During my teens, I received an unwanted sales letter addressed to “Peter S. Bullock” (an incorrect initial). Over the following 10 years I received numerous unrelated letters, each addressed to “Peter S. Bullock”. Someone had miscopied my name, and the resulting list had been sold and resold to a string of hapless marketeers.
The point is that, despite the error, it would have been effectively impossible for me to trace those responsible for the original mistake, or the downstream (wrongful) sale of my personal data (although all this started before the UK’s first data law, the 1984 Data Protection Act).
Wind forward 40 years, add the internet and the acceleration of data movement and manipulation, and the same truth remains. In practical terms, absent some quirk making a piece of data unique to a breached data set, it will not be possible to prove that a particular use of personal data results from a particular data outage. Add to this the fact that banks are prepared to absorb the cost of much of the low level consumer related cybercrime, in order to maintain the “trust” in their payment systems, and you have an imperfect system. No one is quite sure of the extent to which their personal data has been compromised, and most people move through life with fingers firmly crossed.
Legal requirement to notify?
Laws mandating the notification of data breaches are a relatively recent phenomenon. The idea that data users (data controllers in EU terminology) should probably be informing data subjects in the event of a data outage is easy to articulate. However, until recently, the first question on the lips of those finding to their horror that they have lost their customers’ or employees’ data, has been “Is it a legal requirement for me to notify?”.
When told that it is not, they are not interested in receiving further legal advice—and no notification is made. However, it has become increasingly difficult to keep a lid on outages, not least given the power of social media. When hackers stole data from up to 40 million credit and debit cards from the US-based Target chain of stores in 2013, the store was obliged by local laws to notify affected customers in California, but chose not to notify customers in other states where there was no mandatory notification.
Unsurprisingly, those in neighbouring states got to hear about it, and the ensuing clamour led to most states enacting mandatory data breach notification laws over the following years. In 2017 Target paid US$18.5 million in a settlement across 47 states.
GDPR: yea or nay?
So when the GDPR—the EU’s new gold standard for data protection—came into force on 25 May 2018 mandating data breach notification (for qualifying breaches) within 72 hours of discovery, this seemed a welcome development. Well, yes and no. It is a good thing that data users cannot now look the other way and hope that their data breach is not discovered (or leaked by a disaffected employee or supplier). But the practical effect of a short deadline for notifications is a recipe for chaos.
A few days after the GDPR came into force, Australian-headquartered online recruitment services organization PageUp became aware of a data incident affecting the integrity of their systems. Although Australian law also mandated notification, those laws imposed no deadline, and since PageUp had an office and customers in the EU, it was the GDPR that drove the notification response.
PageUp duly notified their customers (many of whom were professional services firms using the service as part of their HR procedures) within the GDPR’s 72 hour deadline. However, at that point PageUp had very little to report. They had to walk a tightrope between making light of the problem and admitting that the sky had fallen in. Teams within their customers received the notification (and the supplementary bulletins over the following days and weeks) and tried to make sense of the situation.
Most of these firms would have found it necessary to make their own GDPR breach notifications. Once notifications are initiated, they need to be followed up as more information comes to light. The EU regulators had received a deluge of communications and were clearly struggling to cope—presumably, they had many other breach-notifications at the same time. The subjects whose data was at risk were, I suspect, mostly unaware of all this. Essential details were lacking, so there was a trend of professional services firms releasing announcements on their intranets or the darkest corners of their websites—the enterprise equivalent of an advert in the London Gazette—unlikely to be read by many. However, many customers decided to turn off the PageUp service, albeit perhaps temporarily, and this presumably impacted PageUp’s business significantly.
After some 18 days of uncertainty (some might say panic) a joint statement was made on the incident between the Australian Cyber Security Centre, the Australian Privacy Commissioner and experts IDCARE, stating the belief that although certain personal information had been accessed by an unauthorized third party, none had been exfiltrated (stolen) and the accessed data did not include employment contracts, resumes, or financial information.
Before the GDPR, the company would have kept quiet for 18 days before deciding that no notification was necessary.
Although it is clear that the actions taken to contain, investigate and understand a potential data breach within the first 48 hours of discovery are the most important, in my experience the full picture is rarely known within 72 hours. I have some sympathy with those companies who choose to ascertain more facts before making an announcement of a data breach. Delaying notification risks, in the worst case, further losses accruing, as well as public and regulatory censure. However, if the content of an early notification is not meaningful, it is perhaps better (if one has the legal option) to wait until things become clearer.
Peter Bullock is a technology lawyer and partner with King & Wood Mallesons. He can be contacted at: [email protected]