A Data Breach Response plan helps a business respond to breaches of information privacy and security. A well-designed and well-rehearsed plan minimises the financial and reputational damage that results from a breach incident. If the breach involves personal data, the financial damage can also extend to fines under the GDPR, the UK Data Protection Act, or whichever other privacy law applies.
The PwC Global Economic Crime and Fraud Survey states that 70% of businesses globally have not implemented a strategy for responding to a data breach. If you are one of the firms that have not implemented a Data Breach Response plan, read on!
Modern Data Privacy laws place obligations on companies controlling and processing Personal Data. For example, the General Data Protection Regulation (GDPR) (Articles 32-34) requires Data Controllers to notify the supervisory authority within 72 hours of becoming aware of a breach of personal data and, where the breach is likely to result in a high risk to individuals, to communicate it to the affected Data Subjects without undue delay. Data Processors must notify the affected Data Controllers without undue delay after becoming aware of a breach.
Modern Data Privacy Laws also impose an obligation of Data Minimisation.
The principle of “data minimisation” means that a data controller is required to limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose, and to retain the data only for as long as is necessary to fulfil that purpose. Minimisation is also a breach-limiting control: data you never collected, or have already deleted, cannot be exposed when a system is compromised.
What Constitutes a Data Breach?
The UK Data Protection Act and the EU GDPR define a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
This covers breaches with both accidental and deliberate causes. It also means that a breach is about more than losing personal data: unauthorised access, unauthorised alteration, and loss of availability (for example, personal data encrypted by ransomware with no usable backup) all qualify.
Thresholds requiring you to report a breach
There are two situations where a Company acting as Data Controller must notify third parties of a Personal Data breach. First, Data Controllers must notify the appropriate Supervisory Authority within 72 hours unless the breach is unlikely to result in a “risk to the rights and freedoms of natural persons”. Second, Data Controllers must also notify affected Data Subjects where the breach is likely to result in a “high risk to the rights and freedoms of natural persons”. Both decisions, and the reasoning behind them, should be documented even when the conclusion is that no notification is required.
When a Company acts as a Data Processor, it will have similar notification obligations to its Data Controllers.
Notification periods vary by jurisdiction. Under the GDPR, for example, notifiable breaches should be reported without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.
Section II of the Article 29 Working Party Guidelines on personal data breach notification gives more details of when a controller can be considered to have ‘become aware’ of a breach.
What information must a breach notification to the Regulator contain?
Many privacy laws leave the exact contents of a notification to regulator guidance. The UK GDPR (Article 33(3)), however, is explicit: when reporting a breach to the ICO you must provide:
- A description of the nature of the personal data breach including, where possible:
- the categories and approximate number of individuals concerned; and
- the categories and approximate number of personal data records concerned
- The name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects
Training and Testing Employees
Proper and adequate training of staff, including performing Breach Drills, is the first step in the prevention of Data Breaches.
The General Data Protection Regulation has no standalone “training” article, but Article 39(1)(b) makes awareness-raising and training of staff involved in processing a task of the Data Protection Officer, and Articles 29 and 32(4) require that anyone acting under the controller's or processor's authority processes personal data only on instructions. Together these make staff training an expected organisational measure for both Data Controllers and Data Processors. These are the topical areas to keep in mind when determining which training to provide and to whom:
- In order for companies acting as a data controller to meet their accountability requirements under the GDPR, they must be able to demonstrate that staff who are involved in the processing of personal data have been made aware of and understand the fundamental data protection principles found in GDPR Article 5
- As a data controller a Company must implement appropriate technical and organisational measures (TOMs) to ensure, and to be able to demonstrate, that its processing of personal data is performed in accordance with the GDPR. Staff training on GDPR compliance should refer to the TOMs in place at your Company
- Where a Company is acting as a data processor, it must train all relevant members of staff to make sure they understand the instructions and limitations that apply when the Company is processing personal data on behalf of a third party
- Companies should organise awareness-raising and training initiatives for staff members regardless of whether a Data Protection Officer (DPO) has been appointed, but where a Company does have a Data Protection Officer, he or she has a statutory duty to monitor compliance with the GDPR, including with respect to awareness-raising and the training of staff who are involved in processing operations
- Companies should also ensure that any appointed DPO has access to the specialised training he or she needs to develop or maintain legally required expertise with data protection laws and practices
Practical Steps to Take
- All employees and staff that handle personal data or, more generally, have access to personal data, should complete basic GDPR training as soon as possible
- More specialised and advanced training should be offered to those staff members who are engaged in specific data processing operations like the processing of “sensitive” or Special Categories of personal data
- Awareness-raising and training of staff should not be a one-off event, but should be offered on a regular basis, at least yearly, to take account of new developments in the Company’s data processing operations and the legal and regulatory landscape
Data Breach Protection
The General Data Protection Regulation (Articles 5 & 32) requires that Companies process Personal Data securely and according to adequate technical and organisational measures (TOMs). The level of security and the nature of the TOMs must be “appropriate to the risk” that the processing poses to “the rights and freedoms of natural persons”.
Companies are also required to ensure that any person acting under its authority, such as an employee, with access to Personal Data does not process the Personal Data except as instructed. This requirement will be important to keep in mind as you decide who within your Company should be trained on the TOMs and data protection more generally.
How do Businesses know they have a Breach Incident?
Typically, a business will learn that they have or are being breached in one of two ways:
- Internal Discovery – The breach is discovered because of an intrusion detection alert, malware alert, antivirus scan or during a periodic review of system and event logs
- External Discovery – A third party informs you of unusual or fraudulent activity involving your data:
- Your bank could inform you that you’ve been breached based on unusual or fraudulent banking activity
- A customer could complain to you because your website was the last place they used their card before they began seeing fraudulent charges
If you know or suspect you have a data breach, your first objective is to contain it, to prevent further information from being stolen. Contain in a way that preserves evidence: isolate affected systems rather than wiping and rebuilding them, and keep copies of the relevant logs, because the later risk assessment and the regulator's questions depend on knowing what was accessed and when. Note also that the 72-hour notification clock starts when you become aware of the breach, not when you finish investigating it. Once contained, you can start the analysis and implement additional measures to prevent a recurrence.
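The “Internal Discovery” route above includes the periodic review of system and event logs. The following is an added example (not code from the original article or from The Data Privacy Group) of what such a review can look like in practice: it scans SSH authentication log lines for the common sign of a compromised account, a burst of failed password attempts from one address followed by a successful login from the same address. The log lines are constructed for the example, the five-failure threshold and ten-minute window are assumptions, and the review timestamp is hypothetical; the point of the final function is that the GDPR 72-hour clock runs from the moment the review surfaces the finding, not from the attacker's login.

```python
import re
from collections import deque
from datetime import timedelta

# Constructed sample syslog-style sshd lines (not taken from a real system).
# 203.0.113.7 fails five times against "alice" and then gets in; the other
# entries are ordinary activity that must not be flagged.
SAMPLE_LOG = """\
2024-03-04T09:00:01+00:00 host1 sshd[4011]: Failed password for alice from 203.0.113.7 port 51122 ssh2
2024-03-04T09:00:04+00:00 host1 sshd[4011]: Failed password for alice from 203.0.113.7 port 51130 ssh2
2024-03-04T09:00:08+00:00 host1 sshd[4011]: Failed password for alice from 203.0.113.7 port 51141 ssh2
2024-03-04T09:00:11+00:00 host1 sshd[4011]: Failed password for alice from 203.0.113.7 port 51150 ssh2
2024-03-04T09:00:15+00:00 host1 sshd[4011]: Failed password for alice from 203.0.113.7 port 51162 ssh2
2024-03-04T09:00:19+00:00 host1 sshd[4011]: Accepted password for alice from 203.0.113.7 port 51170 ssh2
2024-03-04T09:05:00+00:00 host1 sshd[4020]: Failed password for bob from 198.51.100.4 port 40001 ssh2
2024-03-04T09:07:00+00:00 host1 sshd[4021]: Accepted password for bob from 198.51.100.4 port 40002 ssh2
2024-03-04T10:00:00+00:00 host1 sshd[4030]: Accepted publickey for carol from 192.0.2.9 port 33000 ssh2
"""

# Matches both "Failed password for alice from ..." and
# "Failed password for invalid user x from ..." (OpenSSH's wording for unknown accounts).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for lines we do not care about."""
    from datetime import datetime
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_suspicious_logins(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag every successful login from an IP that produced at least `threshold`
    failed password attempts within `window` before it. Threshold and window are
    assumed values; tune them to the environment."""
    recent_failures = {}  # ip -> deque of failure timestamps inside the window
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures.setdefault(ev["ip"], deque())
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif q:  # an Accepted login preceded by recent failures from the same IP
            if len(q) >= threshold:
                findings.append({
                    "ip": ev["ip"],
                    "user": ev["user"],
                    "failures": len(q),
                    "first_failure": q[0],
                    "login_at": ev["ts"],
                })
            q.clear()
    return findings


def notification_deadline(aware_at):
    """GDPR Article 33: the 72-hour clock runs from when the controller became
    aware. For internal discovery that is when the review surfaces the finding."""
    return aware_at + timedelta(hours=72)


if __name__ == "__main__":
    from datetime import datetime, timezone
    hits = find_suspicious_logins(SAMPLE_LOG)
    reviewed_at = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)  # hypothetical review time
    for h in hits:
        print(f"{h['ip']} -> {h['user']}: {h['failures']} failures since "
              f"{h['first_failure'].isoformat()}, login at {h['login_at'].isoformat()}")
    if hits:
        print("Regulator notification due by", notification_deadline(reviewed_at).isoformat())
```

Run against the sample it reports one finding (alice from 203.0.113.7) and a deadline of 72 hours after the review, more than a day after the actual login; that gap is why the plan should define who reviews which logs and how often, since a monthly review can mean the regulator learns of a breach weeks after it happened.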
Data Breach Response Planning
A strong, well-designed incident response process can dramatically reduce the damage caused to an organisation when disaster strikes.
There are seven reasons for you to have an incident response plan:
- Prepares you for the inevitable emergency — Data breaches don’t come with a warning, so it makes sense to be prepared.
- Makes your response repeatable and scalable across the business — Your Breach Team will be under legal timescales to respond and notify the regulator. A plan will drive the assessment, risk analysis and notification process in a repeatable manner.
- Improves coordination — In large firms, internal reporting and external messaging processes are often complex and time consuming. Including coordination and communications protocols in the plan will avoid messaging mistakes.
- Exposes gaps in your Technical and Organisational Measures (TOMs) — In mid-sized companies with limited staff or limited technical experience, creating an incident response plan will expose any obvious gaps in the TOMs, allowing them to be mitigated before an incident occurs.
- Institutionalises knowledge — A well-designed incident response plan will include protocols for ensuring lessons learned are not forgotten over time.
- Evergreen capability — An incident response plan creates clear, repeatable processes that can easily be updated as lessons are learned or legal requirements change. Your Breach Team will follow the plan, step by step, in every incident, improving coordination and effectiveness of response over time.
- Reduces an Organisation’s Liability — An incident response plan with clear documentation reduces an organisation’s liability by allowing you to demonstrate to regulators or supervisory authorities that the breach was handled correctly and within the allowable timescales.
Consideration should be given to operationalising your response plan within a Privacy platform. With the speed of change currently occurring in Data Privacy laws globally and extra-territorial nature of modern data privacy regulations, the cost and overhead of maintaining a paper-based plan soon becomes prohibitive while also increasing the likelihood of introducing unnecessary risk into your business.
To execute an incident response plan, you need an experienced, well drilled, response team. Such a team is often comprised of employees with other full-time roles. Since their participation in the Response Team is only required during an incident, it is important that they are regularly trained and tested.
How The Data Privacy Group can help
The Data Privacy Group is a premium OneTrust partner. Our team of experts are CIPP/E accredited and certified OneTrust Fellows of Privacy Technology.
We are experts in both the configuration of OneTrust’s Incident and Breach module and in leading Breach Teams to assess and manage the response to incidents and breaches. Our approach covers the three aspects of an incident:
- INTAKE & INVESTIGATE – Gather all the key metrics and context needed to understand the impact of an incident.
- ASSESS & NOTIFY – using Athena, OneTrust’s AI engine, auto-generate guidance and respond confidently with notification templates for 300+ jurisdictions.
- IMPROVE – automate Root Cause Analyses after every incident to reduce the chances of the same incident occurring again.
By deploying OneTrust Incident and Breach Management, the DPG helps you operationalise your Incident Response plan and alleviates the need to spend significant sums on external legal counsel. Our approach:
- Improves visibility into incidents:
- Intake incidents immediately through pre-built, configurable incident web forms or integrations to your existing SIEM/DLP, email provider, and ITSM tools.
- Allow business administrators to add incidents and capture key incident metrics up-front.
- Track breach response progress and notification deadlines with easy-to-use centralised dashboards.
- Eases the process of investigation
- Streamline incident response with rule-based automated workflows based on law, location, or severity.
- Gather all the context needed to understand the impact of an incident with a centralised record of the activity history, subtasks, and supporting documentation.
- Link incidents to your Data Map and vendor inventory to pull in key information, including, contractual obligations, data stored, and potential risks.
- Auto-generates guidance through multi-jurisdictional analysis
- React faster with initial breach assessment automation using OneTrust Data Guidance intelligence.
- Respond confidently with built-in breach notification assessment templates from 300+ jurisdictions.
- Leverage a single assessment that gathers all the necessary information for each jurisdictional requirement to inform the appropriate response strategy.
- Simplifies Incident and Breach Notifications
- Save time deciding what to put in applicable global notification reports with built-in templates.
- Streamline notification process with assigned owners, deadlines, and automated reminders.
- Find the right information faster with flexible reporting customisation and easy filtering.
- Mitigates Risks and Increases Compliance Readiness
- Demonstrate compliance, when necessary, with auto-generated, exportable audit trails.
- Automate Root Cause Analyses after every incident to identify down-stream mitigation tactics that reduce the chances of the same incident occurring again.
- Optimise your Incident Response program with KPI tracking and reporting dashboards.
Our on-going management services will ensure your breach response program remains evergreen by adjusting and updating the framework as your Company grows or as the law changes.
If you need help managing the breach, our Brand Data Emergency services can provide experts that have assisted many companies to assess and handle breaches in real time.
We can provide access to OneTrust Data Privacy training courses or test your Breach Team’s readiness through one of our complex tabletop breach drills.
Whatever your needs, we are here to help.