
Understanding breach notification delays
If your personal data is exposed or stolen in a data breach, you will almost always be notified of the fact. But the notification can arrive days, weeks, or even months after the breach actually occurs.
It’s reasonable to be concerned about this, since any delay gives the criminals responsible for the breach more time to misuse your data, potentially including identity theft — which can have devastating consequences.
Nonetheless, it’s important to understand that there are several factors that affect how long it takes to be notified of a data breach that affects you. Some of them are perfectly legitimate. Some reveal weak security practices. And some are simply unacceptable.
What does the law say?
Before getting into the various factors that can delay notification, let’s quickly review some of the laws and regulations that breached organizations have to follow.
- The European Union’s General Data Protection Regulation (GDPR) provides one of the strictest regulations, requiring organizations to notify affected persons of a data breach “without undue delay and not later than 72 hours after becoming aware of it.”
- In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires organizations to report any breach of personal health record data (PHR) to both the U.S. Department of Health and Human Services and to all affected persons “without unreasonable delay” and in any case within 60 days.
- In March of 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires operators of critical infrastructure to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours of discovery.
- Also in the U.S., each state has its own data breach notification law. These can vary considerably. Some, like California’s, do not set a specific timeline but state that affected parties must be notified “without unreasonable delays.” Others, like Arizona’s, require notification within 45 days of the occurrence of a breach.
Despite this patchwork of laws and regulations, it is not uncommon for breaches to go unreported until well past the required date, although this appears to be happening less often than in years past.
Reasons for delays
Delayed breach detection
One common reason for delayed notification is that the organization in question only discovered the breach long after it occurred.
Cybercriminals who successfully penetrate a target network typically spend weeks or months exploring their target’s data stores, acquiring higher-level credentials, and so on, without being detected. This type of attack is often called an advanced persistent threat. So even if an organization notifies affected individuals immediately after discovering a breach, it’s entirely possible that by then the data has been in criminal hands for a long time.
While this type of delay may be understandable, it does indicate that the breached organization could probably stand to improve its cybersecurity posture. Modern solutions to detect compromised accounts, impersonation, unauthorized data exfiltration, and illegitimate internal data traffic (such as Barracuda Email Protection) can help ensure that even if a network is penetrated, the breach is detected quickly.
Police investigation
Occasionally breached organizations will bring law enforcement organizations in to investigate a breach as a criminal act. In such cases it is not unusual for the investigating agency to prevent the organization from issuing public notifications, usually out of concern that the criminals might then take steps to cover their tracks and avoid prosecution.
Obviously, this sort of delay is not the fault of the breached organization. And in fact, if the lack of notification helps lead to the apprehension of the criminals involved, then it may actually mean that affected individuals are exposed to lower levels of risk from the potential misuse of their stolen data.
Third-party delays
Many organizations outsource the processing, storage, or management of protected data to third parties. When these third-party companies are breached, it is still the responsibility of the primary data-holder to notify affected parties — but if the third-party company fails to inform them of the breach in a timely manner, then that delay is unavoidably passed on to affected customers or employees even if the primary organization has the best of intentions.
This is what happened to the Chicago Public Schools system (CPS). In December 2021, a technology vendor called Battelle for Kids was breached, exposing data for about half a million students. Battelle did not notify CPS, however, until late April 2022. Battelle claimed to have good reasons for the delay, but CPS states that any delay was a violation of its contract.
Reputational concern
Every now and then, it is revealed that an organization has delayed notification for long periods — or simply declined to make a breach public at all — out of a concern for its own reputation, stock price, etc.
I guess you can call that understandable. After all, several large organizations have suffered very significant losses of business, revenue, and market capitalization following major data breaches — for example, Target’s infamous breach of credit-card data in 2013. Nonetheless, it’s illegal; it shows contempt for the customers and employees whose lives may be heavily affected; and in the long run it’s ineffective, because the truth eventually comes out and the resulting hit to the organization’s reputation is more severe than it had to be.
One recent example of a company learning that lesson the hard way is Uber. When it suffered a major data breach in 2016, it hid that information for more than a year — and the backlash when it was discovered was considerable. In 2022, by contrast, Uber disclosed a new data breach immediately, even before having fully analyzed the nature and scope of the hack.
The (mostly) good news
Unfortunately, breaches continue to occur on a depressingly regular basis. And so much data has already been breached and posted for sale on the dark web that security pros have to assume that criminals have access to credentials and compromised accounts.
But on the positive side, delays in breach notifications have become a lot less common than even just a few years ago. Partly this is due to better enforcement and stiff fines for violations of notification rules, and partly it can be ascribed to a growing understanding that trying to hide a breach is more costly in the long run than revealing it promptly (see the Uber example above).
And another positive angle is that many of the breaches that do occur are in fact preventable. By implementing modern platform-based solutions for email protection, network protection, app and API protection, and data protection, most organizations can dramatically reduce their risk of a breach — thus protecting all their customers, employees, and other stakeholders from the very real dangers of personal or financial data falling into the wrong hands.