“When the press come knocking” - Breach notification under the GDPR

Tim Anderson – Global Portfolio Director, Cyber Threat Detection & Response

Breach notification under the GDPR - CIPS - Leading global … Speaker... · 2018-03-27



NCC Group – Cyber Defence Operations

Breach notification – why?

“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons.”

Breach notification – definitions

“A personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Breach notification – when?

Where a personal data breach results in, or is likely to result in, a risk to people’s rights and freedoms.

“So if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.” Elizabeth Denham - Information Commissioner

Breach notification – who needs to notify?

Data processors must report personal data breaches to data controllers without delay after becoming aware of them.

Data controllers must inform the supervising authority of any breach resulting in, or likely to result in, “a risk to the rights & freedoms of individuals”.

Breach notification – document all breaches

A breach register must be maintained by data controllers.

Breach notification – how long do I have?

Without undue delay and, where feasible, no later than 72 hours after the breach is discovered.

Breach notification – notification process

When notifying the supervising authority, organisations must include the following information:

1. The nature of the personal data breach including, where possible:

a) the categories & approximate number of individuals concerned

b) the categories & approximate number of personal data records concerned

2. The name & contact details of the data protection officer or other contact point where more information can be obtained

3. A description of the likely consequences of the personal data breach

4. A description of the measures taken, or proposed to be taken, to deal with the personal data breach &, where appropriate, of the measures taken to mitigate any possible adverse effects

Breach notification – individual notification process

Where the breach results in, or may result in, a “high risk to the rights and freedoms of individuals”, those concerned must be notified without undue delay.

Breach notification – individual notification process

Notification to the individual needs to be in clear and plain language & must include all of the above, except:

1. The nature of the personal data breach including, where possible:

a) the categories & approximate number of individuals concerned

b) the categories & approximate number of personal data records concerned

Breaches are big news

The media is hungry because the public is interested…

…the public is interested because the media are hungry

Breach notification – don’t panic

Don’t panic…

Prepare…

Plan…

Breach notification – don’t panic

• Incident management & crisis communications policy

• Form a crisis management team

Breach notification – communicate with your customers

• Communicate in a clear and transparent way

• State the facts only

• Steer away from the temptation to offer comforting statements that may not be based on facts

• State that the investigation is ongoing in line with your breach investigation procedures & say that you will offer updates as the investigation continues

Breach notification – communicate with your customers

• Produce a landing page with an FAQ on the incident

• Cancel social media marketing campaigns & advertising that may be deemed inappropriate following the breach

• Consider whether further support such as dedicated email & call centres may be required in order to engage proactively with your customers & clients

Breach notification – communicate with your customers

If the investigation involves law enforcement, take advice from your legal team and consult with police before making a statement!

Communicate with your customers

Consider social media

Breach notification – the press

Understand that the media may well pick up on the breach notification. Be ready:

• Draft a suitable statement for the media, simplify technical terminology & ensure it is correct

• Any communication to staff should be similar in content to what has been released to clients & customers, as it may be leaked

• Fully brief the CEO or spokesperson as they may be called to give a statement

Breach notification – A good example

Breach notification – next steps & conclusions

• Ensure you have the right procedures in place to detect, report and investigate a personal data breach

• Ensure that incident management policy and procedures are in place

• Follow the process and document the steps you take

Breach notification – important!

Failure to carry out breach notification in the correct manner may result in a fine of €10M or 2% of revenue, whichever is greater.

Breach notification – next steps & conclusions

• Experts on hand - Incident Response specialists on retainer to deal with the 72 hours

• Stay ahead of threats - Threat Detection Solutions, Compromise Assessments, Threat Hunting, Penetration Testing

• Don’t wait: get prepared now and fire-test your plans

Some good resources

ICO – Myth Busting: https://iconewsblog.org.uk/

ICO – What to expect & when: http://bit.ly/1WLTFY0

NCC Group Blog: http://bit.ly/2eJu58m

“The secret of life is honesty & fair dealing. If you can fake that, you've got it made.”

Groucho Marx


Contact

Tim Anderson, Global Portfolio Lead - Cyber Threat Detection & Response
[email protected]

To request a copy of the slides: [email protected]

Stephen Bailey, Head of Privacy Practice
[email protected]

Office Locations

Europe: Manchester - Head Office, Basingstoke, Belgium, Cheltenham, Denmark, Edinburgh, Germany, Glasgow, Leatherhead, Leeds, Lithuania, London, Luxembourg, Milton Keynes, Slough, Spain, Sweden, Switzerland, The Netherlands

North America: Atlanta, GA; Austin, TX; Campbell, CA; Chicago, IL; Kitchener, ON; New York, NY; San Francisco, CA; Seattle, WA; Sunnyvale, CA; Toronto, ON

Asia-Pacific: Sydney

Middle East: Dubai