Stern new data breach reporting requirement takes hold in EU

Data breaches are reported nearly every day, and one noticeable trend is the occasional delay between when a breach is discovered and when authorities and affected people are notified.
That just changed in the 28-member European Union (EU). As of Sunday, telecommunications and internet service providers in the EU have 24 hours from the moment of discovery to report a data breach to authorities.
There are no stringent rules like that in place in the United States, where notification requirements are promulgated through a hodgepodge of state laws. Many set no deadline at all; they merely order breached organizations to notify victims or authorities within a reasonable timeframe. A few states require that notification happen within 45 days.
Organizations criticized for taking weeks or even months to notify victims often defend the delay by saying they needed ample time to investigate the scope of the breach and determine who may have been affected.
Todd Hinnen, a partner with Seattle law firm Perkins Coie’s privacy and security practice, told SCMagazine.com on Monday that he supports a federal data breach notification law in the U.S., but added he is sympathetic to the idea of needing a bit of time for entities to investigate prior to reporting.
The problems with an expedited, 24-hour response, Hinnen said, are a lack of understanding of the threat, the creation of undue alarm and, ultimately, shoddy reporting. Instead, Hinnen suggests that authorities be notified as “soon as reasonably practical, but no later than 72 hours” and that affected customers should be alerted shortly after.