Overview
The ability to notify the individuals and entities affected by a data security breach rapidly and appropriately is increasingly critical for regulatory, reputational and financial reasons. Security professionals and other stakeholders should use Gartner's best practices in developing an effective disclosure process.
- The worldwide regulatory framework for data security breach disclosure remains fragmented and contradictory. Laws in the United States have proved effective in forcing victimized enterprises to disclose breaches, but have been enacted only on a state-by-state basis.
- Data security breaches lead to public and media pressure, regulatory action and reputational damage, and concern about such damage is a key driver for adoption of stronger data protection measures.
- Disclosure requirements and expectations vary widely across different regions. The differences include types of entities with disclosure obligations, definitions of personal or otherwise sensitive data, required recipients of notifications, exemptions from disclosure requirements, and penalties for noncompliance.
- Breach disclosure is not, in itself, an adequate response to a breach and, in fact, will likely be damaging if not followed by appropriate remediation measures to address the potential damage to the affected parties.
- When developing disclosure practices, take enterprise-, industry- and geography-specific differences into account (for example, parties to be notified and acceptable forms of communication).
- Involve all affected stakeholders, including the legal, IT, security, privacy, marketing and customer service organizations, in the development and implementation of disclosure practices; designate a point person in each stakeholder organization; and establish a clearly defined response workflow.
- Be prepared to scale the enterprise's responses to deal with a very large data security breach, using outsourcing services if necessary.
- Follow notification with appropriate and effective remediation measures.

Analysis

Best Practices for Data Security Breach Disclosure: An Urgent Need for Enterprises Worldwide
Enterprises must begin developing and implementing best practices for data security breach disclosure and notification. This critical imperative is being driven fundamentally not only by regulatory requirements for disclosure, but also by the growing recognition that failure to do so is bad for business.
A series of highly publicized data security breaches worldwide, many of them extremely damaging, has focused public, media and regulatory attention on data security breach disclosures. The U.S. has experienced several huge data breaches in recent years, including those at Heartland Payment Systems, TJX Companies and CardSystems Solutions. The U.K.'s tax and excise agency lost CDs containing sensitive information on 25 million people in 2007. And the mobile telephone provider T-Mobile lost data on 17 million German customers in 2006.
Legislators and regulatory authorities in many jurisdictions are struggling to develop rules for disclosing security breaches, and particularly for notifying individuals whose sensitive personal data may have been compromised. Enterprises handling sensitive data should be concerned about growing pressure for more-rigorous regulation in this area. A poorly handled breach disclosure and notification may result in unwelcome interest from regulators, or in criminal or civil legal action. An enterprise that is lax in its security controls will place itself in a less-defensible position following a breach disclosure, which will strengthen the plaintiffs' cases and may lead to more severe penalties.

The Regulatory Environment Worldwide
The regulatory guidance concerning breach disclosure is limited and incomplete and varies widely from jurisdiction to jurisdiction. This will not always be the case, however. Pressure from the public, the media and various interest groups will drive increased demand for disclosure notification, forcing regulators and legislators to act.
U.S.: Until recently, the U.S. had the world's only explicit data breach disclosure notification requirements. More than 40 states require some type of notification, with California, which is always influential in terms of public policy, the first to require notification if sensitive personal or financial data has not been encrypted. Laws in 25 states restrict the use of Social Security numbers. Some states, including Massachusetts and Nevada, have mandated that enterprises accepting and/or storing sensitive customer data implement various security practices and data protection measures. The federal government has not yet passed legislation that supersedes state breach disclosure laws. However, it is significant that it did create the first national disclosure requirements for information covered by the Health Insurance Portability and Accountability Act (HIPAA). The new Health Information Technology for Economic and Clinical Health Act (the HITECH Act), part of the federal government's economic-stimulus program, significantly extends certain HIPAA security and privacy requirements, and sets the stage for increased enforcement as well. The Department of Health and Human Services has also published an interim final rule to address breach notification for unsecured protected health information.
Europe: The European Union (EU) has struggled with disclosure notification issues for several years. In October 2009, the EU finally passed a revision to its E-Privacy Directive 2002/58/EC that mandates that member states pass legislation requiring telecommunications and Internet service providers to notify subscribers in the event of a security breach and loss of personal data. That mandate will initially apply only to these types of service providers. However, the preamble of the directive clearly states that the EU intends to extend these requirements to all types of enterprises that deal with information from individuals. In the meantime, some member states within the EU, notably Germany and the U.K., have moved ahead with actions of their own. A series of serious privacy violations in Germany in 2008 led to amendments to that country's privacy law in September 2009, one of which specifically addresses breach notification. That amendment specifies what types of information are subject to mandatory disclosure notification (for example, financial and credit data), what types of enterprises are required to notify compromised individuals, and what types of notification are acceptable. The U.K. Information Commissioner's Office (ICO) has presented new notification guidance for that country, although no new laws have been passed. The British Standard for Privacy (BS 10012) also defines breach notification procedures in personal information management systems. Discussions on breach notification requirements have also been reported in Austria, France and the Netherlands.
Japan: Japanese notification processes have proved to be counterproductive. Some of that country's ministries, including the Financial Services Agency, require notification of the public and all affected individuals, while others recommend such notice. The result has been that most enterprises notify the public of every security breach, irrespective of its size, nature and risk. This has largely confused people and "desensitized" them to future notifications. For this reason, the Ministry of Economy, Trade and Industry has revised its guidelines, establishing different notification triggers.

Best Practices for Data Security Breach Disclosure
In the absence of a consistent overall regulatory framework, and in the face of growing public and media pressure, enterprises should design, develop and implement their own breach disclosure practices. These practices will vary widely, depending on enterprise and industry type, the type of data being stored or transmitted, regional differences, and many other factors. But certain basic principles will apply to virtually every enterprise.
Enterprises that wish to stay ahead of regulatory requirements and public pressure and avoid damaging media attention should base their disclosure practices on certain fundamental principles:
- The specific requirements for the industry, in terms of the regulatory environment in any jurisdictions where the enterprise has operations, must be clearly understood. In particular, this means understanding what constitutes a security breach in each jurisdiction. For most enterprises, this will require input from the enterprise's legal organization, and possibly from outside counsel with specialized knowledge of particular regions and jurisdictions.
- Legal counsel should be consulted as to whether it would be a legally valid approach to identify the most demanding and inclusive breach notification law among all applicable jurisdictions, so that a breach disclosure and notification policy that complies with this law also meets all other relevant breach notification requirements. This approach would ensure consistency, efficiency and risk reduction across all these jurisdictions. The policy could also be formally articulated and detailed on websites and in annual reports and contracts, to inform the public and other stakeholders about the lengths the enterprise will go to if something goes wrong.
- The enterprise must be prepared to explain how it has protected sensitive data, why these controls did not work in the specific situation in question, and what it will do to avoid a similar failure in the future. Moreover, it must explain which processes and which technologies it has put in place to identify a security breach, track remediation and report results.
- The enterprise must involve all affected internal stakeholders, including the legal department, the IT organization, security, privacy, marketing and customer service, in the development and implementation of an incident response process. A "point person" must be designated within each internal organization, and a workflow must be established, with the ultimate objective of getting the necessary information to the affected individuals as rapidly as possible.
- An incident response process must be developed that includes:
  - An evaluation of the scope, the amount of damage and the number of individuals affected by the data breach
  - Notification of the individuals whose data has been compromised
  - Public relations management
  - Mitigation and forensics
  - Regulatory reporting
  - A help desk and call procedures for all individuals whose data may have been compromised
- The enterprise's breach disclosure efforts must be fully scalable to address the needs of both small- and large-scale data security breaches. Enterprises should also evaluate outsourcing providers that are capable of responding appropriately to a mass security breach by providing communications and remediation services.
- Disclosure alone is not an adequate response. The enterprise must also be prepared to offer remediation measures, and these must be appropriate, timely and effective. Many of the forms of remediation that are typically offered are none of these things. Enterprises facing data breaches, for example, sometimes offer their customers paid-for credit-monitoring services, which are often ineffective and unnecessary, because the data that has been compromised cannot be used to take out a new loan, which is what credit report monitoring watches for. In any case, U.S. consumers are legally entitled to three free credit reports per year (see www.annualcreditreport.com). Fraud alert services, another common response, are more effective than credit report monitoring, because they prevent a new loan from being taken out before the fact, rather than simply reporting it after the fact, but their protections are also limited, because they only guard against new-account or loan creation using the victim's stolen identity information. Identity monitoring is generally a more effective solution, since it monitors more than just credit files, but it is still limited in the types of fraud against potential victims that it can catch. The most effective form of assistance is also the most costly: personalized remediation services that cover the victim's time and expenses, and fraud losses attributable to the breach.
The bottom line: Enterprises that handle sensitive data, whether payment card data, personal health information or personally identifiable information of any kind, cannot afford to wait for legislators and regulators to establish common rules for data security breach disclosure. They must act to establish their own practices in this area.
© 2009 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.