Breach Disclosure
What Is Breach Disclosure?
Breach disclosure is the process of informing individuals, organizations, and/or government entities about a security breach or incident that has compromised their sensitive information.
This sensitive information could include personal data, financial records, intellectual property, or any other confidential data.
When a security incident that exposes personal or sensitive data happens, those affected need to be notified as quickly as possible so they can take appropriate actions to protect themselves from potential harm.
Breach disclosure usually involves informing affected individuals and/or organizations about how the breach occurred, what information was compromised, what steps are being taken to mitigate damage, and what actions affected parties should take to protect themselves, such as changing passwords or monitoring financial accounts for suspicious activity.
All US states have laws requiring organizations to disclose breaches involving personal or sensitive information. These laws often have specific requirements regarding the timing and method of disclosure and penalties for failing to comply.
Breach disclosure is essential in helping maintain transparency and trust between organizations and stakeholders.
Third-party definition
Breach disclosure, or breach notification is the act of notifying regulators as well as victims of data breaches that an incident has occurred. Under Article 34 of the GDPR, an organization must notify affected users within 72 hours of the incident. – Progress
When Breach Disclosure Doesn’t Happen
Not all organizations disclose breaches.
According to an Arctic Wolf report, of the organizations that suffered a breach, 72% chose not to disclose it, even if doing so could lead to fines. The top reason for this was “fear of damage to our reputation.”
Somewhat good news to consumers (and terrible to organizations) is that criminals are increasingly taking matters into their own hands by reporting organizations that fail to disclose breaches. Of course, the only reason they’re doing so is to put pressure on the organizations they want to get a ransom from, but it does mean that consumers can at least know when their data is impacted.
US Data Breach Disclosure Laws
The US does not have a federal data breach notification law. However, all 50 US states have some form of data breach disclosure law in place. The international law firm Perkins Coie LLP has a comprehensive document about state laws regarding security breach disclosure.
State data breach disclosure laws describe:
- Who the law applies to.
- How a security breach is defined in a particular state.
- The kind of disclosure/notification obligations breached organizations have.
- If and when organizations have to notify consumer reporting agencies about the breach.
- If and when organizations have to notify the Attorney General about the breach.
- How quickly the disclosure/notification has to be made.
- How personal information is defined in the state.
- How notice can be given (written, email, etc.)
- What information the notice needs to contain.
- If there are any exceptions.
Why Breach Disclosure Is Important for Privacy
If you don’t know your personal data was compromised in a data breach, you can’t do anything about it.
This is why breach disclosure is so important—it informs individuals that their information was compromised, allowing them to take necessary actions to protect their privacy and mitigate potential harm. These may include changing passwords, monitoring financial accounts for suspicious activity, or taking other steps to safeguard their personal information.
Public disclosure of breaches can also pressure organizations to improve their security practices. The negative publicity and potential legal consequences associated with breaches may incentivize organizations to invest more resources in improving their data protection measures.