Mounting US data disasters show we're lucky to have GDPR

British flag behind a statue of Lady Justice
(Image credit: Getty Images)

In terms of real-world, material experiences, the General Data Protection Regulation (GDPR) introduced myriad irritations, completely overhauling the way we approach and work with data. Implementing its rules proved a nightmare for just about every department within a business, so much so that companies created new job roles for the sole purpose of dealing with the ensuing mess. For staff like you and I, too, we still have to undergo those arduous data protection refreshers every six months. Despite all of this, I have no doubt we’re truly blessed to have GDPR fighting our corner.

With the government locked in the process of overhauling the UK data protection landscape, including UK GDPR and the Data Protection Act (DPA) 2018, I implore ministers not to weaken the rules imposed on companies that suffer data breaches. With GDPR, it isn’t just our personal data that’s safeguarded more stringently. While that’s certainly an upshot, its real benefit lies in holding businesses we know, and trust, to account. The breach disclosure provision has become even more valuable in light of the repeated gross mishandling of cyber attacks across the pond.

When we first learned Miami-based customer services firm Sitel had been targeted by the LAPSUS$ group, Okta CEO Todd McKinnon, whose company and customers were affected as a result, bore the brunt of the backlash. LAPSUS$ revealed its successful campaign on 22 March, days after cyber security firm Mandiant sent its final forensics report to Sitel, which waited more than two months to go public.

With no incentive for the company to come clean about its catastrophic breach, Sitel put its own needs ahead of its customers, which are distributed across nearly every business vertical. The breach should have been made public on 21 January, the day it engaged Mandiant for outside help, and if the firm had to abide by GDPR, it would have had no choice but to do so within 72 hours.

I’m not being pedantic here. Disclosing breaches expeditiously, especially ones that affect customers and their personal data, is massively important for businesses looking to maintain a good reputation.

Letting customers know as soon as you can allows them to change passwords, make pre-emptive calls to their banks if payment information is leaked, even change phone numbers to prevent SIM swapping attacks, and allow them to maintain proper cyber hygiene. It’s maddeningly arrogant, and ignorant, of companies to deprive their customers of the opportunity to safeguard their digital identity and delaying breach disclosures for months does just this.

After four years of familiarising ourselves with GDPR, UK and EU businesses now have responsible disclosure down to a tee. I’ve previously spoken to a host of public relations experts discussing, in part, how irresponsible breach disclosure strategies can harm a business. Almost all of them lauded the case study of Norsk Hydro.

Norsk handled its 2019 breach impeccably. Its response will – or should – be the benchmark -setter for all companies worldwide. With full transparency and sincere apologies coming from every corner, plus the CEO’s personal phone number made available to all those who were affected, Norsk gained credit by facing its problems head-on, experts told IT Pro.

Indeed, Norsk Hydro could well write the data breach disclosure textbook. Despite the respect it garnered, it seems businesses, particularly in the US, are unwilling to emulate its success, unless legally obligated to. The infamous GoDaddy breach was another great example in how not to disclose a cyber security incident. Although a staggering 1.2 million customers were affected by the domain registrar’s breach, it didn’t stop the firm from doing the absolute minimum legally required following the incident.

Instead of owning up to the incident, it made a ‘public’ disclosure in the smallprint of an Securities and Exchange Commission (SEC) report that was substantially difficult to track, even for a seasoned journalist, let alone a member of the public. With each failed click digging me deeper into the SEC website, without a clue where to find this, I became increasingly frustrated but simultaneously relived things aren’t this bad in Blighty.

The cases of LAPSUS$ and GoDaddy aren’t isolated, and you can certainly add Geico, California Pizza Kitchen and Coinbase to a mounting list of US data disasters, some of which were disclosed months after the initial breaches took place. Ubiquiti, too, has been criticised for downplaying the severity of a data breach it revealed in January 2021. We all know, too, of the consequences of the infamous Equifax data breach.

The state of US data protection is genuinely pitiful, and it pains me every time I come to report on another US data disaster. We're so lucky, in the UK, to have been a part of the EU when we enshrined GDPR into domestic law. Now, though, that the government has overseen Brexit, it’s set its sights on overhauling UK data protection to favour less bureaucracy and “box-ticking”.

In its planned overhaul, the government claims it’ll aim to strengthen the protections already afforded to the public while making changes to ensure a more lucrative data economy can be pursued. Boris and his band of suits can do what they want with the UK data protection regime: twist it, turn, it, shake it up. The choice is theirs. My only ask is, whatever changes come about, please don’t do away with mandatory data breach disclosure, or the UK might soon come to emulate the catastrophes we’re becoming accustomed to across the pond.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.