The Effects of GDPR's 72-Hour Notification Rule

The EU’s GDPR regulation requires companies to report a breach within 72 hours. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem:

Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete. 1) Announce & cop to max possible impacted users.

2) Everybody is confused on actual impact, lots of rumors.

3) A month later truth is included in official filing.

Last week’s Facebook hack is his example.

The Twitter conversation continues as various people try to figure out if the European law allows a delay in order to work with law enforcement to catch the hackers, or if a company can report the breach privately with some assurance that it won’t accidentally leak to the public.

The other interesting impact is the foreclosing of any possible coordination with law enforcement. I once ran response for a breach of a financial institution, which wasn’t disclosed for months as the company was working with the USSS to lure the attackers into a trap. It worked. […] The assumption that anything you share with an EU DPA stays confidential in the current media environment has been disproven by my personal experience.

This is a perennial problem: we can get information quickly, or we can get accurate information. It’s hard to get both at the same time.

EDITED TO ADD (10/27): Stamos was correct. Later reporting clarified the breach:

Facebook said Friday that an on its computer systems that was announced two weeks ago had affected 30 million users, about 20 million fewer than it estimated earlier. But the personal information that was exposed was far more intimate than originally thought, adding to Facebook’s challenges as it investigates what was probably the most substantial breach of its network in the company’s 14-year history.

Posted on October 3, 2018 at 3:24 PM • 13 Comments