Twitter has been fined 450,000 euros in Ireland for failure to notify authorities of a data breach within 72 hours – blaming the holiday season for its delay.
One of the key issues concerning the commission’s decision to fine Twitter is whether the organisation complied with its obligation to report the breach within 72 hours.
The area of contention is the length of time it took from the security vulnerability first being disclosed to a third party, to being reviewed by Twitter’s in-house security team, and then a breach notification report being submitted to the Data Protection Commission.
Uncertainty around Twitter’s reporting of the facts surrounding the discovery of the vulnerability and notification of the breach meant that the commission was not able to ascertain whether the tech giant had complied with its obligations. The investigator was of the initial understanding that Twitter had become aware of the breach on the 26th December 2018, eight days prior to a breach notification being submitted.
This case highlights the need for organisations to have well-rehearsed incident response procedures in place, and to include third parties in such plans.
As part of its response to the investigation, Twitter claimed that the ‘Winter holiday schedule’ impacted the time that it took to review the vulnerability and establish its impact. As we head into another holiday season, organisations must remember that information security and data compliance do not take a break for Christmas, even if they do.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides experts' comments, analysis and opinion on the latest information security news and topics.