Breach response: How do we reconcile international incident and breach reporting requirements?
The exponential increase in the number of cybersecurity threats has led to privacy and security executives acknowledging the need for reconciliation of incident and breach reporting requirements.
However, any cross-border harmonisation faces significant challenges. For example, there is no consistency in the timeframes within which incidents must be reported, ranging from 24 hours to several days and even months. Under the UK GDPR and EU GDPR, the controller must notify regulators of personal data breaches not later than 72 hours after having become aware of it. In Brazil, this is two working days from the date of receiving knowledge of the incident. In Bangladesh there is no mandatory requirement to report data breaches to any individual or regulatory body. Multinational organisations are understandably struggling to align on a global approach which complies with all the rules in place.
Even within borders it is difficult. In the US, there is significant disparity: state-level regulators implement their own rules, and more than 12 federal agencies regulate different cyber incident and breach reporting requirements, each potentially taking a different approach. To add to the confusion, there is a lack of clarity as to what a "reportable" offence is, as well as ambiguity in phrases such as "suspicious activity" and "cyber incident". This makes it challenging for the industry to understand the requirements and, accordingly, to ensure compliance with them.
As a result, executives have been calling for those responsible for drafting incident and breach reporting rules to standardise them across borders. The US seems to be leading the charge. The Department of Homeland Security ("DHS") in the US has convened a council with the express purpose of harmonising rules. Robert Silvers, DHS's undersecretary for strategy, policy and plans, who chairs the council, has spoken of the need to work with foreign governments to ensure alignment on reporting requirements. The US has also recently implemented a unified approach to reporting for certain industries. In 2022, the Cyber Incident Reporting for Critical Infrastructure Act ("CIRCIA") was enacted; it directs the Cybersecurity and Infrastructure Security Agency ("CISA") to create a national set of incident reporting standards with which US critical infrastructure sectors must comply (including, amongst others, the energy, financial services, emergency services, healthcare and public sector, defence and communications sectors). The reporting standards require entities within those sectors to inform CISA if a cyber incident occurs, within 72 hours from the time the entity reasonably believes the incident occurred.