Instilling company trust and confidence with data breach disclosures

Data breach. A bit of a taboo word in our industry. But they happen, a lot. They can be damaging for authorities, businesses and companies, both financially and reputation-wise.

A recent global digital trust insights survey by PWC cited that nearly a third of senior executive respondents unfortunately experienced a data breach, costing millions of pounds. However, on the upside, the report also stated that over three-quarters believed that mandatory full disclosure of cyber incidents can help gain stakeholder trust and confidence.

In addition, a global consumer trends study on how brands take a proactive stance to privacy management since the pandemic, backed this sentiment of trust. Nearly two-thirds of consumers said they would stop buying from companies and organisations who did not proactively report a data breach – because of distrust.

Trust is key both for consumers and companies worldwide. The onus is on businesses needing, and wanting, to ensure that personal data is protected from misuse, as well as respecting the rights of data subjects.

So much so, that it has become central to company culture and business practices to drive customer trust, according to this year’s data privacy study by Cisco. As a result of customers wanting more transparency, more and more companies are protecting consumer data and taking responsibility to treat such data ethically.

While another published report by Ketch and Magna cited that people feel more strongly about data privacy than any other ethical topic, such as sustainability or diversity.

Trust culture is real. It takes years to build, but seconds to lose. But how can companies and organisations navigate through a data breach, and still be seen as transparent and trustworthy?

In fact, data breach disclosure can be responsibly and favourably done. The idea is to be proactive, not knee-jerk reactive.

From a regulatory standpoint, the European Union and United Kingdom versions of the General Data Protection Regulation (GDPR) have instilled a duty on all organisations to report certain data breaches to the relevant supervisory authority or the Information Commissioner's Office (ICO), within 72 hours of the incident. In the UK, the ICO has created a mandatory breach reporting guide and tool to assist organisations in making such a report. However, here's where it gets more complicated: organisations processing in both the EU and UK must notify the relevant supervisory authority and the ICO.

This includes informing individuals whose rights and freedoms are at high risk; ensuring detection, investigation and internal report procedures are in place; and keeping a record of any personal data breaches, even if not all needs to be reported. The majority of companies across the country are clear on the checklist of preparing and responding to a data breach, as failing to do so can result in a hefty fine or two percent of its global turnover.

It’s worth noting that hiding a data breach not only has damaging consequences financially, but it can involve huge risks legally too.

In a recent landmark case in the United States, former chief security officer for Uber, Joe Sullivan, was found guilty of criminal obstruction, after it was ruled that he failed to report a major cyber security incident for over a year to US regulators in 2016, with defence lawyers arguing that these actions were taken to prevent exposure of user data.

Although data laws in the US differ to the UK, such a high-profile case has spotlighted and set the precedence of the importance on data privacy and transparency – not only in the US, but worldwide.

If a similar situation happened in the UK, this too would be considered a notifiable ‘personal data breach’, as examined by the Guardian. So, taboo as it may be, taking action for a data breach is the only trust-proof option.

To keep on top of data protection and privacy law news, go to our 5 Essential Data Protection Resources for more details.