Breach Notification Research Articles

Investigating Effectiveness of Informing Users About Breach Status of Their Email Addresses During Website Registration

The ever-increasing number of data breaches targeting user credentials has become undeniable reality in our digital age. Although there are third-party breach notification services (e.g., Have I Been Pwned, Firefox Monitor) that allow users to check whether their credentials have been involved in data breaches, the number of users who are aware of or use such services may be limited. To better inform users about the breach status of their accounts, we designed a prototype registration system where the website uses readily available information (e.g., email address) to check whether this account was involved in a data breach, and then inform the user about the breach status of the email address while signing up for a website. We investigated the effectiveness of this system by performing an online study (n = 373) in which participants were asked to register to a mock-up website that presented them with a data breach notification based on Protection Motivation Theory (PMT). We found that 64% of participants were exposed in one or more breaches. A follow-up survey, 3 days after the initial survey, was conducted to determine if there were any behavior changes (e.g., changing passwords) of participants whose accounts were involved in some data breaches. We found that 40% of the participants changed their passwords on their some accounts. Finally, we present our qualitative data analysis to shed light on participants’ motivations behind their decisions as well as their perceptions of the integration of our prototype registration system.

MANAGING INDONESIAN DATA BREACH NOTIFICATION IN THE FINANCIAL SERVICES SECTOR: A CASE FOR ONE-STOP NOTIFICATION MODEL

As a business of trust, the banking and financial services industry must protect its reputation to ensure consumer’s confidence. However, recent adoption of emerging internet communication technologies (ICT) have introduced new risks and challenges, such as safeguarding systems from cyberattacks and protecting consumer’s personal data. Cyberattacks, especially ransomware have shed new light on the importance of privacy and security throughout the banking and financial industry’s digitization efforts. Any organisation affected by cybersecurity attacks must face a twofold legal question. First, whether or not there has been a violation of the legal security requirements? Second, is to determine whether the attack triggers Data Breach Notification to the Data Protection Authority and/or Data Owners. This paper examines the complexity of maintaining security obligations under Indonesian Law (UU ITE, UU PDP, RPP PDP, and other relevant regulations) while also highlighting the common challenges in steering Data Breach Notification, with an enhanced perspective of the European General Data Protection Regulation (EU GDPR) practices. To address the challenges of patchwork data breach notification requirements in Indonesia, this paper proposes a proactive approach by Indonesia’s future Personal Data Protection Authority in creating a one-stop notification model to enable effective data breach incident management and notification.

Study of Cybersecurity Laws and Regulations

In the modern digital era, cybersecurity has become a crucial field due to the increase in cyberthreats and assaults, which pose serious hazards to people, businesses, and countries. To meet these changing difficulties, a wide range of national and international cybersecurity rules and regulations have been developed. This research paper explores a thorough analysis of these laws and regulations. The first section of the report gives an overview of the state of cybersecurity throughout the world, emphasising how frequently and how sophisticatedly cyber-attacks are becoming. After that, it takes a close look at the laws that control cybersecurity in both the public and private domains. The paper addresses the jurisdictional issues that emerge in the globally interconnected realm of cyberspace and investigates the fundamental ideas that support cybersecurity legislation, such as data protection, breach notification, and responsibility. Additionally, the study paper examines important cybersecurity laws from across the globe, such as the Cybersecurity Information Sharing Act of the United States, the California Consumer Privacy Act, and the General Data Protection Regulation (GDPR) of the European Union (CISA). The efficacy of these measures in protecting confidential data and reducing cyber risks is assessed.

Cybersecurity compliance in financial institutions: A comparative analysis of global standards and regulations

Cybersecurity is a critical concern for financial institutions worldwide, given the increasing frequency and sophistication of cyberattacks. This paper conducts a comparative analysis of global standards and regulations governing cybersecurity compliance in financial institutions. By examining the regulatory frameworks of key jurisdictions, including the United States, the European Union, and Asia-Pacific countries, this study aims to identify common trends, differences, and best practices in cybersecurity compliance. The analysis begins by outlining the regulatory landscape for cybersecurity in financial institutions, highlighting the key objectives and principles underlying these regulations. It then compares the regulatory frameworks of different regions, focusing on areas such as data protection, incident response, and risk management. By examining the specific requirements and guidelines set forth by each jurisdiction, this study identifies the strengths and weaknesses of current cybersecurity regulations and offers recommendations for enhancing compliance and resilience. One of the key findings of this study is the increasing convergence of global cybersecurity standards, driven by the interconnected nature of the financial sector and the need for harmonized regulatory approaches. While differences in regulatory frameworks still exist, particularly in areas such as data protection and breach notification, there is a growing recognition of the need for international cooperation and information sharing to combat cyber threats effectively. The study also highlights the challenges faced by financial institutions in achieving cybersecurity compliance, including resource constraints, evolving cyber threats, and the complexity of regulatory requirements. It underscores the importance of implementing robust cybersecurity measures, such as encryption, multi-factor authentication, and regular security audits, to mitigate these challenges. In conclusion, this comparative analysis provides valuable insights into the global landscape of cybersecurity compliance in financial institutions. By identifying common trends and best practices, this study aims to assist policymakers, regulators, and financial institutions in enhancing their cybersecurity posture and effectively addressing the evolving cyber threat landscape.

POTENTIAL CONFLICTS IN PERSONAL DATA PROTECTION UNDER CURRENT LEGISLATION IN VIETNAM COMPARED WITH EUROPEAN GENERAL DATA PROTECTION REGULATION

Background: Transatlantic data transfers are a critical component of the global digital economy, facilitating commerce and communication among countries worldwide. However, these transfers have been fraught with legal and regulatory challenges, particularly concerning protecting personal data due to the lack of a comprehensive global privacy law. Methods: This comparative, descriptive study exploits secondary resources by comparing and contrasting the principles of the European General Data Protection Regulation and the new Decree on personal data protection in Vietnam to provide deep insights into the differences between them. Results and Conclusions: Although the Decree takes advantage of many of the European General Data Protection Regulation's principles, i.e., the rights of data subjects, consent requirements, and the need for impact assessments, it has its provisions specific to the Vietnamese context, such as the absence of "legitimate interests" as a legal basis for processing and the unique enforcement mechanisms. Despite many similarities, the specific requirements around consent, data subject rights, breach notification, extraterritorial data transfers, and enforcement mechanisms might result in conflicts among these legislative documents. The Decree, which would become more effective, shall rely on its enforcement mechanisms and the ability to impose meaningful sanctions for non-compliance; thus, it should incorporate a more detailed sanctions regime to deter violations effectively.

Blockchain based general data protection regulation compliant data breach detection system

Context Data breaches caused by insiders are on the rise, both in terms of frequency and financial impact on organizations. Insider threat originates from within the targeted organization and users with authorized access to an organization’s network, applications, or databases commit insider attacks. Motivation Insider attacks are difficult to detect because an attacker with administrator capabilities can change logs and login records to destroy the evidence of the attack. Moreover, when such a harmful insider attack goes undetected for months, it can do a lot of damage. Such data breaches may significantly impact the affected data owner’s life. Developing a system for rapidly detecting data breaches is still critical and challenging. General Data Protection Regulation (GDPR) has defined the procedures and policies to mitigate the problems of data protection. Therefore, under the GDPR implementation, the data controller must notify the data protection authority when a data breach has occurred. Problem Statement Existing data breach detection mechanisms rely on a reliable third party. Because of the presence of a third party, such systems are not trustworthy, transparent, secure, immutable, and GDPR-compliant. Contributions To overcome these issues, this study proposed a GDPR-compliant data breach detection system by leveraging the benefits of blockchain technology. Smart contracts are written in Solidity and deployed on a local Ethereum test network to implement the solution. The proposed system can generate alert notifications against every data breach. Results We tested and deployed our proposed system, and the findings indicate that it can accomplish the insider threat mitigation objective. Furthermore, the GDPR compliance analysis of our system was also evaluated to make sure that it complies with the GDPR principles (such as right to be forgotten, access control, conditions for consent, and breach notifications). The conducted analysis has confirmed that the proposed system offers capabilities to comply with the GDPR from an application standpoint.

HHS Office for Civil Rights opens investigation into UnitedHealthcareGroup cyberattack

Last week, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) issued a “Dear Colleague” letter addressing the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealthcare Group (UHG), and many other health care entities. The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health care industry. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which require that HIPAA covered entities – virtually all health care providers, clearinghouses, and insurance companies – protect the privacy and security of protected health information. The likelihood that substance use disorder (SUD) treatment information was included in the breach is very likely. However, OCR does not mention 42 CFR Part 2, just HIPAA. HHS views ransomware and hacking as the “primary cyber threats in health care.” There has been a 256% increase in large breaches involving hacking, and a 264% increase in ransomware, over the last 5 years, and this only includes those breaches OCR was notified of. $22 million was reportedly paid to the Change Healthcare hackers, in the form of bitcoin, likely from UHG, according to news reports. HHS OCR says: “If you believe that your or another person's health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.” The one bright side of the new Part 2 rules are that OCR now enforces the regulation.

Data breach disclosures and stock price crash risk: Evidence from data breach notification laws

Exploiting the staggered adoption of data breach notification (DBN) laws, which obligate firms to disclose data breaches when they occur, as an exogenous shock to data breach disclosures, we find that the adoption of these laws leads to higher future stock price crash risk. The positive relation between DBN laws and crash risk is more pronounced for firms with weaker corporate governance, higher financial constraints, and higher information asymmetry. Our findings suggest that investors' concerns about the consequences of data breaches and the vulnerability of breached firms' data security heighten stock price crash risk.

The unintended cost of data breach notification laws: Evidence from managerial bad news hoarding

AbstractWe investigate how nonfinancial disclosure laws exacerbate agency issues in firms. Our analysis focuses on the staggered adoption of state‐level notification laws that require firms to disclose data breaches. Our findings reveal that the introduction of these laws increases the risk of stock price crashes. Managers appear motivated to accumulate unfavorable news in an effort to prevent market overreactions associated with the mandatory disclosure of data breaches. Cross‐sectional analyses also reveal that the impact is stronger when managers have a greater incentive, or greater ability, to hoard information. Our results highlight that nonfinancial disclosures can have unintended consequences for firm information asymmetries and potentially adverse market impacts in cases where the regulation is unable to consider all stakeholders.

European Union ∙ Security of Processing and Data Breach Notification: New Guidance in View of Decisions in the One-Stop-Shop Procedure

European Union ∙ Security of Processing and Data Breach Notification: New Guidance in View of Decisions in the One-Stop-Shop Procedure

Balancing AI innovation with data protection: A closer look at the EU AI Act

In this paper the authors explore the intricate relationship between artificial intelligence (AI) innovation and data protection within the framework of the EU AI Act.1 This groundbreaking legislation addresses the challenges posed by the rapid advancement of AI to safeguarding individual privacy rights. The paper analyses the EU AI Act's provisions, including in-scope entities, extraterritorial applicability, AI system classification, permitted usage and breach notification. It delves into the protection of individuals' fundamental rights, transparency and consent mechanisms. Ultimately, the study underscores the EU AI Act's significance in shaping responsible AI development amid evolving data protection concerns.

Do US State Breach Notification Laws Decrease Firm Data Breaches?

Abstract From 2003 to 2018, all 50 states and the District of Columbia enacted breach notification laws (BNLs) mandating that firms suffering data breaches provide timely notification to affected persons and others about breach incidents and mitigation responses. BNLs were supposed to decrease data breaches and develop a market for data privacy where firms could strike their preferred balance between data security quality and cost. We find no systemic evidence for either supposition. Results from two-way difference-in-difference analyses indicate no decrease in data breach incident counts or magnitudes after BNLs are enacted. Results also indicate no longer-term decrease in data misuse after breaches. These non-effects appear to be precisely estimated nulls that persist for different firms, time-periods, data-breach types, and BNL types. Apparently inconsistent notification standards and inadequate information dissemination to the public may explain BNL ineffectiveness. An alternative federal regime may address these shortcomings and let a national BNL achieve goals state BNLs have apparently failed to meet.

LAC and OPI advise FTC to protect privacy rights of people with SUDs

In an August 8 letter to the Federal Trade Commission (FTC), the Legal Action Center (LAC) and the Opioid Policy Institute (OPI) urged the agency to clarify and strengthen its proposal to modernize the Health Breach Notification Rule (HBNR). The proposal by the FTC, published in the Federal Register on June 9 (https://www.federalregister.gov/documents/2023/06/09/2023‐12148/health‐breach‐notification‐rule), does not adequately cover substance use disorders (SUDs), but rather refers to categories and silos like “physical health” and “mental health.” This leaves interventions for SUDs — and drug use itself — in a “regulatory and policy blind spot,” according to the letter, a copy of which was obtained by ADAW.

The GDPR’s Rules on Data Breaches: Analysing Their Rationales and Effects

The General Data Protection Regulation (GDPR) requires an organisation that suffers a data breach to notify the competent Data Protection Authority. The organisation must also inform the relevant individuals, when a data breach threatens their rights and freedoms. This paper focuses on the following question: given the goals of the GDPR’s data breach notification obligation, what are its strengths and weaknesses? We identify six goals of, or rationales for, the GDPR`s data breach notification obligation, and we assess the obligation in the light of those goals. We refer to insights from information security and economics, and present them in a reader-friendly way for lawyers. Our main conclusion is that the GDPR’s data breach rules are likely to contribute to the goals. For instance, the data breach notification obligation can nudge organisations towards better security; such an obligation enables regulators to perform their duties; and such an obligation improves transparency and accountability. However, the paper also warns that we should not have unrealistic expectations of the possibilities for people to protect their interests after a data breach notice. Likewise, we should not have high expectations of people switching to other service providers after receiving a data breach notification. Lastly, the paper calls for Data Protection Authorities to publish more information about reported data breaches. Such information can help to analyse security threats.

Data Privacy Regulations in Ghana: A Guide to GDPR Compliance for Businesses

The protection of personal data is a top priority for both individuals and organizations in the modern digital world. In the Ghanaian context, strict data privacy laws are essential to protecting citizens' rights and privacy. The legal foundation for these restrictions is the 1992 constitution of Ghana and Data Protection Act, specifically the Data Protection Act, 2012 (Act 843), which establishes the guidelines for legitimate data processing, the responsibilities of data controllers and processors, and the rights of data subjects. Compliance with local laws, however, may not be sufficient for enterprises operating on a worldwide scale or in international marketplaces as a result of the fact that globalization and digitalization cut across national boundaries. This article delves into Ghana's complex data privacy landscape, illuminating key points and providing suggestions for how businesses can improve their data protection practices by adhering to internationally recognized data protection standards like the General Data Protection Regulation (GDPR) of the European Union. Understanding the fundamental principles of Ghana's Data Protection Act, the scope and applicability of GDPR in Ghana, the importance of data mapping and inventory, the function of Data Protection Impact Assessments (DPIAs), consent and the rights of data subjects, data security and breach notification, and the potential sanctions for non-compliance are some of the key areas of focus. Readers can obtain a profound awareness of Ghana's data privacy landscape and the procedures necessary to successfully align with national and international data protection regulations by navigating this in-depth exploration. Businesses that prioritize compliance with data protection regulations in Ghana are better positioned not only to meet legal requirements but also to foster trust, drive innovation, and contribute to the nation's digital advancement on the global stage. In an ever-evolving digital world where data privacy is paramount.

Breach Notification in the General Data Protection Regulation

Breach Notification in the General Data Protection Regulation

Observing 2021–22 data breach decisions of the Irish Data Protection Commission

The Irish Data Protection Commission (DPC) regulates many of the top global technology companies and as such its decisions have a significant impact on the companies and on the many users of their platforms. This article examines a number of recent data breach decisions of the DPC and finds them forensic, focused, reasoned and formulaic in approach. The decisions deal with key General Data Protection Regulation (GDPR) provisions, notably on requirements for data breach notification and communication with data subjects. In a change of strategy earlier this year, the DPC no longer offers guidance to controllers dealing with a breach, as was its previous practice. Decisions such as these are likely to help fill that vacuum.

Googling Patients

Googling Patients

Do data breach notification laws reduce medical identity theft? Evidence from consumer complaints data

AbstractAs the number of data breaches in the United States grows each year, cybersecurity has become an increasingly important policy area. The primary mechanism for regulating and deterring data breaches is the “data breach notification law.” Every US state now has such a law that mandates that certain organizations disclose data breaches to their data subjects. Despite the popularity of these laws, there is relatively little evidence about their effectiveness at deterring breaches, and therefore reducing identity theft. Using medical identity theft panel data collected from the Consumer Financial Protection Bureau, this study implements an augmented synthetic control approach to analyze the effect of California's 2016 data breach notification standards on medical identity theft. This approach suggests that medical identity theft reports in California were reduced by 3.5 reports/100,000 people.

Health advertising on Facebook: Privacy and policy considerations

SummaryIn this study, we analyzed health-advertising tactics of digital medicine companies (n = 5) to evaluate varying types of cross-site-tracking middleware (n = 32) used to extract health information from users. More specifically, we examine how browsing data can be exchanged between digital medicine companies and Facebook for advertising and lead generation and advertising purposes. Our analysis focused on companies offering services to patient advocates in the cancer community who frequently engage on social media. We co-produced this study with public cancer advocates leading or participating in breast cancer groups on Facebook.Following our analysis, we raise policy questions about what constitutes a health privacy breach based on existing federal laws such as the Health Breach Notification Rule and The HIPAA Privacy Rule. We discuss how these common marketing practices enable surveillance and targeting of medical ads to vulnerable patient populations without consent.