Founder, BeforeCrypt GmbH – The Leading Ransomware Experts In Europe.
One of the most terrifying facts about cybersecurity is that the damage breaches cause can force businesses to close. Paying fines for noncompliance with data privacy regulations can contribute, so it’s extremely important to know how to properly handle data breaches.
This is especially true in light of the rising epidemic of ransomware. A growing number of criminals are leveraging data privacy regulations to put pressure on business owners and extort funds. In some cases, hackers try to confuse victims in order to extort more money, for example by setting tight deadlines and scaring them into paying a ransom before they have done any research, so it’s important to know your rights and responsibilities.
This can be very difficult because it’s not always easy to tell how much data has been compromised, plus hackers may lie about it to intimidate victims. Making matters even more difficult, different countries and jurisdictions have different rules about what kind of breaches have to be reported.
This article will walk you through what you need to know to protect your company against the potentially damaging effects of ransomware-related data breaches.
What Constitutes A Reportable Breach?
With the current state of the cyber threat landscape, having a ransomware response plan in place is essential for every company. Knowing the definition of a reportable data breach in your jurisdiction is an essential part of making your plan.
The country where you are located is not the only factor affecting regulations—in many countries, there are different regulations for companies operating in different sectors. Here are some of the most important regulations to know:
General Data Protection Regulation (GDPR)
GDPR is the main data protection regulation governing all countries in the European Economic Area. It lays down guidelines for what kind of data breaches need to be reported and how.
The GDPR does not establish a fixed size threshold on which data breaches need to be reported. What matters is how likely the breach is “to result in a risk to the rights and freedoms of natural persons.”
Some of the factors to consider are:
• How much data is affected.
• The nature of the data (e.g., medical or financial data).
• The type of persons affected (e.g., children).
• The possible effects of the breach.
• How easy it is to identify people from the data.
Failure to report a breach to authorities within 72 hours of detection can result in fines of up to $22.8 million or 4% of the company’s annual revenue, whichever is greater. If you take longer than this to notify authorities, you must provide a reasonable explanation.
This can give you a rough idea of reporting guidelines, but if you are in doubt, it’s always best to consult with a legal expert.
US State Data Breach Laws
In the United States, there is no single federal regulation defining data breach reporting requirements. Instead, each of the 50 U.S. states has its own guidelines and requirements.
For example, in California, you are required to report breaches that compromise the first and last name or first initial and last name of a person, plus a driver’s license or ID number, financial account, bank card number or information, medical or insurance information, biometric information, or other PII; or a username and password combination that could grant a hacker access to someone’s online accounts.
Health Insurance Portability And Accountability Act Of 1996 (HIPAA)
The HIPAA Breach Notification Rule covers data breaches affecting medical records in the United States. A reportable breach is one that involves unsecured protected health information, which is “protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.”
Breaches covered by HIPAA have special requirements, including issuing a report to affected individuals and media outlets in the areas where affected individuals live. The report must be issued within 60 days of the time the breach is first detected.
Personal Information Protection And Electronic Documents Act (PIPEDA)
Data breaches in Canada are governed by PIPEDA, which defines a reportable data breach as one that carries “a real risk of significant harm” to affected individuals. Breaches must be disclosed to the Office of Privacy Commission in Canada. Breaches must also be disclosed to affected individuals “after you have determined that a breach of security safeguards involving a real risk of significant harm has occurred.”
How To Determine The Extent Of A Data Breach
Knowing if a data breach is reportable requires knowing which data the hacker accessed. With ransomware attacks, you can determine this based on what is encrypted and what access level the attackers gained.
If an affected file has been encrypted by the ransomware, the attackers had access to it. If the attackers exfiltrated data, the upload process may have left a record in the logs.
In many cases, you can also simply ask the hackers to prove that they have the data. This works mainly when you have successfully restored your data from a backup but the hackers are trying to use exfiltrated data for extortion.
Better Safe Than Sorry
When in doubt, it’s always better to err on the side of caution. In many cases, the agencies that require breach reporting can help you to find out what your obligations are.
Still, ransomware attacks are very stressful, and the less you have to think about, the better everything will go. This is why it’s important to know your obligations and have a plan in place in advance so you don’t have to worry about running afoul of regulators.