When domestic data breaches grab headlines so regularly, it can be tempting to overlook the global nature of the problem. However, just as economies and businesses are entwined around the world, so too is the risk of a data breach a global concern.
In our 2017 Data Breach Industry Forecast, Experian Data Breach Resolution predicted the impact of international data breaches would grow this year. With the implementation of the European Union’s General Data Protection Regulation (GDPR) less than a year away, and data breach regulations pending in Canada and Australia, we predicted companies would need to re-examine and adapt their incident response plans to meet the demands of global compliance.
In 2016, approximately 10 percent of the incidents our data breach resolution team serviced were international in nature, and we expect that number to double this year. Recent international breaches such as the TalkTalk scam in the United Kingdom, the Wonga data breach that affected consumers in the UK and Poland, and the O2 incident in Germany show our estimate could be on track.
Further evidence that global data breaches are escalating: 51 percent of the security professionals polled by Ponemon Institute for the report Data Protection Risks and Regulations in the Global Economy said their companies had experienced at least one global data breach in the past five years. In fact, 56 percent of breached companies said they had experienced multiple international data breaches.
The GDPR effect
The GDPR will take effect in May 2018. At that time, companies that store the personal data of European Union consumers will have to comply, regardless of where the company is located. Under the GDPR, companies that discover a breach affecting EU citizens will need to notify regulators of the breach within 72 hours of its discovery, and affected consumers “without undue delay.”
It’s likely that many companies will struggle with those compliance time frames. In fact, half of those surveyed by Ponemon said they had experienced a breach that required them to notify victims, and only 10 percent were able to do so within 72 hours. More commonly, notification took two to five months to complete.
Global threats, global preparation
As the threat of international data breaches continues to grow, and regulatory pressures increase, it will be imperative for companies that do business internationally to adapt their data breach response plans to address international incidents. Governments are increasingly aware of data security, and the GDPR will not be the only international regulation companies will have to be aware of and prepared for.
Companies should become familiar with the data security regulations for each region in which they operate, tailor a data breach response plan for each area, and practice data breach response scenarios accordingly.