Reporting Data Breaches: Do you need to do it?
Hong Kong’s flag carrier, Cathay Pacific, is the latest in a long list of companies affected by major digital data breaches. It was reported that the sensitive data of over 9.4 million customers was compromised in the incident. Over 400 expired credit card numbers and 27 active cards (without CVV information) were leaked. In situations like this, is reporting a data breach a legal necessity?
The breach that led to the data leak had in fact occurred in March 2018, months before Cathay Pacific’s official announcement. The company now states that this was when it first noticed suspicious activity on its servers. However, it decided to withhold the information from the public in order to avoid creating an “unnecessary scare”.
This practice is not limited to Cathay Pacific. Other large companies such as Yahoo and Facebook did not notify the public of data breaches until years after they occurred. In Facebook’s case, this resulted in the Cambridge Analytica data controversy of early this year. Both companies have suffered consequences from their respective incidents: Yahoo paid a $35 Million settlement for withholding information from its investors, while Facebook was fined after over 80 million of its customers had their data stolen.
Is Reporting Data Breaches A Legal Requirement?
Rules for reporting data breaches are determined differently in each jurisdiction. Individual countries generally have autonomy in how they regulate organizations that have been breached. For instance, in Hong Kong, companies are not legally required to report a breach to the public. Instead, they are simply encouraged to communicate with the Privacy Commissioner for Personal Data (PCPD) in order to mitigate the damage. However, in light of the incident, Hong Kong’s current Privacy Commissioner, Stephen Kai-Yi Wong, stated that stricter rules may be implemented in the future.
For GDPR Regulated Countries:
For states subject to the GDPR, which came into force in May of this year, companies suffering a data breach that affects European citizens must notify the affected parties as soon as possible, and within a maximum of 72 hours under reasonable circumstances. Companies that fail to do so face fines of the greater of 20 Million pounds or 4% of annual turnover.
How will Canada’s regulation be affected by the Digital Privacy Act?
Canada’s new Digital Privacy Act will be implemented on November 1st, 2018. From that date, Canadian companies affected by a data breach are legally required to report the incident both to the Privacy Commissioner of Canada and to any affected individuals. Under this new regulation, Canadian companies that fail to notify these parties face fines of up to $100 000. Furthermore, a company that fails to properly keep records of a breach, or deliberately destroys them, is also subject to fines of up to $100 000.
Do not fall victim to data breaches. Call us at GigE today at 888 366 4443 to protect your company from cyberthreats.