GDPR, the 72-hour breach notification and what you need to know
The time of the EU GDPR is fast approaching with the deadline for readiness a little over a year away on 25th March 2018. And of course along with that deadline comes the much talked about 72-Hour Breach Notification Rule. The long and short of that rule? Once a breach has been detected, organizations have 72 hours in which to carry out an investigation, and to then let the regulator know what’s happened, whether PII has been affected, and what the containment plan is. It’s a big ask, right?
What’s more, GDPR also requires that much information also be provided about the breach as well. With the average time to actually detect a breach coming in around 200 days, you will need fast access to much historical data. If you are going to provide a thorough report of the breach that complies with the rule of the GDPR and avoid some heavy fines, you’ll need some serious tech. That’s where ZoneFox comes in.
What is required of the EU GDPR when it comes to breaches?
The EU GDPR requires that you disclose any personal data breaches to your supervisory authority (SA) within 72 hours of detection. It is not so much a matter of simply giving the SA a heads up and going on your way, though. When it comes to breach reporting, you need to provide the nature of the personal data breach as follows:
● Categories and approximate number of individuals concerned – who are these users, what role do they play in your organization (customers, business partners, etc.)?
● Categories and approximate number of personal data records concerned – what type of data was stolen (ie: customer credit card info), and how much?
● The name and contact details of the data protection officer – does your organization have a data protection officer? If not, you need to designate another point of contact that can provide more information.
● A description of the likely consequences of the personal data breach – What could come of this breach? Identity theft and further account compromise are examples here.
● Mitigation or remediation efforts – Describe what has been done, or what will be done to mitigate the personal data breach. If necessary, what will you do to reduce the potential impacts of this breach?
Luckily, this level of detail is not required for every breach – only personal data breaches that could potentially violate the rights and freedoms of your users – but gathering that much information within 72 hours can be pretty daunting. Complete visibility of data and its related interactions will be paramount when attempting to accurately report a personal data breach to the EU GDPR standard. Luckily, we’re here to help.
How can ZoneFox help with timely breach notification?
Here is a summary of the key capabilities of ZoneFox, in relation to reporting breaches within 72 hours for the GDPR:
● Find out fast: Rules engine and Augmented Intelligence (AI) machine learning provide timely alerts
● Prepare your breach notification: Complete forensic record of all data access stretching back a year (or more, as required) helps understand where the breach originated
● Complete a report to the relevant supervisory authority (ICO in the UK): ZoneFox Cases and Standard Reports showing exact details of data access (including dates and times), method of access, frequency of access, destination of data (cloud, removable device, etc)
Discover more on how ZoneFox can support your compliance.
In order for an organisation to have an efficient personal data breach notification process, they will need visibility of data and all any transactions performed on said data. Whether in a database, on an endpoint, or anywhere else, you need to be able to track data flow from start to finish. And let’s not forget machines which are not connected to your network! You need to be able to analyze what users have done with systems while they are not connected to your network, should a data breach stem from activities performed whilst connected off-site. ZoneFox is always monitoring your assets, whether it is a user, system, or data, which makes this type of reporting possible.
ZoneFox leverages 3 ‘pillars’: the forensic record, the rules engine, and the machine learning capability. These elements work in parallel to provide a complete breach detection and incident response worthy of the GDPR. First, the rules engine and AI allow you to detect a potential breach whether it is something that was potentially predictable (rules engine) or the unpredictable breach (AI). Examining the forensic record of data transactions will help analysts detect potential data breaches and gather information about the breach. Identifying a potential breach rapidly and accurately significantly reduces the scope (and therefore cost) of a breach investigation.
If a breach has occurred, ZoneFox’s simple-to-use search capability gives you instant access to the activities of a user’s account and a complete record of data access. You can also easily see who accessed data and when, and what happened to it. A single search can tell you roughly how many users are affected, and how much data has been affected. Understanding those two factors provides insight into likely consequences and helps formulate a remediation plan to be communicated as part of the notification. Understanding categories and number of users and data affected can be the hardest part of GDPR breach reporting, as mitigation strategies and consequences should already exist from threat risk assessments and incident response planning.
As mentioned earlier, it can take approximately 200 days to detect a breach, which means there will likely be a lot of data surrounding the breach. Trying to collect sufficient information to make a complete breach notification 200 days after the fact within the 72 hours disclosure limit is unrealistic unless you are pre-prepared. Alerts fired by ZoneFox’s AI and rules engine can drive down the time to discover a breach, however, thereby protecting customers and making breach reporting far more efficient. ZoneFox drives down the time to discover a breach and therefore the size and scope of a notification. The overall benefit: less hassle and fuss.
What happens if we don’t comply?
What happens if breach notifications are late or incomplete? Well, the fines are set at a maximum of 20 million Euros, or 4% of your global turnover (whichever is larger), so it’s best to have the mechanisms in place to help you perform timely, detailed personal data breach notification. That’s a lot of money, but fiscal penalties are really just the tip of the iceberg.
Your organization’s reputation is on the line, when it comes to the security of your users’ data. There are very few companies out there that are big enough to keep operating without major disruption after a data breach has occurred. Sure, we’ve seen data breaches pertaining to large organizations from the .com era, but not all companies will be able to recover the way the titans do. Taking steps toward keeping your users’ data safe – and monitoring it well enough to provide accurate breach reporting should such an unholy event occur – truly is paramount. Reputation aside, even, there is always someone who is willing to step up and perform where your organization didn’t, so above and beyond your reputation, you can lose a lot of valuable business to competitors in the same field.
In summation, there is a lot on the line when it comes down to the EU GDPR breach notification laws. You need to ensure that you are, confirming, analyzing, and reporting personal data breaches within that 72-hour limit post breach notification. The odds are stacked against us when it’s a race against the clock, but with ZoneFox on your side, accurate, detailed breach notification within 72 hours is possible. Let us help you plan out your GDPR breach reporting strategy.
+44 (0) 845 388 4999