Data Breach Digest: Planning for a data breach in a post-GDPR world by Michael Bruemmer
Since the European Union General Data Protection Regulation (GDPR) was announced in April 2016, with full adoption taking place on May 25, 2018, security and privacy experts have not stopped analyzing what the new regulations mean for companies across the globe. And while numerous industry leaders have outlined the changes coming down the pipeline - including a new definition of "Personal Data Breach" and a 72-hour notification requirement - there is still a sense of unease among security professionals, particularly because the GDPR won't just impact European companies; U.S.-based companies with European customer data will be impacted as well.
To help companies better understand the changes, I have outlined a hypothetical breach response and highlighted some of the key areas that I think companies may overlook as they plan to address data breaches post-GDPR. Proactively keeping a pulse on the changes will ensure there are no disruptions to a company's international operations.
The Situation
Imagine that fictional "Company X," a U.S.-headquartered, multinational company, discovered a data breach exposing nearly a million records containing personally identifiable information (PII) for customers in the United States and Europe.
Prior to the GDPR going into effect, Company X's response to the data breach would primarily focus on notifying authorities and consumers in the U.S. in accordance with applicable regulations and individual state laws.
However, when the GDPR goes into effect, Company X will have several other factors to take into consideration that may impact their response plans, including: standing up a multinational response team, engaging stakeholders on a global scale, and coordinating international consumer notification and support.
Coordinating a Multinational Response
Moving into 2018, a critical part of Company X's data breach response planning will be identifying and coordinating a multinational response team that can be activated in a moment's notice. This team of vendors - lawyers, communications specialists, a data breach resolution provider and forensic experts - can help Company X understand the local laws and customs, and can serve as "boots-on-the-ground" to support in the operationalization of market-specific activations.
To ensure a smooth response, Company X should identify these partners prior to a breach occurring - ideally during the data breach response planning phase. Depending on the extent of the E.U. resident data they are collecting, they may choose to set up a support team in each country of operation or even a centralized response hub.
Stakeholder Engagement
The new 72-hour notification law may be one of the biggest hurdles Company X encounters. It currently takes the average U.S. company 40 days to notify consumers after discovering a breach. Having a multinational response team coordinated in advance can be the difference between compliance with the law and sizable fines.
Company X's local legal partners should be able to provide guidance on engaging with the appropriate protection authorities (DPA) and exactly what information needs to be shared within the limited timeframe
Reaching out to regulators early can also reduce scrutiny and can help streamline the process. If possible, Company X should engage with stakeholders throughout the year to build relationships and get an understanding of the threats they are seeing.
Consumer Notification and Support
One of the biggest challenges Company X may face during a post-GDPR breach is notifying consumers and setting-up call centers in multiple languages. Although there is not a current time limitation to notify consumers, once a DPA has been notified, the breach will essentially become public. And consider this: in many of these markets, people are not used to receiving breach notifications so it's quite possible they will have more questions and concerns than occur with a standard breach in the U.S.
As laid out by the GDPR, consumer notification must be done "without undue delay" therefore, Company X will need to work with their data breach resolution and communications partners in all effected countries to ensure people receive notifications in the correct language, and are directed to a call center that can answer their questions.
Company X should also determine whether they are going to offer identity protection services to affected consumers. While not mandated by GDPR, these services can help quell the fears of those impacted by the breach. This decision will need to be made quickly, as information on the services should be included in the initial breach notification letter.
As seen with Company X's hypothetical scenario, preparation will be the key to a successful data breach response in a post-GDPR environment. It is also highly recommended that companies look beyond what they have previously planned for and anticipate what hurdles might come their way in the future. This will mean developing and practicing a response plan with multiple scenarios to ensure the company is prepared in the event of a multinational breach.
Given that the GDRP essentially creates a worldwide notification protocol, it will be important for U.S. companies - such as Company X - to prepare in advance for the new regulations and think beyond the mandated regulations. Responding quickly and effectively, assisting affected consumers and protecting a brand's reputation are all equally important for any company facing the reality of a data breach.
About the Author:
Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. He can be reached at michael.bruemmerSIW@experianinteractive.com.