Tackling GDPR Challenge #3: The 72-Hour Notification Requirement
The fourth installment of our Top 5 GDPR Challenges series offers tips for complying with the GDPR’s strict data breach notification requirements.
Welcome to the fourth installment of our series on the top 5 GDPR challenges. This post addresses the third challenge in our list: the newly imposed 72-hour notification rule. While the GDPR doesn’t take effect until May of next year, some industries – such as the New York financial services industry – already have similar cybersecurity requirements that include a 72-hour breach notification clause. It seems that this 72-hour window is becoming the new standard for breach notification requirements across many regulations; businesses should prepare for this, even if only internally for now, in the event it becomes more commonly adopted.
The GDPR, rather succinctly, states:
The high-level challenge here is twofold. First, material breaches now require disclosure. While the previous Data Protection Directive was relatively weak on the notion of any sort of notification, the GDPR tightens that up substantially. Second, the GDPR also adds a time constraint by requiring that notifications be made within a 72-hour window from discovery of a qualifying breach.
Taking this requirement deeper, organizations face 5 key challenges to ensure they stay within GDPR data breach notification bounds:
- Quick turnaround: The time constraint that previous regulations lacked is the most significant challenge businesses will face, as 72 hours is not a tremendous amount of time to perform what amounts to an entire crisis management response. In a smaller business, the key stakeholders may all be in the same building, but in a larger business there may be resources throughout the globe, all in different time zones. This logistical hurdle alone can burn 4, 6, maybe even 8 hours of that 72-hour clock. Given the public nature of the response, review cycles on any communication take time too. What is the turnaround time for a standard press release in your business?
- Unknown scope: Now that you know you have less than 3 days from discovery of the breach to notify the proper authorities, further complicating the process is the likelihood that you won’t have the full story. The scope of a breach increases over time; organizations learn more about incidents as investigations widen, but with only 72 hours, the time for this incident discovery is limited.
- Uncertainties of containment: Without knowing the full scope, it stands to reason that the extent of containment is also unknown. It is possible that the attack window is still open and data is still leaving the business.
- Uncertainties of mitigation: Until you know the full details of the incident, you cannot say that the threat has been eliminated. It is possible that the attacker, whether internal or external, has multiple methods to gain access and extract data, and could be leveraging these alternate channels.
- Resiliency and future prevention: These challenges also mean the infosec team could be guessing at best to make any procedural or technical changes to address the breach and prevent future, similar incidents. While some immediate and obvious changes may be required, the full solution cannot be formulated without more data.
If anything, a benefit of this section of the GDPR is that businesses are now on a level playing field for notifications and organizations have less ability to hide breaches from the public. Let’s now move on to how businesses can best prepare for this notification requirement.
As with many of the GDPR provisions, the people element is a critical first step. To have a well-thought-out response in 72 hours you need to have both technical and non-technical people on the team.
The technical team members can include the incident response manager, security analysts, threat researchers, and any others who can dig into what happened, how, what was impacted, who was responsible, and what data leaked. On the non-technical side, you may require members of HR, compliance, public affairs/PR, or legal to coordinate what gets communicated and how. A few titles can live on either side, depending on the company, including the CIO, CSO, CISO, and even CEO or other executives.
Moving on to process, here is the plan – and by that I mean an incident response (IR) plan. The incident response plan should be documented in advance and include, from a high level, the following:
- Detection & Reporting
- Triage & Analysis
- Containment & Neutralization
- Post-Incident Activity
An IR plan should also be tested and updated on a regular basis to identify gaps and to address shifts in the business, market, etc.
The next two process items shown above, data minimization and data lifecycle management, may not address the 72-hour rule in the moment, but can help reduce the likelihood and severity of an incident such that either the breach doesn’t happen, is deemed “immaterial” and not subject to the notification, or the scope is reduced from what it would have been otherwise.
Finally, technology. What are the tools needed to streamline the notification process?
- Detection – There are many options here: intrusion prevention/detection logs, AV logs, firewall logs, and DLP logs each provide resources to aid in detection.
- Containment – Quarantine suspicious endpoints and trace incidents from introduction to detection to understand their scope.
- Neutralization – Sometimes a full rebuild of a machine is needed to fully eradicate a threat, but the tools mentioned above can also help isolate where mitigation efforts should be focused. Our IR team understands that attackers have a breadth of tools, tactics, and procedures to get in and hide.
- Forensics – You need a way to trace the attacker’s path and understand how they got in, where they got in, where they went, and what they touched. Forensics can also be used for internal data risks. Investigative modules track a user’s detailed actions and can help provide the story of how an insider, too, may have been part of a GDPR violation.
The notification requirement puts a tremendous burden upon organizations, forcing them to provide details when the answers may not yet be known. The better prepared a business is, with the right team in place, the right processes established, and a well-stocked security toolkit, the easier the notification process will be, though it will still require a coordinated cross-functional effort.
To learn more about the other top GDPR challenges and the steps required to address them ahead of the May 2018 GDPR deadline, watch our webinar on demand.
Read more in our Top GDPR Challenges series
- The Top 5 GDPR Challenges: Accelerating your Path to Compliance
- Tackling GDPR Challenge #1: EU Residents are The New Data Owner
- Tackling GDPR Challenge #2: Treat Others’ Data as You Would Your Own
- Tackling GDPR Challenge #3: The 72-Hour Notification Requirement
- Tackling GDPR Challenge #4: Privacy by Design and Default
- Tackling GDPR Challenge #5: The Data Protection Officer – Is There an Officer, Problem?