Incident and Breach Response is an important privacy and security tool for compliance in relation to the protection of personal data. It is one of the mechanisms for mitigating and preventing risks to the rights and freedoms of individuals: upon learning of a personal data breach, the organization notifies supervisory authorities and/or the affected individuals. Here is a summary of the practical incident and breach management challenges and how software can help you tackle them successfully.
Steps to Successful Incident and Breach Management
ONE| Spot the Breach
The first and foremost requirement for successfully managing any personal data breach is learning about it in the first place. While this may seem obvious, the time between an incident occurring and its discovery is frequently measured in months, with around six months often cited as the average. Do not underestimate your breach detection mechanisms and training: you rely on all of your employees and vendors to be your allies in preventing and spotting security incidents.
Regular internal privacy and security training can have a huge impact on your employees' ability to identify an incident and know how to report it. For that, you should have a highly available and easy-to-use reporting tool that everyone is familiar with and comfortable using. Similarly, your vendors should know how to reach you in case of an incident (and vice versa), and you should check that they track their own vendors' incidents as well.
Privacy software can do much of the heavy lifting for these requirements. OneTrust Incident & Breach Response can help your organization track and document all incident reports, both internal and from vendors, together with their mitigation and management. This way, you can keep track of the progress of each breach investigation, the breach notifications required in different jurisdictions and the overall breach management status of the company.
TWO| Assess and Investigate the Breach
A key element of the next stage in breach management is being able to tell whether a breach is serious. Determining breach seriousness, i.e. what risks the breach poses to the affected individuals, is critical for your privacy compliance because it drives whether, whom and how quickly you must notify.
Depending on the jurisdictions where your organization operates, consider which privacy laws' breach notification thresholds to include in your breach assessment. Many privacy laws globally incorporate some combination of three elements: the level of risk to individuals (as under the GDPR), the types of data involved (certain categories, for example health or financial data, typically signify a serious breach on their own), and the number of individuals affected. Based on these elements it is then determined whether regulators and/or individuals must be notified, and within what deadline.
Make sure that, before a breach occurs, you have in place (i) a breach response team representing all key departments (and possibly vendors), and (ii) a written set of steps on how to investigate a breach and proceed with its mitigation. Instead of an abstract compliance document, produce a structured and practical step-by-step plan that your breach response team can follow both for prevention and for managing breaches.
If you operate globally, it is essential to prioritize establishing which jurisdictions' residents are affected by the breach, since this determines your notification obligations.
OneTrust Databreachpedia™ helps your organization understand the different breach notification requirements per country, establish which thresholds are relevant to your particular situation and decide what your next steps should be. OneTrust Incident & Breach Response then helps you keep track of all the incidents reported within your organization, as well as the stages and progress of the related breach investigation and notification processes. All of this is kept in a format that also serves as breach documentation.
THREE| Mitigate the Breach
Mitigation of a breach always depends on its nature: a misaddressed email is treated differently from a phishing attack or a compromised server. In all cases, mitigating a breach is very much a team effort, so involve your Security, IT and other teams wherever needed. Decisions on mitigation steps should be coordinated within your breach response team, and management should be aware of at least the more important ones.
Whichever steps you take to address the breach and mitigate its negative impacts, make sure that you always document them; this record is your proof of how you complied with your related obligations. Privacy software can be a great central hub for all information on an incident, including every mitigation action taken. Because every department has access to its own portion of the tool, it is easier for everyone to contribute what they have done on the matter, and for your privacy office to track the overall progress.
FOUR| Communicate and Document the Breach
Given today's global market, a personal data breach will often affect individuals located in more than one jurisdiction, and will concern organizations both inside and outside the EU. In most cases, you cannot rely on a 'one-stop-shop' mechanism to simplify your reporting.
With regard to the GDPR, verify ahead of any breach notification whether the 'one-stop-shop' principle actually applies to you: it is available only where you carry out cross-border processing and have a main establishment in the EU, which gives you a lead supervisory authority. Even when relying on it, consider proactively informing other Member State regulators, or at least indicating to your lead supervisory authority that individuals in other Member States may be affected. Bear in mind the GDPR deadline as well: where a breach is likely to result in a risk to individuals, the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of it, so the clock starts with detection, not with the conclusion of the investigation. Every regulator is also likely to have its own preferences (or even forms) for breach notifications; it saves time and energy on both sides if you follow these when reporting breaches.
Regardless of whether you notify or not, documenting every step of your breach management is paramount, both for compliance and for planning your next security measures. Establish and maintain a record of all personal data breaches you detect, including their facts, effects and the remedial action taken, even for breaches not notified to regulators or individuals; under the GDPR this record is what allows the supervisory authority to verify your compliance.
OneTrust Incident & Breach Response includes customizable privacy-law triggers to help you automatically determine which privacy laws need to be considered. Furthermore, it contains global breach notification templates reflecting the minimum notification requirements of each country, along with practical details on which contact information to use. It also tracks and documents incidents throughout all of their stages and can be used to measure the duration of breach investigations and other key metrics.
FIVE| Further Guidance and Software Tools to Help
The OneTrust Ultimate Incident and Breach Management Handbook goes into detail on the specific breach notification requirements and turns them into practical suggestions and steps that companies should take towards maintaining a formalized and truly effective Incident & Breach Management Program that functions on a global scale.