Whenever a data breach happens and sensitive data is exposed, the HIPAA Breach Notification Rule requires affected individuals to be notified. The FTC Health Breach Notification Rule additionally includes breach reporting requirements, and all 50 states have passed data breach notification laws. What is missing from many of these federal and state policies is a specification of what the notification letters should contain.
A couple of years ago, most breach notification letters included reasonably detailed facts about the breach. Today, however, data breach victims are commonly given only the bare minimum of information needed to comply with federal and state rules, which makes it hard for affected individuals to correctly evaluate the level of risk they face.
Although it was once typical to report ransomware attacks as such, many are now reported as hacking incidents, with no mention of data theft or file encryption. Even when attacks involved the theft of sensitive information and its exposure on data leak sites, victims are often told only that attackers may have accessed or stolen their data.
This trend was confirmed in the 2022 Data Breach Report from the Identity Theft Resource Center (ITRC). In 2022, 66% of data breach notifications lacked the facts needed for the individuals and companies impacted by those breaches to correctly evaluate the potential threats. Only 34% of breach notifications in 2022 provided details about both the victim and the attack, the lowest figure in the last 5 years. Compare that with 2019, when about 100% of notifications contained details of the attack and 72% provided details of both the attack and the victims.
According to the ITRC, for most of the last 20 years data breach notifications included enough information for breach victims to correctly gauge their risk. Since Q4 2021, however, less information has been provided in data breach notifications, and that pattern continued into 2022. Of the 1,802 data breaches in 2022, 747 did not indicate the underlying cause of the breach, even though 1,595 compromises were attributed to cyberattacks.
Eva Velasquez, CEO of the ITRC, stated that the sudden loss of transparency in data breach notifications has increased the risk to victims and created uncertainty about the true scale and effect of data breaches. The consequence is that people are largely unable to protect themselves from the harmful effects of data breaches, which has resulted in an epidemic of identity fraud carried out using stolen or breached data.
The cause of the surprising drop in transparency is uncertain, but there are a number of theories. It is now far more common for lawsuits to be filed after data breaches, particularly healthcare data breaches. Whereas legal action was once usually limited to large breaches, it is now routine for multiple lawsuits to be filed within a few days of the notification letters being issued, quite often even when there has been no misuse of the stolen data.
Numerous federal court decisions have dismissed such lawsuits because the plaintiffs could not supply proof of actual harm, and in several states it is not possible to sue over an increased risk of future harm from exposed personal data. This may be why breached organizations are now hesitant to disclose specific details about their breaches: doing so could reveal information that can be used to file a lawsuit against the organization, even though the lack of details heightens the risk of real harm to breach victims.
The ITRC draws attention to a number of data breaches at organizations that made a deliberate decision to withhold details about their breaches, such as Samsung, LastPass, and DoorDash. The details shared in their breach notifications were enough to satisfy state requirements yet provided little information to help breach victims assess their risk. The LastPass data breach is a good example. LastPass issued notifications in August 2022 about a breach involving source code and internal records. It was only confirmed in December that the master passwords for customers' password vaults were not compromised. It was also confirmed that GoTo, its parent company, was affected by the breach. The number of affected customers is still unknown.
The ITRC also noted that the complexity of many of today's attacks can make it hard to immediately determine the cause of a breach, the individuals affected, and its possible implications. The economic downturn has led to restructuring and budget realignment, so fewer resources may be devoted to forensic investigations of data breaches, which can increase the time required to establish what happened. When breach reporting rules demand prompt notification, notifications may have to be issued before detailed breach information is available.
In 2022, the ITRC tracked 1,802 data breaches, the second-highest annual total since the ITRC began monitoring breaches and producing data breach reports. At least 422 million individuals' records were compromised, meaning millions of people were unaware of the details of the breach of their sensitive information and therefore could not properly evaluate the degree of risk they face.
With more accurate reporting, consumers would know what steps to take to protect themselves from fraud. It would also make it much easier to compile accurate data breach statistics and identify trends, and that data could help lawmakers make sound decisions about where to direct resources to address the underlying causes of data breaches.
At the federal and state levels, the legislation places the burden of evaluating risk on the people affected by data breaches, yet breached companies are usually not required to provide the information that makes accurate risk assessment possible. Revising state legislation to require that specific facts about data breaches be disclosed would help consumers make informed decisions about the safety measures to take to guard against fraud; on its own, however, it may not be enough of an incentive to improve reporting unless compliance is strictly enforced.
There are federal laws requiring breach notifications, but even these are not being strictly enforced in their present form. The FTC had not enforced its Health Breach Notification Rule for many years, and it is uncommon for the HHS' Office for Civil Rights (OCR) to issue financial penalties for Breach Notification Rule violations, even when notifications were issued several months after a breach was discovered. It is hard to imagine OCR issuing penalties over insufficient details in breach notices.