You’ve just discovered a breach that exposes your global customers’ personal information. It’s after May 25, so you are required to report the breach within 72 hours to comply with the EU’s General Data Protection Regulation (GDPR). The clock is ticking. Do you know the process for reporting the breach to the EU regulators? To your customers or the general public? No? Well, you’re not alone.
The 2nd GDPR Organisational Readiness report released in March from the Centre for Information Policy Leadership and AvePoint shows that breach notification readiness among global organizations varies widely. While 70 percent of the respondents have internal reporting procedures in place and 66 percent have an incident response plan, few (31 percent) have conducted a dry run of a breach scenario or have retained a PR firm (22 percent).
“You’re not going to have time to do a lot of legal research in a cyber crisis, especially if your systems are locked up by a ransomware attack,” says Michael Bahar, global co-lead of the cybersecurity and data privacy practice at Eversheds Sutherland. As increasing numbers of U.S. and global jurisdictions bring new or revised breach legislation and regulations online, research will only become more time-consuming, complex, and stressful—and time is of the essence during a breach.
Creating a master breach notification plan now that includes the mandated reporting steps for every relevant regulation will reduce the stress. Here’s advice for putting that plan together:
Collaborate with stakeholders and in-house experts
IT alone is not in a position to have all the knowledge needed to execute on even the most refined notification plans. Instead, “the lawyers, the security officers, crisis communication specialists and IT professionals all need to be lashed together at the hip,” Bahar said. “It takes their combined expertise and judgment.”
Bahar even suggests that your organization’s legal team might have to take a leadership role in the notification process. “The potential litigation and regulatory stakes are so high, not to mention the public relations and reputational stakes, so the lawyers need to be heavily involved,” he says. The legal team can help work out what is said and how it is said to best meet requirements and minimize risk—and they don’t need to be wasting time conducting time-sensitive legal research.
Many regulations require public disclosure of the breach, whether that’s to customers, shareholders, partners, and so on. This is where marketing and public relations teams can help with that communication. Here again, collaboration with the legal team is important. “What’s critical is that PR or crisis communications can’t be given carte blanche authority to release anything public facing without having a legal review,” says Bahar.
“By the same token, some lawyers don’t write in the way that’s going to be most comprehensible to the public, so the partnership between IT, crisis comms, security, and lawyers is again so critical,” Bahar adds.
Identify all the breach reporting rules that apply to you
This might be the most difficult part of putting a notification plan together. Soon, all 50 states will have privacy regulations, according to Bahar. Add to that any rules required by regulatory bodies and foreign countries in which you do business. Your organization’s legal team should be tracking all the regulations it is subject to.
Tools like the BreachLawWatch (a free download via the Apple App Store or Google Play) mobile app from Eversheds Sutherland can provide a quick overview of global data breach statutes and help inform you whom to notify, when to notify, and what needs to be in the notification. “However, what you say in that notification is crucial, and that comes down to judgment and experience,” says Bahar.
The questions you want to answer here are, “What do I say and how do I say it?” according to Bahar. You need answers for both the regulatory bodies and whomever the breach affects: customers, partners, or employees.
Even if some regulations have similar notification requirements, they might not apply equally to your situation. That often depends on how the regulations define core concepts. Both the New York Department of Financial Services and the GDPR require that a breach be reported within a specific amount of time. What you need to report might be different depending on what data was breached, Bahar notes, because they define personally identifiable information (PII) differently. “A solid breach notification plan will give you a sense of how to apply [the rules] to what you report,” he says.
To build or not to build notification templates
Creating notification templates where you can plug in data specific to the breach might seem like a time-saving idea, but it might not be practical. “There is no real check-the-box approach to notifications because the key questions of ‘do I need to notify,’ ‘when do I notify,’ ‘what do I say in that notification,’ are all momentous decisions,” says Bahar. “Those momentous decisions can take a bad day and make them tragic if they’re done incorrectly, or they can keep a bad day from turning tragic if they’re done right.”
However, Bahar does see some value in pre-scripting some notifications in advance. “The facts are really going to matter. The value in pre-scripting these notifications is in the team working together, knowing that no one should release any of these documents without having a legal review.” The process also gives the lawyers the opportunity to fully understand the technical aspects so that “they’re not wasting time when the clock is ticking trying to understand technical terms,” he says. “You can draft templates, but if you stick too closely to a template, you may also be making a mistake.
Expect the rules to change
The privacy debate, sparked by the Cambridge Analytica/Facebook scandal and high-profile breaches such as Equifax, is pressuring regulatory bodies and governments to put more regulations in place. Consider your breach notification plan a living document that needs to be updated on a regular basis.
“Cybersecurity has to be a continuous culture,” says Bahar, “not only because the threats evolve so rapidly, but the regulations also are evolving rapidly. “It’s not a one-and-done; it’s not a check-the-box exercise.” He stresses that collaboration with others who have a stake in following the relevant regulations is key.
Do a dry run
Breach notification needs to be part of any cybersecurity training, Bahar believes. “It’s like the military. You’re only going to fight as well as you train. If you’re not going to train, you’re not going to fight,” says Bahar. “In cybersecurity, it’s a fight.”
That training will help security, IT, and legal teams notice when a regulatory process, like notification, is out of date. “Continuous training is something that’s required of certain regimes, and it’s just a really good idea,” says Bahar.
A global regulatory strategy
Knowing all the notification rules—what to report and when—won’t be enough. You need to be savvy enough to understand the complexities and nuances that all the different statutes create. “Having a global regulatory strategy is critical,” says Bahar. “If you notify one, you may have to notify another even if you didn’t have to notify the other as a matter of course. No regulator wants to read about something in tomorrow’s paper that they may have purview over.”