3 days is not a long time when the clock is ticking! And that is exactly how much time organisations are going to get when it comes to notifying the authorities of a suspected data breach that involves the personally identifiable information (PII) of EU citizens.
In the military they call it TCUP, thinking calmly under pressure, and the same applies to incident response (IR). For many organisations, the concept of IR is still relatively new, if indeed it exists at all! And even where it is part and parcel of the security policies and procedures, it can be little more than a document that gets dusted off in a looming crisis.
Having practised in the field of digital forensics and incident response (DFIR) for many years, we rarely find a victim of a cyber attack who has got the process nailed. Looking at it positively, this can often be attributed to the fact that it is something they have never encountered before. The reality is that because our consultants deal with these situations day in, day out, we very much do adhere to the TCUP principles.
Being prepared will be more critical than ever when GDPR takes full effect in May 2018. The potential fines suggest that any form of negligence or poor governance where data breaches are concerned is likely to prove extremely costly. And that's without factoring in the cost of legal representation to defend your position.
Foregenix recommends being incident ready, planning for what is now considered a near inevitability. Aside from a well-rehearsed process to follow in the event of a data compromise, having immediate access to those who really know what they are doing gives you a fighting chance of complying with the 72-hour window. Whilst not every breach will necessitate such a notification, this is more than likely going to be a call that needs to be made by those well qualified in these matters, rather than by crossing your fingers.
The Foregenix Canary First Responder service combines innovative technology with our reputation for DFIR to provide businesses with all the support they need to minimise the impact of a data breach that could fall under the scope of GDPR.
Lawyers must also consult the data breach laws of other countries if the breach affects individuals living outside the United States. The European Union has a patchwork of data breach notification laws that vary among member states, but this will change with the introduction of the General Data Protection Regulation in May 2018. This new regulation will harmonize data breach notification law across the EU and require that controllers suffering a breach notify the appropriate national supervisory authority within 72 hours of learning of the breach and affected individuals “without undue delay.” Countries outside the EU have laws of their own: Australia, for example, just passed a breach notification law last month.