[BreachExchange] If Your Business Experienced a Data Breach, Is It Prepared?

[Destry Winant]

https://www.business2community.com/cybersecurity/if-your-business-experienced-a-data-breach-is-it-prepared-02213381

One of the core principles of the GDPR is that businesses must be
prepped and ready to execute the requisite notifications in the event
of a breach of personal data.

Firstly, the relevant bodies must be notified within 72 hours of
discovering the breach. This requires that your Data Protection
Officer (DPO) or person responsible for data protection, knows who to
notify and how to do it.

Remember, that while the GDPR applies across the EU, there are data
privacy bodies in each member state and you need to know who to notify
and how. It is best to have this information on hand as part of your
incident management plan, than to be scrambling for contact details
when the pressure is on.

In the event of an incident involving customer data, the business must
be able to notify all affected parties in a short time period, with
the appropriate information. This could mean sending a message to each
of your customers.

Email is the best notification channel for large volumes and detailed content

Email is a highly efficient channel through which to execute your
notification plan, especially if you are notifying thousands of
individuals. Email is also best when the information is detailed and
too lengthy to include in a text message.

If you don’t have customer email addresses on record, you need to run
a data gathering campaign, explaining why you are asking for email
addresses and that this information will only be used for the purpose
of incident notification. There will be no time to do this during an
incident management process.

Develop a template that meets good practice guidelines for email and
is tested across common devices. This reduces the time required to
complete the campaign set up. You must be able to insert the critical
information into the template quickly.

Make sure the email platform you use can provide reports of time sent,
successful/ unsuccessful delivery, open rates – to prove that you
executed the notification plan appropriately.

Creating an incident / breach notification plan

To get this right, it’s imperative to have a notification plan
prepared that is agreed between all parties – marketing, IT,
compliance and legal. Your notification plan should include the
following:

1. A schedule of events – have a time plan that details each step of
the notification process, with the aim of getting the notifications
out within the required time. This schedule must involve any third
party processors that you will need to help execute your plan.
2. An up-to-date list of participants – make sure it’s quite clear as
to who is doing what. For example, consider who is responsible for
sending the notification – does it sit with marketing or compliance?
And who manages the plan?
3. A set of email templates – you need to develop a set of incident
notification templates and have them immediately accessible, in order
to insert the critical information. These templates must be pre-tested
across devices.
Ability to select/segment recipients – you will need to compile and
possibly segment your customer list. You must have access to email
addresses and first names to personalize (who wants a crisis message
that says “Dear valued customer”?)
4. Budget – have a pre-approved budget assigned, so you can expedite
your plan – you don’t want to go through budget requests and approvals
when the clock is ticking. If a third party is involved in your
notification plan, ensure that you have the budget to cover their
fees.
5. Ability to send millions of messages and quickly – you cannot go
from sending zero emails on a platform to sending millions. Your
incident notification needs to be sent via a server that distributes
high volumes consistently, so that a large distribution will not look
like spam and result in deliverability issues.
6. Appropriate technical setup – The email platform must be correctly
configured to deliver on your behalf – the correct SPF and DKIM
settings, etc.
7. Reporting – getting the right information back is crucial to show
evidence of your notification process. The reports you receive need to
show that the messages were sent within the time-frame, which were
delivered and that you made every effort to get a message to the
affected party – including repeat attempts to deliver to addresses
that failed the first time.

Don’t leave your notification process to chance – rather have it well
mapped out, with time frames and elements, such as templates and
budget, on standby.