GDPR – Can you handle the 72-hour breach notification requirement?
Nearly every security professional knows that the European Union has unleashed a stringent new law called the General Data Protection Regulation (GDPR). Standing out among the many complex mandates within GDPR is the requirement (Article 33) that a Data Controller must notify the competent Data Protection Authority within 72 hours of becoming aware of a breach of individuals' personal data, unless the breach is unlikely to result in a risk to people's rights and freedoms. Data Processors have a matching duty: they must notify the Controller without undue delay after becoming aware of a breach, so that the Controller's 72-hour clock can start.
In the United States, similar personal data breach notification obligations gained considerable momentum back in 2003 when California Senate Bill No. 1386 took effect, and the concept spread rapidly until nearly every state had adopted a breach notification law of its own.
Think about all the damage done to people through stolen identities, credit card details, health records, and other personally identifiable information since 2012, caused by negligence, accidents, and break-ins at corporations and government organizations alike. When you think about that, then you, like me, are probably applauding that laws are finally coming into being that put our individual privacy rights and freedoms first, ahead of corporate interests.
So, let's take a look at how GDPR has shaken things up by placing a mandatory 72-hour deadline on reporting personal data breaches to the supervisory authority and, where a breach is likely to result in a high risk to individuals, by requiring that the data subjects (the individuals) be told without undue delay (Article 34). That's three (3) days, and the clock starts when you become aware of the breach. A few things that jump out are:
- How confident am I that my security incident actually resulted in a breach of personal data? Remember, a compromise of security is NOT automatically a personal data breach; you have to determine whether personal data was affected before you report. The flip side is that you cannot wait for certainty on every detail: GDPR lets you notify in phases and supply information as it becomes available, and if you do miss the 72 hours you must give the authority reasons for the delay.
- How can I pull together a complete forensics package, from root cause to lessons learned, that quickly? To document your remedial steps, you first need to know what happened. This is called forensics. Root cause analysis determines how the incident happened; the forensic work then extends to every area impacted by the incident, including any exfiltration of sensitive data, to the remedial steps taken to prevent recurrence, and finally to the lessons learned.
- Can my incident response process even move that quickly? It's 72 hours, not 72 business hours, so weekends and holidays count.
If you are like many businesses, then you are probably very concerned about the above. There is a light at the end of the tunnel, though, because there are basic steps you can take to improve your ability to detect, respond to, and remediate incidents. Catapult can help you with these through our Spyglass subscription service, where part of your subscription investment can include incident response planning, policy and process development, education, and assistance in testing your incident response plan (with table-top exercises). For now, let's focus on the reporting requirements of GDPR.
Who Must Report?
Although some business leaders may assume that they are not affected, Article 2 (material scope) and Article 3 (territorial scope) of GDPR leave no doubt that the reporting requirements apply not only to companies established in the EU but also to ANY company ANYWHERE that processes the personal data of data subjects in the EU in connection with offering them goods or services or monitoring their behaviour.
What to Report?
GDPR (Article 4(12)) defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". This broad definition was purposely designed to emphasize that the cause of a data breach is irrelevant: a breach is a breach, whether bad actors hack the servers, employees make a mistake that leaks personal data, or a disgruntled employee destroys or steals personal data. Any data loss due to unsecured backup processing or storage, or due to a virus or Trojan, is also considered a breach of personal data.
What Must the Notification Contain?
The minimum information required in a breach notification (Article 33(3)) comprises the nature of the personal data breach, including where possible the categories and approximate number of data subjects and of personal data records concerned; the name and contact details of the entity's Data Protection Officer or another contact point; a description of the likely consequences of the breach; and the measures taken or proposed by the Controller to address the breach and mitigate its possible adverse effects. Article 33(5) also requires the Controller to document any breach, its effects, and the remedial actions taken, so that the supervisory authority can verify compliance.
What Happens After the Report is Filed?
Many assume that reporting a breach to the authorities will immediately result in public disclosure. That is not what the obligation says: the text the author points to only states that the "supervisory authority shall keep a public register of the types of breaches notified", not a comprehensive public list of the companies that filed a report. Public awareness, where it happens, comes from the separate duty to communicate a high-risk breach to the affected data subjects.
How Should Companies Prepare?
To ensure compliance with the breach reporting requirement, you should create and implement structured processes that enable fast troubleshooting and root cause analysis and provide adequate means for controlling and reporting personal data breaches to the supervisory authority and, where required, to the data subjects:
- Set up a modern incident discovery and reporting function, designed to detect any unintended disclosure of personal (customer) data, together with a breach notification process that is triggered once a breach has been identified,
- Implement independent and periodic reviews of the company’s data protection, data security, and incident response processes,
- Continuously update all data protection, incident response, and security processes to keep them current, and
- Work with, rather than against, the Data Protection Authorities (DPAs, Supervisory Authorities) to establish clear lines of communication, so that you can notify and remedy any breach as swiftly and confidently as possible.
If you'd like to discuss GDPR or general incident response process improvement in more detail, or to learn more about Spyglass and how we can help you with compliance and security management (as a service), then LET'S TALK <—- this link goes right to scheduling time on my calendar.
Until next time…