[BreachExchange] Companies Have Until March to Comment on EDPB Data Breach Notification Guidelines

Destry Winant destry at riskbasedsecurity.com
Tue Feb 2 10:15:12 EST 2021


https://www.natlawreview.com/article/companies-have-until-march-to-comment-edpb-data-breach-notification-guidelines

Many supervisory authorities across Europe have reported increasing
numbers of data breach notifications since the introduction of the GDPR.
While most companies are now familiar with the 72-hour obligation on
controllers to report to supervisory authorities, whether that
obligation has actually been triggered continues to raise unique and
complex questions in each specific security event. To help companies
sort through these potential legal notification obligations in the
aftermath of a security event, the EDPB recently released draft
guidance, which is open for comment until 2 March 2021.

The guidelines are intended to supplement the October 2017 general
guidance issued by the Article 29 Working Party, the predecessor to
the EDPB. The guidelines walk through 18 examples covering the most
common security event scenarios, including ransomware attacks, data
exfiltration attacks, human error, lost or stolen devices and paper
documents, "mispostal," and social engineering such as identity theft
and email exfiltration. For each example scenario, the EDPB identifies
whether notification would be required to the relevant supervisory
authority, to the affected data subjects, or to both, and sets out
mitigation measures.

The guidelines also note several recommendations for data breach
management such as implementing plans, procedures and guidelines,
regular employee training, and documenting breaches in each and every
case, irrespective of the risk they pose.

Putting it Into Practice: Notification obligations are highly fact
specific and will depend on the circumstances of each unique event.
Organizations are reminded of the importance of data breach
preparedness. This includes activities such as preparing incident
response plans and playbooks, training staff on those plans,
simulating an event through a tabletop exercise, and reviewing cyber
insurance policies. The EDPB guidelines are open for public comment
until 2 March 2021, and feedback may be submitted to the EDPB during
the consultation period.


More information about the BreachExchange mailing list