By Editor | October 17th, 2018

Legislative Disclosure

With data breaches occurring on a regular basis, companies and legislative bodies are struggling to find an appropriate balance between the need to notify those whose information may have been compromised and the need to determine the exact extent and nature of a breach. Recently, Facebook found itself forced to decide between immediately disclosing its recent breach and facing an even larger fine under GDPR for not disclosing the data breach within 72 hours, according to an article on Wired. This decision came despite many network security experts noting that it is difficult to complete a full investigation within that time window, potentially resulting in the overstatement of the impact and scope of a cybersecurity incident.

Mark Thibodeaux, an attorney for Eversheds Sutherland specializing in data privacy, told Wired of the rapid disclosure, “I think a lot of this legislation was designed in terms of databases where you’ve got tables that have customer names and addresses and credit card numbers and things like that stored in one monolithic kind of system. But what happens in most of these breaches is the bad guys get into email and other non-structured data, and so figuring out what they got is an exercise in looking through everything.”

By comparison, the US offers a mix of disclosure laws at the state level and guidance from various agencies at the federal level, creating challenges for companies as they ensure compliance with local laws for users distributed across the nation. “In Europe you’re going to see a lot more notices based on incidents that would not require notice in the US, because of GDPR. Whether that’s a positive or negative thing for people we have to wait and see,” says Thibodeaux in Wired. “And I think the regulatory agencies are a little overwhelmed with the number of investigations that have already come to them in the early days.”

Source:

https://www.wired.com/story/cybersecurity-disclosure-gdpr-facebook-google/

 

 
