The Effects of GDPR's 72-Hour Notification Rule

The EU's GDPR regulation requires companies to report a breach within 72 hours. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem:

Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete.

1) Announce & cop to max possible impacted users.
2) Everybody is confused on actual impact, lots of rumors.
3) A month later truth is included in official filing.

Last week's Facebook hack is his example.

The Twitter conversation continues as various people try to figure out if the European law allows a delay in order to work with law enforcement to catch the hackers, or if a company can report the breach privately with some assurance that it won't accidentally leak to the public.

The other interesting impact is the foreclosing of any possible coordination with law enforcement. I once ran response for a breach of a financial institution, which wasn't disclosed for months as the company was working with the USSS to lure the attackers into a trap. It worked.

[...]

The assumption that anything you share with an EU DPA stays confidential in the current media environment has been disproven by my personal experience.

This is a perennial problem: we can get information quickly, or we can get accurate information. It's hard to get both at the same time.

Posted on October 3, 2018 at 3:24 PM • 13 Comments

Comments

ThomasOctober 3, 2018 4:13 PM

Remember when "may contain traces of nuts"(*) actually meant something?

> 1) Announce & cop to max possible impacted users.

How long before every company publishes a similarly meaningless "all our users may have been compromised" message every 72 hours, just to be safe.

(*) I just saw a new low in such a disclaimer: "This product may contain all allergens".

echoOctober 3, 2018 4:17 PM

This topic is incorrect. There are too many variables to simply assume so thereis a problem both with the question and the conclusions. I personally think the whole argument is wrong and I had my doubts the second I caught it was by an American with a vested interest and corporate point of view.

Incidents must be reported to authorities "without undue delay". Where there is a high risk of individuals rights and freedoms being at risk the individual must also be informed "without undue delay".

There is also the issue of "margin of appreciation" and which legal jurisidiction any legal action may take place in. Rights and freedoms must be considered in light of EU law, which is superior to member state law. In some specific instances a particular individuals rights and freedoms may require an extreme level of due diligence and care.

Another important legal point is EU and UK law is by dogma/convention based on "prevention of harm" rather than the US tradition of "prevention of risk". I believe Alex Stamos needs to tear everything up and go back and begin from scratch.

One last legal point for Alex Stamos personally and any company basing their policies on advice Alex Stamos supplies. Where damage is discovered for an audience in the UK his view is directed, or foreign companies who base their policy on views he has expressed, UK case law allows this to be sued in a UK court.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/what-happens-if-data-i-have-shared-leaked_en

A personal data breach occurs when there’s a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed. If this happens, the organisation holding the personal data must notify the supervisory authority without undue delay. If the personal data breach is likely to result in a high risk to your rights and freedoms and the risk hasn’t been mitigated, then you, as an individual, must also be informed.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/enforcement-and-sanctions/sanctions/can-my-company-my-organisation-be-liable-damages_en

Individuals can claim compensation if a company or an organisation infringed the General Data Protection Regulation (GDPR) and they have suffered material damages, such as financial loss or non-material damages, such as reputational loss or psychological distress. The GDPR ensures they will be provided with compensation, regardless of the number of organisations involved in the processing of their data. Compensation can be claimed directly from the organisation or before the competent national courts. Proceedings are brought before the courts of the EU Member State where the controller or processor has an establishment or where the citizen claiming compensation lives ( habitual residence).

Fazal MajidOctober 3, 2018 5:20 PM

Considering Yahoo's truly massive hack happened on Alex Stamos' watch, I would not give undue importance to what he says. The fact he left (was pushed?) from Facebook's CISO post to take a mere adjunct professor job at Stanford is not exactly career progression.

Equifax shows the downside of letting a company control when they will disclose a breach. They took their sweet time, which means the public could not take countermeasures because they did not know, and seemingly engaged in insider trading.

I find it hard to believe companies would make meaningless "everybody was compromised" announcements. The reputational damage is severe and CEOs are held accountable. Even though Equifux hasn't suffered much despite richly deserving the corporate death penalty once inflicted onto Arthur Andersen, their CEO were pushed out (albeit with golden parachutes intact). We need statutory penalties (e.g. $10,000 per SSN compromised, $1000 per credit card number disclosed, and so on), and also the same kind of penalties Dodd-Frank and Sarbanes-Oxley imposed on CEOs.

Keep in mind GDPR has teeth in the form of severe financial penalties for companies that are breached, unlike the toothless notifications we have in the US. We'll see what fines British Airways and Facebook incur for their post-GDPR breaches.

WinterOctober 3, 2018 8:08 PM

"I once ran response for a breach of a financial institution, which wasn't disclosed for months as the company was working with the USSS to lure the attackers into a trap. It worked."

There is a consideration about whether arresting the attackers justifies continued harm to the users? This is not simply for the company or law enforcement to decide.

One of the implicite points of the GDPR seems to be that the law will happily sacrifice the company to protect the users. 4% of global turnover per incident can be brutal.

JackOctober 4, 2018 12:17 AM

What a load of twaddle Chuck Schneier and you bloody well know it :
Nothing, repeat NOTHING, in the new EU regulations prevents "lawenforcement" from conducting investigations. Unlike the US we generally don't allow "sting-operations", we don't allow agent provocateurs and we sure as sheit do not allow "former" facebook (CIA) agents to tell us how to protect peoples data.
Chuck, I am seriously starting to question what side of the fence you are on.
Buhuhu, they have to tell people if their data has been compromised within 72 hours ? OMFG the horror..

echoOctober 4, 2018 12:22 AM

Another thought is that by the GDPR linking data breaches of citizens data with "rights and freedoms" which is core to EU consititional documents souch as the founding treaties and European Convention which is mandatory for EU member states the GDPR directly links citizens rights and freedoms with national security. This is an important distinction from the US where a very legally arguable Executive Order essentially nullifies citizens rights and freedoms when an alleged national security issue is at stake.

It is established UK case law within the context of the European Convention that a citizens beliefs (a logical and well founded structure) are treated similar to a US Executive Order i.e. they are treated "as law" but similarly are not law. A belief (as does an Executive Order) only hold force, like a contract in UK law, only where it does not conflict with law.

Article 33 of the GDPR is essentially a due diligence article. It implies forward planning and competent action. This is not "leave it to the last second" and "pick up the pieces". I am reading this as a "positive obligation" to protect the "rights and freedoms" of EU citizens.

The GDPR states in article 55 that a member state authority may not supervise courts acting in their judicial authority. UK courts are bound by the Huan Rights Act which brings the European Convention into UK law. This is another element of the GDPR which reinforces the authority of the EU treaties and European Convention ultimately via the ECHR and ECJ.

After taking a deeper look at the GDPR Alex Stamos comments may be grossly negligent. He would not be competent to create policy or hold the office of "data controller". I cannot imagine him successfully passing a job interview. According to cureently obscure UK case law he would be negligent of "high risk" individuals "rights and freedoms". The current view of the European courts within this context is there is effectively no "margin of appreciation". There would be no "get out of jail free" card.

I'm sorry I am coming down so hard with this topic but my Convention Rights have been abused and I have learned from experience as have many people I know who I have discussed this with in my position is you cannot give abusers of our "rights and freedoms" a second chance. To do so is to be complicit with abuse culture and give in to a corporate culture and management negligence.

Gunter KönigsmannOctober 4, 2018 12:35 AM

As long as the "may contain traces of peanuts, even if we currently believe your account is not amongst the ones that are hacked and we will inform you once we can confirm that" is a legit answer only a very dumb firm will tell "it is a 100% peanuts, a 100% corn and a full 100% legumes at the same time".

All GDPR changes is that they cannot go into hiding for months before they reply and that they cannot lie to drastically any more if they already know it was 100% peanuts.

Where is the problem with that?

Officer XOctober 4, 2018 3:12 AM

The 72 hour notification rule is to the authority, not the public.

The information to the data subjects is immediately.

So before criticizing a piece of law, people should know it. You can notify and still keep investigating...

BobOctober 4, 2018 3:20 AM

@Thomas

>How long before every company publishes a similarly meaningless "all our users may have been compromised" message every 72 hours, just to be safe.

That's exactly the problem. No matter what the law is, businesses by nature will abuse it as far as can get away with. All laws should be designed like a security system - with a mindset "how could I abuse it had I had malicious intentions". Applies to the EU Copyright Directive also.

echoOctober 4, 2018 5:25 AM

@office x

Yes and the "72 two hour rule" is a maximum time for notifying authority. This is not a goal to aspire for but a hard limit on footdragging.

Another issue is that an individual company may not have the whole picture. The faste an authority (and customers) are notified the faster a broad attack can be detected or faster a prolific abuser can be detected.

If Alex Stamos et al wish to make allegations that an authority will leak data it would help if they took responsibility and made this view clear with examples. I cannot offhand remember a UK data protection authority leaking this kind of data. I would need to check but suspect leaking by authorities is criminally prosecutable whether enabled by a specific act or malpractice in public office. The media are also responsible for breaches of an EU citizens "rights and freedoms" and would hope they exercise proper responsibility. This is before we get into advisory "D Notices" and the after effects of the Levenson Inquiry which looked into abuses of "rights and freedoms" and criminal invasion and data theft affecting individuals and vulnerable communities. One such famous abuse the family of Milly Dowler led to the collapse and subsequent closure of "News of the World" which at the time was UKs best selling Sunday newspaper owned by the Rupert Murdoch vehicle News International.

https://en.wikipedia.org/wiki/Leveson_Inquiry

https://en.wikipedia.org/wiki/Murder_of_Milly_Dowler

JurgenOctober 4, 2018 8:49 AM

@Officer X and @echo:
... And at Bruce:
The 72-hours is no absolute you're going to die limit !!! All that know their law, know it says one should try very hard to notify (the authorities indeed) within 72 hours BUT when you simply can't (investigation 'too' hard etc), the 72hrs won't kill you -- but you have to log very detaildly why you (yourself...!) decided so. And there's a really really big IF: You only have to notify anyone if you vannot preclude some Subject's data having landed in wrong hands. If you have very very strong suspicion that the data doesn't hurt anyone (again, you call, but also your duty to record all decisions and arguments in detail), you don't have to notify ANYone (outside your own organisation).

And indeed all law enforcement is free to snoop what they like... They'll claim not to but hey, get real.

Officer XOctober 5, 2018 1:44 AM

@Jurgen

Indeed - in some sectors we have had the 72 hour limit for years. In most breaches I have reported, we have not met the 72h, simply because we did not know enough to report it. A friendly call to the authority will always help. Build a relationship! They are not idiots and know themselves how hard it is. But if you want to be sure, put in the notification within the time frame with 90% blank and then keep updating it. This is the reality in most cases. If the authority still wants to know more, they will ask you. They will not send you a $$$ fine with a smile... just my experience.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.