72 hours before you have to put your hand up
Under the GDPR, data breaches must be reported to the Information Commissioner’s Office (ICO) within three days of discovery, which means effective response plans have to be in place before the inevitable happens.
Possibly the most demanding aspect of the GDPR is the requirement to notify the ICO of data breaches within 72 hours of discovery. That’s just three days to find out what has gone wrong, secure the evidence, develop statements for the ICO and the media, and start the damage limitation exercise.
Communicating with the media
For many organisations, the statement to the media is a major challenge and a key reason why a rehearsed response process is so important. The ability to communicate effectively with the media and with data subjects once the notification has been made is crucial.
“Notification has potential for brand damage, which is one thing you are trying to limit by protecting your sensitive data,” says Mark Taylor, managing consultant at NTT Security. “Organisations have to be much better prepared to make appropriate and effective statements at that point in time.”
Now that data breaches are a fact of life rather than a once-in-a-blue-moon catastrophe, it is imperative to set up robust processes and systems to ensure the 72-hour deadline is met and, conversely, that false alarms do not trigger a press statement that could damage the company’s reputation unnecessarily.
Effective data breach response
An effective data breach response plan will have two main elements, Taylor says: “There are two aspects - the incident response part, which is the internal organisation, and key stakeholders driving the business through a difficult circumstance.”
The incident response team will consist of technical experts from within the company and from outside, including forensic data and network analysts, legal people, human resources and the press and PR team. The executive stakeholders will include the Data Protection Officer (which should be a board-level position), senior IT managers and others.
“The team should be appointed by role rather than name, and ensure executives senior enough to make the necessary decisions are available,” Taylor says. “The challenge, especially for global corporations, is when the callout comes just as executives are away sailing and their sat phone has died.” It is important to remember that the 72 hours is all you have got even if the alarm rings on Friday afternoon just as everyone is going home for the weekend.
When a breach is discovered, the team must hit the ground running.
“The incident response part is inherently required by the incident management team to provide the expertise to trace through the organisation’s processes to gather and protect information that relates to it, to brief the member of the incident management team responsible for reporting to the ICO or the media on what has happened, what information has been lost or exposed, how many records, how it affects the data subjects that is inherently required for notification,” Taylor explains.
It is a complex and difficult task, so it is essential to test the plans with suitable exercises. “We have held dummy runs of incident response procedures and it is amazing how soon many of them fall apart in the first few hours,” he says.
Reporting a breach
One of the most important decisions that has to be made as soon as possible is whether the breach needs to be reported at all, according to Robert Bickmore, principal security consultant at NTT Security.
“It is essential to understand what data you have, who has access to it and what controls are in place to protect it, to enable you to make a judgement on whether you need to notify the relevant Supervisory Authority (in the UK this is the ICO) and potentially the data subjects or if you can deal with it internally and improve the controls as appropriate,” he says.
“The legislation is, by design, quite high level, which can lead to uncertainty on things like ‘appropriate’ levels of security. A risk-based approach is needed and will require industry standards, specialist expertise and case law to make clearer,” Bickmore explains.
Luckily, the ICO is taking a pragmatic approach in the absence of judicial decisions for guidance.
“The Information Commissioner, Elizabeth Denham, recently made it clear that the 72-hour notification period only applies in cases where the breach is likely to have a damaging effect on the data subjects’ rights and freedoms, so if a laptop has gone missing but it is completely encrypted so there is no chance data could be recovered, you don’t need to notify. She is not expecting to receive thousands of incident-related phone calls,” Bickmore says.
NTT Security is the specialised security company of NTT Group. Our services are delivered via three pillars: Strategic Consulting, Managed Security, and Technical Consulting and we’re here to support clients looking to embed security into digital transformation projects and to mature their business resilience.