[BreachExchange] Data Breach Digest: Planning for a data breach in a post-GDPR world

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 31 14:03:26 EDT 2017


http://www.securityinfowatch.com/article/12321456/data-breach-digest-planning-for-a-data-breach-in-a-post-gdpr-world

Since the European Union General Data Protection Regulation (GDPR) was
announced in April 2016, with full adoption taking place on May 25, 2018,
security and privacy experts have not stopped analyzing what the new
regulations mean for companies across the globe. And while numerous
industry leaders have outlined the changes coming down the pipeline –
including a new definition of “Personal Data Breach” and a 72-hour
notification requirement – there is still a sense of unease among security
professionals, particularly because the GDPR won’t just impact European
companies; U.S.-based companies with European customer data will be
impacted as well.

To help companies better understand the changes, I have outlined a
hypothetical breach response and highlighted some of the key areas that I
think companies may overlook as they plan to address data breaches
post-GDPR. Proactively keeping a pulse on the changes will ensure there are
no disruptions to a company’s international operations.

The Situation

Imagine that fictional “Company X,” a U.S.-headquartered, multinational
company, discovered a data breach exposing nearly a million records
containing personally identifiable information (PII) for customers in the
United States and Europe.

Prior to the GDPR going into effect, Company X’s response to the data
breach would primarily focus on notifying authorities and consumers in the
U.S. in accordance with applicable regulations and individual state laws.

However, when the GDPR goes into effect, Company X will have several other
factors to take into consideration that may impact their response plans,
including: standing up a multinational response team, engaging stakeholders
on a global scale, and coordinating international consumer notification and
support.

Coordinating a Multinational Response

Moving into 2018, a critical part of Company X’s data breach response
planning will be identifying and coordinating a multinational response team
that can be activated at a moment’s notice. This team of vendors – lawyers,
communications specialists, a data breach resolution provider and forensic
experts – can help Company X understand the local laws and customs, and can
serve as “boots-on-the-ground” to support the operationalization of
market-specific activations.

To ensure a smooth response, Company X should identify these partners prior
to a breach occurring – ideally during the data breach response planning
phase. Depending on the extent of the E.U. resident data they are
collecting, they may choose to set up a support team in each country of
operation or even a centralized response hub.

Stakeholder Engagement

The new 72-hour notification law may be one of the biggest hurdles Company
X encounters. It currently takes the average U.S. company 40 days to notify
consumers after discovering a breach. Having a multinational response team
coordinated in advance can be the difference between compliance with the
law and sizable fines.

Company X’s local legal partners should be able to provide guidance on
engaging with the appropriate data protection authorities (DPAs) and exactly
what information needs to be shared within the limited timeframe.

Reaching out to regulators early can also reduce scrutiny and can help
streamline the process. If possible, Company X should engage with
stakeholders throughout the year to build relationships and get an
understanding of the threats they are seeing.

Consumer Notification and Support

One of the biggest challenges Company X may face during a post-GDPR breach
is notifying consumers and setting up call centers in multiple languages.
Although there is currently no time limit for notifying consumers, once a
DPA has been notified, the breach will essentially become public. And
consider this: in many of these markets, people are not used to receiving
breach notifications, so it’s quite possible they will have more questions
and concerns than would arise with a standard breach in the U.S.

As laid out by the GDPR, consumer notification must be done “without undue
delay”; therefore, Company X will need to work with their data breach
resolution and communications partners in all affected countries to ensure
people receive notifications in the correct language, and are directed to a
call center that can answer their questions.

Company X should also determine whether they are going to offer identity
protection services to affected consumers. While not mandated by GDPR,
these services can help quell the fears of those impacted by the breach.
This decision will need to be made quickly, as information on the services
should be included in the initial breach notification letter.

As seen with Company X’s hypothetical scenario, preparation will be the key
to a successful data breach response in a post-GDPR environment. It is also
highly recommended that companies look beyond what they have previously
planned for and anticipate what hurdles might come their way in the future.
This will mean developing and practicing a response plan with multiple
scenarios to ensure the company is prepared in the event of a multinational
breach.

Given that the GDPR essentially creates a worldwide notification protocol,
it will be important for U.S. companies – such as Company X – to prepare in
advance for the new regulations and think beyond the mandated requirements.
Responding quickly and effectively, assisting affected consumers and
protecting a brand’s reputation are all equally important for any company
facing the reality of a data breach.