said a missed deadline had resulted in serious consequences.
The Balabit survey also shows that today 30 percent of organizations are not required to report security incidents to external authorities. Of the 70 percent that are required to report, only one quarter set time limits for doing so. Note the distinction: a time limit for investigating an incident is not the same as a time limit for reporting it, and it is the reporting deadline that regulators enforce. These survey results come as organizations are under increasing pressure to prepare for new or updated compliance regulations that require data breaches to be reported within 72 hours.
The EU General Data Protection Regulation, which applies from May 2018 (and, alongside it, the EU-U.S. Privacy Shield framework for transatlantic data transfers), requires notification of the supervisory authority within 72 hours of becoming aware of a breach and can lead to fines of up to 2 percent of an organization's global annual turnover (up to 4 percent for the most serious infringements). Likewise, a new regulation proposed by the New York Department of Financial Services, Part 500 of Title 23, also requires covered financial institutions to report cybersecurity events within 72 hours, with penalties for failing to do so.