The Case for Uniform Data Breach Reporting

Matthew Honea


May 8, 2019

Data breaches and cyber incidents continue to plague businesses and end users, compromising millions of records each year. Yet, while the volume of these breaches is astonishing, it is sometimes hard to understand what they mean, what a “record” is, and what actions affected companies need to take to resolve the issue and prevent future breaches.

Reporting requirements in the United States are currently administered at the state level. While every state has now adopted some breach notification requirement, with South Dakota being the most recent in mid-2018, the laws are a patchwork of requirements that vary significantly. In addition, industry regulations differ markedly from industry to industry with some possesing no reporting requirements at all.

Because of this, reporting currently does not capture the total number of cybersecurity incidents that occur, nor do they properly explain the severity of each breach. As hackers become more sophisticated, the lack of clear terms around cybersecurity is preventing a better understanding of breach types and the actions needed for protection.

By creating clear terms, definitions and regulations on reporting, the United States can gain greater insights on growing and changing cyber threats that companies face across industries. At the same time, the stigma that current reporting procedures create can be removed by showing the prevalence and true severity of these breaches.

If insurers, who already collect cyber data on breaches for claims purposes, collected all relevant data available on the breach and the exposure that caused it before reporting them to the governing body, it would create a layer of protection for breached companies and better inform underwriting.

The Need for Regulation

Stricter and more uniform regulation will allow for greater understanding the severity of each risk and provide stronger insight into how these breaches are occurring and the steps that can be taken to combat them.

Most states set a reporting minimum for those affected by a breach, so many small-to-medium-sized companies do not have to report their digital thefts. Louisiana, for instance, does not require notification if an incident is not “reasonably likely” to result in harm, although entities must document their determination in writing. Alabama only requires notification if a company determines that unauthorized acquisition of sensitive personal information is reasonably likely to cause substantial harm.

Yet, a growing number of cyberattacks are targeting smaller enterprises, as hackers recognize they can be as attractive as larger corporations. Even though there might be less overall data, security controls are generally less sophisticated and there are fewer staff to monitor abnormalities. There are also orders of magnitude more to target. A 2018 cybersecurity report by Cisco related to small and medium-sized companies found that 53% of mid-market companies in 26 countries recorded a breach. And while these breaches might result in fewer lost records, those records lost could contain sensitive information that would be important to report on.

Why Stricter Regulations Will Help

Tighter regulation will allow for greater insight into how the avalanche of breaches occurs, which can help fight against future attacks. The more information available from all sources about the victims of attacks and what personal information is taken—especially if that information must be submitted quickly—will help cybersecurity experts better determine sources and attack methods, inform underwriting of cybersecurity insurance to provide protection, and inform emerging cybersecurity trends in the United States and globally. Comparing breaches in terms of size is difficult due to the variety in types of breaches. We need additional data, such as the type of breach, the sensitivity of the data lost, time it took to address the breach, type of encryption used, number of duplicates and time the breach occurred along with other details that will allow us to gain a better understanding of the full picture.

In addition, rigorous regulations can help remove the existing stigma of breaches against those targeted and victimized by highlighting the regularity of data fissures. Criticism of weak cybersecurity defenses and monitoring is expected, especially against major enterprises entrusted with private information about millions of customers. But this finger-pointing can encourage others to avoid reporting a breach, leading to more lost, meaningful data.

New data breach requirements in Europe and Canada are likely to put additional pressure on the United States, its states and industries to adopt more uniform reporting and other cybersecurity regulations.

For example, the European Union’s new General Data Protection Regulation (GDPR) requires essentially equal reporting standards for other countries who wish to transfer data out of the EU. The existing U.S. data transfer mechanism, the Privacy Shield framework, is expected to be evaluated in 2019 when the EU conducts its annual review. Some European lawmakers and officials question whether that U.S. framework provides enough protection. In addition, the U.S. has not yet appointed officials to several key privacy oversight positions.

In Canada, new regulations relating to mandatory reporting of privacy breaches went into effect on Nov. 1. These regulations have extra-territorial reach into the United States and include fines of up to $100,000 (CAD) for noncompliance. Previously, much of the Canadian private sector and other private sector organizations were not subject to mandatory privacy breach notification. To comply, organizations will have to revise internal privacy policies and procedures to ensure compliance with the new regulations.

Involving Insurers

One possible solution to help create a standardized process is insurers could collect and process claims data, and then report certain statistics under agreed-upon definitions to a regulating body. A similar system already works with auto insurance and the National Association of Insurance Commissioners (NAIC),where insurers collect all relevant data on collisions and then report what is deemed necessary to the NAIC.

Having insurers play the role of the middle man makes sense for several reasons. Insurers track trends and cyber data about their insured to create effective models. For this to work, data that is reported would need to be standardized. In addition, the data shared by all insurers would have to be compiled and kept by a regulating body. This central unit could require a quarterly reporting of breaches, with anonymous data reported publicly. A review board could help manage the process.

Challenges exist with such a system. The regulating body keeping the data would have to exercise due diligence and oversight on reporting to prevent fraudulent cyber claims and falsified information.

However, two states—South Carolina and Ohio—have passed legislation that obligates insurers to adopt and maintain an information security program to safeguard nonpublic business and personal income. It includes development of a formal incident response plan to respond to a cybersecurity event.

Ohio Gov. John Kasich signed the legislation on Dec. 19 and, under it, the state’s insurance superintendent must be notified of a cybersecurity event no later than three business days after determining an incident occurred, among other requirements. It makes an insurance company’s board of directors accountable for overseeing the insurer’s cybersecurity program.

The South Carolina and Ohio laws are modeled after the National Association of Insurance Commissioners’ Insurance Data Security Model Law. That model law resembles rules adopted by New York’s Department of Financial Securities and is seen as a strong target for setting reporting laws. However, improvements could still be made to the model’s processes, such as adding a validation phase to verify that breaches are properly cleaned up.

Involving the insurance industry and state insurance commissioners in data breach reporting may prove effective in ensuring that more data security incidents are captured, providing a better understanding of cyber risks faced by companies so that issues can be addressed as risks continue to grow. It will be challenging to agree on a common solution to this problem but finding one will allow a better understanding of the risks faced and their consequences down the line.

In the meantime, insurers should work to improve their internal data-reporting and utilization processes by gathering all available breach data to include in models that provide both informative and actionable insights for long term planning and prediction. That way, insurers will be better prepared for any future regulatory reporting and will also be better informed to provide risk insights to clients.
Matthew Honea is director of cyber at Guidewire Software, a provider of an industry platform for P&C insurance.