72 Hours: How a Data Breach Response Plan Can Help You Meet the GDPR Notification Deadline
For companies that don’t have a data breach response plan yet, the task of achieving General Data Protection Regulation (GDPR) compliance might feel overwhelming. Article 33 of the regulation, which went into effect on May 25, 2018, sets a strict timeline for breach disclosure. It mandates that “the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.”
Companies have 72 hours — and the clock is ticking.
What does an organization need to do to report a data breach within this 72-hour window? Overwhelmed or not, enterprises must adapt to the reality of this tight deadline and have a plan in place to meet it in the event of data compromise.
Start the Timer: Your Data Breach Response Plan
According to GDPR, a data breach report should include a description of the nature of the incident, the number of records potentially compromised, the likely consequences of the breach and the organization’s plans for remediation.
Does this sound like a tall order? It’s worth noting that there’s some flexibility in the reporting requirement. Article 33 states that if a company misses the 72-hour deadline, it must include a valid reason for the delay when it does report the breach.
Of course, this isn’t a license to rest on your laurels.
“The key thing that the regulatory authorities will look for is transparency and accountability and that you can demonstrate that you have started your journey,” said Brian Honan, CEO of BH Consulting, in a May 2018 interview with Information Security Media Group.
Against the Clock: Strike a Balance Between Productivity and Data Security
Companies can no longer defend themselves against cyberthreats by relying solely on antivirus software and firewall protections — especially when it comes to securing customer data. This reality is why it’s critical to understand the data your organization holds and have a policy for managing it throughout its life cycle. Holding onto assets that no longer have value only puts companies at risk.
Companies can better secure their data by implementing breach detection technologies that identify anomalous patterns. These tools provide data visibility, including a timeline of the attack. Some tools also provide artificial intelligence (AI)-powered monitoring capabilities and insight into storage environments from the cloud.
Successful breach prevention requires a proper balance between enabling productivity and protecting assets. This is why it’s crucial to adopt a proactive security plan capable of adapting to today’s evolving threat landscape.
Time Flies: Monitor Users to Understand Insider Threats
Earlier this year, a healthcare savings institution suffered a data breach after an employee’s email account was compromised, according to Infosecurity Magazine. Two days after an unauthorized user accessed the account, the malicious activity was detected, the account was destroyed and a forensics firm launched an investigation. That’s almost record-breaking dwell time — and an indication that the company proactively monitors users to identify potential insider threats.
“Often, attacks like these target privileged users with access to sensitive or valuable systems or data,” said Sam Elliott, director of security product management at remote support company Bomgar. “While companies are aware of this, providing security around these types of users without limiting their ability to do their jobs effectively is difficult.”
One way to address the threat of malicious insiders is to clearly define privileged users and install controls that allow employees to only access what they need to perform their jobs. By monitoring user behavior, security teams can establish a pattern of regular activity and quickly raise red flags when anomalies occur.
Insider threats are often not malicious, but attackers frequently aim to compromise user credentials through social engineering tactics. The ability to recognize changes in user behaviors allows analysts to detect incidents and respond more quickly — reducing dwell time and minimizing the impact of a breach.
Beat the Clock: Develop and Implement an Incident Response Plan
Many companies will struggle to report incidents within the mandated 72-hour window. IBM recommends tapping the expertise of a computer security incident response team (CSIRT) to address challenges related to post-breach response and resilience. Also, security teams must establish and follow a comprehensive incident response plan designed to help the organization meet compliance in the aftermath of a breach.
The very process of developing an incident response plan will reveal weaknesses in existing security strategies. Once established, the plan should regularly be tested. This tactic will enable organizations to strengthen business continuity and disaster recovery operations to minimize the impact of a breach and the disruption that typically follows. More importantly, it will help them stay on the right side of GDPR compliance today and in the future.