“When the press come knocking” – Breach notification under the GDPR
Tim Anderson – Global Portfolio Director, Cyber Threat Detection & Response
Copyright
NCC Group – Cyber Defence Operations
Breach notification – why?
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons.”
Breach notification – definitions
“A personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Breach notification – when?
Where a personal data breach results in, or is likely to result in, a risk to people’s rights and freedoms.
“So if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.” Elizabeth Denham - Information Commissioner
Breach notification – who needs to notify?
Data processors must report personal data breaches to the data controller without undue delay after becoming aware of them.
Data controllers must notify the supervisory authority of any breach resulting in, or likely to result in, “a risk to the rights & freedoms of individuals”.
Breach notification – document all breaches
A breach register must be maintained by the data controller, recording every personal data breach (whether or not it was notified to the supervisory authority): the facts of the breach, its effects and the remedial action taken.
Breach notification – how long do I have?
Without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay.
Breach notification – notification process
When notifying the supervisory authority, organisations must include the following information:
1. The nature of the personal data breach including, where possible:
a) the categories & approximate number of individuals concerned
b) the categories & approximate number of personal data records concerned
2. The name & contact details of the data protection officer or other contact point where more information can be obtained
3. A description of the likely consequences of the personal data breach
4. A description of the measures taken, or proposed to be taken, to deal with the personal data breach &, where appropriate, of the measures taken to mitigate any possible adverse effects
Breach notification – individual notification process
Where the breach results in, or may result in, a “high risk to the rights and freedoms of individuals”, those concerned must be notified without undue delay.
Notification to the individual needs to be in clear and plain language. It must describe the nature of the personal data breach and include the contact point, the likely consequences and the measures taken, as above, but it need not give:
a) the categories & approximate number of individuals concerned
b) the categories & approximate number of personal data records concerned
Breaches are big news
The media is hungry because the public is interested…
…the public is interested because the media are hungry
Breach notification – don’t panic
Don’t panic…
Prepare…
Plan…
• Have an incident management & crisis communications policy
• Form a crisis management team
Breach notification – communicate with your customers
• Communicate in a clear and transparent way
• State the facts only
• Steer away from the temptation to offer comforting statements that may not be based on facts
• State that the investigation is ongoing in line with your breach investigation procedures & say that you will offer updates as your investigation continues
• Produce a landing page with an FAQ on the incident
• Cancel social media marketing campaigns & advertising that may be deemed inappropriate following the breach
• Consider whether further support such as dedicated email & call centres may be required in order to engage proactively with your customers & clients
If the investigation involves law enforcement, take advice from your legal team and consult the police before making a statement!
Consider social media
Breach notification – the press
Understand that the media may well pick up on the breach notification. Be ready:
• Draft a suitable statement for the media, simplify technical terminology & ensure it is correct
• Any communication to staff should be similar in content to what has been released to clients & customers, as it may be leaked
• Fully brief the CEO or spokesperson, as they may be called on to give a statement
Breach notification – A good example
Breach notification – next steps & conclusions
• Ensure you have the right procedures in place to detect, report and investigate a personal data breach
• Ensure that incident management policy and procedures are in place
• Follow the process and document the steps you take
Breach notification – important!
Failure to carry out breach notification in the correct manner may result in a fine of up to €10M or 2% of total worldwide annual turnover, whichever is higher.
Breach notification – next steps & conclusions
• Experts on hand - incident response specialists on retainer to deal with the 72-hour window
• Stay ahead of threats - threat detection solutions, compromise assessments, threat hunting, penetration testing
• Don’t wait: get prepared now and fire-test your plans
Some good resources
ICO – Myth Busting: https://iconewsblog.org.uk/
ICO – What to expect & when: http://bit.ly/1WLTFY0
NCC Group Blog: http://bit.ly/2eJu58m
“The secret of life is honesty & fair dealing. If you can fake that, you've got it made.” – Groucho Marx
Contact
Tim Anderson – Global Portfolio Lead, Cyber Threat Detection & Response
To request a copy of the slides: [email protected]
Stephen Bailey – Head of Privacy Practice
Office Locations
Europe: Manchester (Head Office), Basingstoke, Belgium, Cheltenham, Denmark, Edinburgh, Germany, Glasgow, Leatherhead, Leeds, Lithuania, London, Luxembourg, Milton Keynes, Slough, Spain, Sweden, Switzerland, The Netherlands
North America: Atlanta, GA; Austin, TX; Campbell, CA; Chicago, IL; Kitchener, ON; New York, NY; San Francisco, CA; Seattle, WA; Sunnyvale, CA; Toronto, ON
Asia-Pacific: Sydney
Middle East: Dubai