Among the many changes GDPR will usher in, one of the biggest for many organisations will be mandatory breach reporting. From May 25, all organisations holding personal data about European Union residents must disclose a breach if it is “likely to result in risk to personal data”.
What’s more, organisations must report such breaches within 72 hours of discovering one. Reacting in such a short timeframe calls for a robust response plan. Unfortunately, experience to date suggests such plans tend to be conspicuously absent. The ISO 27001 Information Security Standard can help.
ISO 27001 can enable organisations to map an incident response plan that covers not just IT, but also people and processes. A good plan will cover the following steps:
Who implements the plan?
Incident response often falls solely – and unfairly – on the shoulders of the IT team. “It can’t just be the IT person’s job. It has to involve the whole business: this is a business risk and a business issue,” said Brian Honan. He added that GDPR applies to physical information, not just data on IT systems. Brian was speaking as part of a panel discussion on GDPR at the ISO 27001 Ireland event last week.
He recommended that a security response team should include representatives from information security, operations, HR, legal, PR, and facilities management. HR should be involved because if it’s an internal breach, the organisation may need to discipline a member of staff. Recovering from a breach often creates a fraught, high-pressure environment. HR can also play a role by helping to coach employees and manage their time. “Breaches don’t just happen between the hours of 9 and 5,” Brian said.
Involving a legal team is also important because organisations will probably need to deal with the appropriate data protection authority. “Speak the right language to the right people. You don’t want to open a can of worms by saying wrong thing to the regulator,” Brian said.
Sending the right message
Too often, organisations fall back on stock answers like “a sophisticated breach” when there’s little evidence to support the claim. Having PR expertise on the incident response team helps to ensure the organisation’s public statements are consistent, timely and truthful.
Brian also recommended including a representative from facilities management on the team. That’s particularly useful if a breach involved a break-in where CCTV cameras and physical security could prove vital.
“The key thing is, engage early with the business, find out what is important to them. Find out what you need to have in place. Establish relationships. Know who you need to contact in the regulator’s office or the supervisory office, find out what way you will contact them. And other relevant bodies you may need to contact. And think about what external expertise you may need. It’s important that you have those contact details already,” Brian said.
To make sure the response process is repeatable, Brian recommended documenting all policies and procedures. “Transparency is important… It’s very easy to get caught in heat of moment in a breach, but then afterwards, can you recall what happened?”
Data breach notification also brings suppliers under its umbrella since many organisations now outsource their data hosting to third parties. “If your data is in a data centre or with a hosting provider, do you have an agreement in place so that they will let you know if they have had a breach? That’s a new thing to worry about. You may have to report a breach because one of your suppliers has had a breach,” Brian said.
Alerting mechanisms are vital because they can provide the information a response team needs to react appropriately to a breach. The 72-hour reporting window means that you don’t need detailed forensic analysis to start with. That can happen at a later stage. Teams should identify tools or software they will need both to detect possible breaches and to manage the response process. Brian suggested using examples like last year’s Equifax breach as the scenario for a desktop exercise to practice breach response. “If your vulnerability scanner didn’t work, how would you act? Use it as a learning mechanism,” he said.
Staff training can also strengthen an organisation’s ability to spot potential breaches as well as responding to them. Brian referred to the Verizon Data Breach Investigations Report which found that many breaches come to light not via tools but through people noticing something strange. “The number one detection tool we have is our staff,” he said.
The last reason for implementing a breach response plan is simply reputation management. “It’s not that you’ve had a security breach that will damage your brand, it’s how well you respond,” Brian concluded.