Darron Gibbard of Qualys explores how GDPR is placing a spotlight on the importance of effective data breach reporting.
GDPR is nearly here. For all companies that have customers in Europe, putting new data privacy and security rules in place has been on the agenda for the last year. However, there are still some areas where there is a lack of clarity in the rules themselves. One of these areas is data breach reporting.
What are your obligations?
The General Data Protection Regulation provides a set of rules around data protection that covers all citizens living in countries within the 27 states in the European Union. However, these rules have to be put into law within each state. One challenge facing organisations today is the flexibility on how each country can interpret GDPR’s data breach notification requirements.
Under GDPR, any company that suffers a data breach will have to notify those affected by the theft of their data. However, the time period for notification varies between countries. On one hand, countries like the UK allow 72 hours between discovery of a breach and notification being sent to those affected and to the Information Commissioner’s Office. On the other, the Netherlands has put immediate data breach notification into place. There are many variations in between.
There are benefits to these decisions: for example, enforcing immediate notification can help data protection bodies in those countries of a problem as soon as possible, and help individuals by making them aware that their data may have been taken and they can then take steps to protect themselves. It can also reinforce how serious it is to protect against any potential data breach beforehand.
However, immediate notification does make it difficult for security teams to manage the breach response process when one does take place. Allowing a short period of time between discovery of the breach and public announcement should let the organisation discover the issue that led to the data breach and understand what really took place. This discovery phase should cover what information was taken or accessed without permission, the potential impact and how best to implement measures that will prevent a similar occurrence taking place again in the future. This communication can then be managed out to the business and to the public.
For IT operations teams that have to run internal security investigations, ensuring everyone is up to date within the business can be difficult. For organisations in countries with rules on immediate notification, collaboration with communications and public relations teams on informing the wider public will be another management task to juggle during a period when time is precious.
Security and communications
If you are responsible for running IT operations for an organisation that covers multiple countries within the EU, you will need to understand the rules for each EU member state where you have customers and how they are different. Based on this understanding, you can then ensure that your operational procedures are very clearly defined to meet the needs of each country.
By putting together a process guide that covers each country, you can see where there are similarities and where one set of policies can be applied; equally, you can spot where there are country-specific rules that have to be applied. Adopting a ‘lowest common denominator’ approach – where you work to the lowest amount of time rather than the most – can help bridge some of those gaps where they exist.
Once a data breach is discovered, there are several processes that will have to run in parallel. The first is the IT investigation to understand what the cause of the breach was, how much data is potentially affected, and how long the breach existed for. This may involve deep analysis of machine logs, network activity and software installations.
The second involves the legal notification and engagement with the relevant information commissioner that is the governing body for data privacy and security in the countries affected. Your legal team should run this process on your behalf. Most information commissioners have made it easy to report and manage this process – for example, in the UK, there is a breach notification template provided by the ICO that takes around fifteen minutes to complete in total.
Managing data breaches involves a combination of best practices around communication, collaboration and security.
The third is to plan ahead on how to communicate around a breach. Whether it is immediate or after 72 hours, your organisation will have to announce the breach publically and contact those customers whose data may have been affected. Having a concise, accurate and timely overview of the data breach as it stands can help prevent panic or poor customer responses. Moreover, it is important for all operations teams involved in this communication process to practice it regularly. Testing it at regular intervals should ensure that all the work in advance remains clear and easy to implement when carried out in the real world.
Forewarned is forearmed
Obviously, the best approach to data privacy is to focus on preventing breaches in the first place. This involves getting the basics right around security and data, from putting strong encryption and anonymisation processes in place through to improving security management processes. This can ensure that the risks are minimised.
Simple elements like timely patching can make a massive difference to protecting your organisation. One of the biggest issues in 2017 was WannaCry – however, patches from Microsoft were available more than a month before the vulnerability was attacked. Putting a strong patch management process in place can reduce the potential for vulnerabilities to be exploited, while more advanced threat intelligence services can understand and limit attack vectors.
Managing data breaches involves a combination of best practices around communication, collaboration and security. GDPR has provided a spotlight for security and data privacy across Europe, but now we have to ensure that this is implemented properly.