Let’s evaluate one of the more prominent requirements of the GDPR: the mandatory 72-hour breach-notification requirement.
The GDPR Article 33 requires that, in the event of a personal data breach, the data controller – without undue delay and, where feasible, no later than 72 hours after becoming aware of it – notify the appropriate supervisory authority.
The GDPR applies across the 28 EU member states; in the UK alone, the data-privacy watchdog (and GDPR enforcer), the Information Commissioner’s Office (ICO), received 1,750 breach reports in June, up from 400 reported in each of March and April. This seems to be the climate in the post-GDPR era.
It is important to note, however, that the number of data-breach notifications the ICO received in June does not necessarily equate to the number of confirmed data breaches. A key takeaway from this statistic is that businesses are recognizing that under the GDPR, reporting a data breach within the stipulated time may result in a lower fine.
Are you equipped to handle the speed the GDPR requirement mandates? Fumbling through the breach notification process may be disastrous.
To minimize the impact of a personal data breach, organizations need a 72-hour incident-response plan, with a clear policy, consistent detection processes and explicit 72-hour reporting requirements in place and tested.
In Article 4 of the GDPR, a personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.
The GDPR relies heavily on a risk-based approach to determine the level of risk that triggers a personal data-breach notification. What one organization judges to be a risk to the rights and freedoms of individuals may differ from another’s judgment. When in doubt, report it.
- The standard for notification to supervisory authorities is when the personal data breach is likely to result in a “risk to the rights and freedoms of natural persons.”
- The standard for notification to data subjects is a personal data breach that is likely to result in a “high risk to the rights and freedoms of natural persons.”
Once a personal data breach is detected, an organization must be prepared to activate its incident-response plan with the goal of quick escalation and decision-making. The plan should have steps to identify the type of breach, who is on point, how to contain it, when and whom to notify, which entities to notify, what forensic actions to take, and how to manage the risk.
A good plan should further show key actions that may be necessary to contain and recover from the incident as you prepare to notify.
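As an added illustration (it is not code from the original post or its author), the tracker below shows how the two rules stated above can be enforced mechanically during an incident: the 72-hour clock starts when the controller becomes aware, the supervisory authority is notified on a "risk" finding, and data subjects are additionally notified on a "high risk" finding. The incident identifiers, timestamps and risk levels are constructed sample data; the risk level itself is the output of a human assessment, and the code only routes on it. It also refuses naive timestamps, since a clock that silently shifts across time zones is the easiest way to miss a deadline by a few hours.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

# Article 33: notify the supervisory authority no later than 72 hours after becoming aware.
NOTIFICATION_WINDOW = timedelta(hours=72)
ESCALATION_THRESHOLD = timedelta(hours=24)  # assumed internal policy: escalate with < 24h left


class Risk(Enum):
    """Outcome of the human risk assessment; the code only routes on it."""
    NONE = "none"  # not likely to result in a risk: document internally only
    RISK = "risk"  # "risk to the rights and freedoms": notify the supervisory authority
    HIGH = "high"  # "high risk": also notify the affected data subjects


@dataclass
class BreachIncident:
    incident_id: str
    aware_at: datetime  # when the controller became aware; must be timezone-aware
    risk: Risk
    authority_notified_at: Optional[datetime] = None
    subjects_notified_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        # A naive timestamp would silently shift the 72-hour clock across time zones.
        for ts in (self.aware_at, self.authority_notified_at, self.subjects_notified_at):
            if ts is not None and ts.tzinfo is None:
                raise ValueError(f"{self.incident_id}: timestamps must be timezone-aware")

    @property
    def deadline(self) -> datetime:
        return self.aware_at + NOTIFICATION_WINDOW

    def required(self) -> List[str]:
        """Who must be notified under the two-tier standard."""
        if self.risk is Risk.NONE:
            return []
        targets = ["authority"]
        if self.risk is Risk.HIGH:
            targets.append("data_subjects")
        return targets

    def outstanding(self) -> List[str]:
        done = {
            "authority": self.authority_notified_at is not None,
            "data_subjects": self.subjects_notified_at is not None,
        }
        return [t for t in self.required() if not done[t]]

    def authority_on_time(self) -> Optional[bool]:
        """True/False once the authority has been notified; None while still pending."""
        if self.authority_notified_at is None:
            return None
        return self.authority_notified_at <= self.deadline

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline - now) / timedelta(hours=1)

    def status(self, now: datetime) -> str:
        if not self.required():
            return "no-notification-required"
        if "authority" not in self.outstanding():
            return "authority-notified" if self.authority_on_time() else "authority-notified-late"
        if now > self.deadline:
            return "OVERDUE"
        if self.deadline - now <= ESCALATION_THRESHOLD:
            return "ESCALATE"
        return "open"


def triage(incidents: List[BreachIncident], now: datetime) -> Dict[str, dict]:
    """Summarize every open incident for the team leader's daily review."""
    return {
        inc.incident_id: {
            "status": inc.status(now),
            "outstanding": inc.outstanding(),
            "hours_remaining": round(inc.hours_remaining(now), 1),
        }
        for inc in incidents
    }


# Constructed sample data: a fixed "now" and five incidents at different stages.
NOW = datetime(2018, 7, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    BreachIncident("INC-001", datetime(2018, 7, 9, 9, 0, tzinfo=timezone.utc), Risk.RISK),   # 27h elapsed
    BreachIncident("INC-002", datetime(2018, 7, 8, 0, 0, tzinfo=timezone.utc), Risk.HIGH),   # 60h elapsed
    BreachIncident("INC-003", datetime(2018, 7, 6, 6, 0, tzinfo=timezone.utc), Risk.RISK),   # past the deadline
    BreachIncident("INC-004", datetime(2018, 7, 5, 8, 0, tzinfo=timezone.utc), Risk.HIGH,
                   authority_notified_at=datetime(2018, 7, 7, 10, 0, tzinfo=timezone.utc)),  # authority done, subjects pending
    BreachIncident("INC-005", datetime(2018, 7, 9, 9, 0, tzinfo=timezone.utc), Risk.NONE),
]

if __name__ == "__main__":
    for incident_id, summary in triage(SAMPLE_INCIDENTS, NOW).items():
        print(incident_id, summary)
```

Running the block prints one line per incident; the point to notice is INC-004, which is compliant toward the authority but still shows `data_subjects` outstanding, and INC-002, which is flagged for escalation with 12 hours left rather than waiting for the deadline to pass.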
The following eight-step incident-response strategy can help your organization build an effective 72-hour incident-response program for timely responses to a personal data breach as mandated by the GDPR:
1. Establish a formal incident-response plan and policy. An incident-response policy outlines the organization’s expectations around response to an incident. In a nutshell, it should clearly lay out who should respond to an incident, and where and how. Such a policy should include:
   - The composition of the incident-response team and member roles and responsibilities
   - An outline process to identify, analyze, contain, eradicate and recover from the incident
   - The level of risk tolerance and response priorities appropriate to the organization
   - A high-level communication plan to handle messaging related to incident management
2. Form an incident-response team, and identify the roles and responsibilities of team members. Since companies have staffs of differing sizes and skill sets, here are a few key roles to keep in mind:
   - A C-level leader on point to own and draft the policy and plan. These plans are often created by a CISO or CRO, with some participation from legal counsel. This leader further drives decision-making when dealing with an incident.
   - A team leader who drives and coordinates all incident-response activities and keeps the team focused on containing and recovering quickly.
   - A lead investigator who drives forensics and directs information-security analysts.
   - A communication lead: because communication plays a key role in incident management, a dedicated resource should lead the internal and external messaging.
   - HR/legal representation, because with any personal data breach it is essential to have legal and HR guidance and participation.
   - A backup resource for each role to cover absences or emergencies.
3. Develop a communication plan that outlines who is authorized to make decisions, who takes actions, what to communicate, and who communicates with whom: customers, authorities, law enforcement, insurance, media, etc.
   - Create the templates needed to meet data-breach reporting requirements. Publicly available templates online can give you an idea of what to include in your notifications.
   - Ensure that the plan considers incident severity, potential impact on employees and customers, and the appropriate level of messaging.
   - Communications of this nature should be conveyed only by those in charge of messaging.
4. Keep your personal data inventory up to date so you are able to isolate issues and respond to a breach effectively at the technical level.
5. Assess your attack-surface landscape for possible threats and implement the necessary incident-detection and incident-tracking capabilities.
   - Keep in mind that threats are ever evolving, and so is your attack surface.
   - Threats range from data theft to insider threats to network attacks.
   - Update your security posture to fit the current threat climate.
6. As important as it is to report a data breach to the authorities and impacted individuals, it is equally or more critical to contain, remediate and recover within a reasonable time.
   - The faster the incident is contained, the lower the cost, damage and disruption to the business.
   - Once the issue is isolated, it is time to execute a remediation plan while you launch a forensic analysis of the problem. Remediation may require restoring from backups.
   - Continue monitoring after remediation to ensure that the problem has been fully resolved and all threats have been removed.
7. To properly assess your organization’s readiness for an actual incident, ensure that the incident-response team is trained and that there is sufficient awareness within the organization of its role during a data breach. Train and practice the plan routinely, ideally on a quarterly basis.
8. Regularly audit your incident-response program, incorporate lessons learned and learn from past mistakes. Compile a detailed report of what happened and what corrective measures were taken to ensure that the same incident will not recur.
An incident-response program is a continuous process and not a “snapshot in time” and should be considered as an integral part of your information-security and business-continuity operations.
Now, ask yourself, “Are we ready?”
We have covered, and will continue to cover, data-privacy issues on our blog. You can also check out the GDPR resources page on our website.