Let’s set the stage. It’s 5 pm at the end of a workday; you’re ready to clock off when all of a sudden you get a ping on your phone advising you of a potential security event… what next?
The first thing: do not panic. Ascertain what the event was about, and if there is evidence of a breach, act.
The GDPR data breach reporting timeline gives your organization 72 hours to report a data breach to the relevant supervisory authority.
This article will take you through the data breach reporting timeline, so your organization can be prepared when a disaster strikes.
What Is A Data Breach?
Data breaches occur when your organization’s information system is compromised; data is stolen or compromised. “Breach” in this sense is when attackers or bad actors exploit weaknesses, which are also known as vulnerabilities, of the information system.
The more common types of vulnerabilities that hackers will exploit are:
- Weak passwords
- Outdated systems
- Staff and personnel with low-security awareness
- Third-party software with weak security fundamentals
There are hundreds of ways an attacker can exploit an organization’s information system. Threat landscape analysis and vulnerability management are a great way to keep on top of industry-specific threats and detect and patch vulnerabilities before malicious actors discover them.
This article explains what to do when your organization finds itself in the thick of a data breach.
Data Breach Response Timeline
Article 33 of the GDPR outlines the legal requirements of breach notification. The full text can be found here.
This section will break down the article’s fundamental principles and how to proceed after a breach has been discovered.
The 72 Hour Rule
In article 33 of the GDPR, regulators have decided that data controllers and processors have a 72-hour window to report a data breach to the relevant authorities.
Note that the 72-hour window starts on discovering the breach and not when the breach occurred.
In some cases, your organization’s systems are breached by crafty hackers who often plan attacks months in advance. It means they will have already breached your information systems and are just waiting for an opportune moment to strike.
You will likely not notice until it is too late, and by then, they have gotten away with all your sensitive data. Your 72-hour window begins when you realize what has occurred.
Regulators are flexible with the 72-hour rule, so this is not a do-or-die scenario. But in the cases where the notification cannot be made within 72-hours article 33 of the GDPR states:
“Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
However, if you do not have a good reason, you will be made liable for non-compliance. You could face hefty fines, so ensure that you take all necessary steps during that 72-hour time frame to notify the authorities and develop a containment strategy.
What To Do Within 72 Hours
When you have discovered a breach, it is time to act fast. You won’t have a lot of time to get an incident response plan ready during a breach, so ensure you have one developed as part of your overall security strategy.
Check out this article on our blog on incident response planning. Essentially, within 72 hours, you will need to enact the response plan. But some GDPR specific actions will also need to be deployed.
In the coming sections, we will discuss some of those actions in greater detail.
Understand The Nature And Extent Of The Breach
The first step in the response timeline is to understand the nature and extent of the breach, starting with an analysis of all affected systems. It helps to have a data flow map. It will give you a visual aid and make life much easier when looking for data leaks.
Once you analyze the map and correlate it with the missing or stolen data, you will understand the severity of the breach.
The severity level will help you assess whether or not you will need to notify the relevant authorities. If attackers did not steal any personal data, or your organization did not lose any personal data, then a notification will not be required.
However, you must still take the necessary steps to stop the breach because a breach is still a breach. Your information system is compromised, and inaction could mean that the attacker gets deeper into the system and causes severe damage or even steals sensitive data.
Within the article, and as part of understanding the extent, you will need to provide the following to the supervisory authority:
- Describe the likely consequences of the data breach
- The categories of data that were breached, including any special categories
- The number of data subjects affected
Provide Measures That Will Be Taken To Mitigate Fallout
Once you understand the extent of the breach, you will need to develop a strategy of containment.
The containment strategy, extrapolated from the incident response plan, covers your organization’s preventative measures.
Somethings you will want to mention are:
- How will you contain the breach?
- What systems were affected?
- How will you isolate them?
- What eradication methods will you employ?
- What restorative measures will be employed to get the system up and running again?
These are the type of measures you will need to think about when contacting the supervisory authority.
Monitor & Log Access and Activity
Once a breach has occurred, you will need to watch your information system like a hawk. Keep a close eye on any unusual events. Implementing a Security Incident and Events Management (SIEM) solution can be a great benefit here.
Keep in mind that the SIEM must be calibrated to understand the information system’s inner workings. Meaning it is great to have one to help you detect a breach, not so good when you are in the midst of a breach.
However, you will still need to log all activity on the system. The IT department should have some form of tracking user access. This tracking will be critical. It can help detect inactive user accounts that suddenly become active (a good sign that an attacker has usurped them).
Other things that can indicate unauthorized access are:
- Duplicate accounts
- Accounts that have logged in during suspicious hours
- Accounts that do not correlate to any “real” user (i.e., a member of the organization)
- Unauthorized external devices (IoT devices or mobile devices)
Any activity you deem to be suspicious should be logged and mentioned in the forensic report, which we will discuss next.
Provide the Forensic Report
The final thing you must do within the 72 hours timeframe is to compile a forensic report. You will have to provide the forensics report to the supervisory authority as part of the notification process.
The report will aggregate all the previous information into a document used as evidence of actions taken to mitigate the breach’s effects. The kind of things you will want to include are:
- Source of the breach
- Mitigation actions
- The remedial process
- Business continuity plan
- Restoration measures
- Lessons Learned
The closer you can work with the supervisory authority, the better chance you will avoid penalties. Remember that data breaches do happen; it’s not a question of stopping them entirely; it’s a question of how you handle the crisis.
Who Should I Notify?
The next step in the notification process, which will also have to be part of the 72-hour time frame, is notifying all interested parties.
In this section, we will address who those parties are and the proper way to notify them.
The first entity you must notify is the supervisory authority, mentioned throughout this article and for a good reason. They will be your first and continuous point of contact throughout the entire breach process.
You are, after all, the victim of a crime, but it is a sensitive matter, literally. Even though hackers have committed the crime by breaching your system, you can still be liable if the incident procedures are mishandled and not executed correctly, according to the requirements of the GDPR.
The Equifax breach in 2017 was an excellent example of this. The breach was not the event that landed them in troubled waters; it was the way that Equifax handled it. Don’t let penalty fears stop your organization from doing the right thing; trying to brush it under the rug will do more damage to your reputation and your bottom line.
To conclude this subsection, don’t leave it too late. Notify the supervisory authority as soon as possible; it is your legal requirement.
Data Protection Officer (DPO)
If you have an in-house DPO or a DPOaas (as a service), you have a legal requirement to involve them in the breach notification process. Fundamentally, the Data protection officer is your go-to person for anything data protection-related.
And when things go wrong, they will be your Virgil guiding you through the data inferno.
However, there is nothing divine or comedic here; when disaster strikes you will need to contact the DPO as soon as the organization becomes aware of the breach.
You should be using your DPO as a liaison between you and the supervisory authority. Suppose you do not have a DPO because you are not legally obligated to hire a DPO; in that case, you will need to report to the supervisory authority yourself in the appropriate manner; discussed in a later section.
You will need to notify the data controller as soon as the breach is detected. If you are a data processor (which would be the case for most businesses), you will need to keep your data controller in the loop.
The incident network will then comprise:
- The supervisory authority
- The data controller
- The DPO
This is your action team. Notify the whole team immediately the breach is noticed. In the case of the supervisory authority, you will have up to 72hours). But for the DPO and data controller, the sooner they are onboard, the faster you can contain the threat.
The final entity to notify are the data subjects themselves. You will not have any legal obligation to inform them within the 72-hour timeframe, but some may argue that you have a moral obligation to notify them as soon as possible.
Immediately notify the data subjects directly affected by the breach advising them to take protective actions on an individual level (like changing passwords, etc.).
How Should I Notify?
The GDPR does not outline a specific method to notify the supervisory authority, e.g., via email or text.
However, the regulation does state which critical details it requires in the notification to the supervisory body, previously discussed throughout the article.
In your message to the supervisory authority, you must state:
- What kind, i.e., the categories of data that were stolen or lost
- The likely hood of the breach to cause severe damages to the natural person’s rights and freedom.
These are the two most vital pieces of information that you will need to communicate in your initial message to the supervisory authority.
The rest is more flexible. Keep an open communication channel with the authority so that you can feed them information as it comes.
Communication must remain open between all parties involved. Keeping stakeholders in the dark increases the risk to the data subject and exposes your information system to more significant harm.
A breach can happen to the best of us; even if we take the best security measures available, we can never fully mitigate the threat of a violation.
But in the moments where a breach does occur, we must remain calm and stick to the correct course of action.
The GDPR breach notification timeline is flexible to organizations that remain open and honest with the supervisory authorities.
Keep a level head and remember that your organization and your information system are victims of a crime.
But it is always best to remain prepared. Ensure your organization has the best security on the market. Get in contact with RSI security today, and let’s work together to get you GDPR compliant.