Regulator asks for industry feedback as it develops breach notification examples for a range of cyber-attacks
It’s the stuff of nightmares: your organization has fallen victim to a cyber-attack, and you need to work out how to handle your response.
The EU’s General Data Protection Regulation (GDPR) sets out basic requirements for notification but leaves room for maneuver, with data controllers required to assess risks and make decisions themselves on whether notification is required, and if so to whom.
However, the European Data Protection Board (EDPB) has acknowledged that GDPR doesn’t go into enough detail – and the regulatory body has now published a set of data breach notification examples and called for comment from the industry.
Making an example
The 18 examples in the Guidelines on Examples Regarding Data Breach Notification (PDF) include everything from ransomware attacks to mis-sent emails, with detailed suggestions of how the breach could have been prevented or mitigated, and on how it should be dealt with.
In one case study, for instance, a computer used by an agricultural company is exposed to a ransomware attack, and its data encrypted by the attacker. No electronic backup is available, only paper records.
The document lists the measures that should have been taken to avoid the problem – primarily, backups and encryption – and recommends that in this particular case, both the authorities and the data subjects should be notified.
Other scenarios include data exfiltration, internal human-related risks, lost or stolen devices and documents, post-related breaches and social engineering.
For each of these, there’s a discussion of the measures – if any – put in place by the data controller to protect personal data and prevent a breach; the circumstances surrounding the breach, the resulting risk, the mitigating steps that should be taken by the controller, and the controller’s ensuing obligations.
Room for improvement
The guidelines are being broadly welcomed by the information security industry.
“The data breach notification examples are helpful in that they clearly set out non-binding guidance to organisations in handling some of the most common scenarios,” says Adam Palmer, chief cybersecurity strategist at Tenable.
However, some observers say they don’t go far enough, highlighting the lack of detail on handling cloud service breaches.
“I would have liked to see the guidelines including 20 examples, so that cloud and third-party supplier breaches were explored in much greater detail,” Neil Thacker, data protection officer and CISO for Netskope, told The Daily Swig.
“All that we have in there at the moment is the recommendation of ‘disabling open cloud services’, which shows a lack of understanding of exactly how cloud services are being used in businesses.”
Bharat Mistry, UK technical director of Trend Micro, agrees.
“The shortfall I see in the report is that it doesn’t reference public cloud-based attacks, and in particular where an organisation is leveraging a mix of cloud native services like cloud file storage, serverless computing and containerised runtime for microservices,” he says.
“I would have expected to see references and examples to the shared responsibility model, so that controllers know where their responsibility lies.”
And, adds Dave Barnett, director of edge protection for EMEA at Forcepoint, “The practical examples cited in these new guidelines will be appreciated by users, but they could go further by offering legally watertight examples of communications that could be issued to the subjects involved should an incident happen.”
Another omission relates to the coronavirus pandemic.
“The new guidelines unfortunately do not include the specific risks which arise from work-from-home situations, which have become so prevalent over the past year, and which will continue into the future to some degree even after Covid has largely been dealt with,” says Dave Waterson, CEO at SentryBay.
“Employees working from home, processing sensitive data, often through unmanaged devices, opens new vulnerabilities which should be dealt with directly in EU guidelines.”
The EDPB is calling for feedback, due by March 2 at the latest, which may mean that some of these issues are addressed. Interested parties can comment via the EDPB website.