Practical breach response guidance in a post-GDPR world
Enterprise management teams should increase early awareness of data security incidents across their organization to mitigate issues faster and avoid any further complications.
This should include constantly reevaluating any problem on an organization’s system and working closely with IT and legal departments, recommends Rory Conway, EMEA chief compliance officer at insurance firm MetLife.
“The industry has data incidents and we’ve had data breaches post-GDPR (General Data Protection Regulation) and pre-GDPR,” Conway said.
“We build up an awareness amongst our team and amongst our people of the importance of early notification of data incidents and data breaches.”
Insight and perspective
The industry has seen the number of security incidents across its European markets increase since the implementation of GDPR, Conway said.
The first point of action is to confirm where the reported problem occurred and whether it amounts to a data incident or a personal data breach. Understanding the range of security issues that can occur, and how they may arise, is also important for future mitigation.
“Learn from any data breaches that you have, learn so that you're better next time at dealing with them and, in some respect, you can help try to avoid them happening again,” Conway said.
Being able to identify a security problem effectively is key to this.
Some incidents may be easy to identify, or teams may only be working on a suspicion of something malicious having occurred, Conway said.
Regardless, the situation calls for the organization’s standardized incident management process to kick in.
“Everyone should have an incident management process for dealing with data breaches and it kicks in on confirmation,” Conway said.
“The incident management team is the group that determines the lead on a data breach perspective on the enterprise and they need to do their preliminary factual gathering.”
Documenting the steps taken in both investigating and assessing any security incident is essential, Conway said, as this will help an organization communicate the issue to its various stakeholders, which might include its own team, a regulator, or customers in the event of their information being compromised.
“At this point, it might be early days, you want to be able to make a confident assessment as to the severity of the incident,” Conway said.
“Sometimes we can initially assess something as low, but then as things develop, perhaps there are more issues that signal a more significant threat.”
An underestimate of an incident’s severity can cause problems with regulators, Conway added.
“It can be much less of a problem if you classify something as a breach than if you misclassify something as an incident that should have been a breach,” Conway said.
‘Don’t go silent’
GDPR has served as a wake-up call about the processes that need to be in place for an organization to deal with the inevitable data breach or security incident.
The new rules dictate that enterprises operating in Europe must notify the relevant data protection authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned.
But there are also cybersecurity lessons to be learned from how breaches are handled in the US, Conway said, despite that country’s current lack of federal data privacy legislation.
“The reality is that we [in Europe] tend to be loath to share our secrets with our competitors and with other market participants,” Conway said.
“But the more we share the more we can help protect each other from further issues.”
Sharing may influence how an enterprise mitigates an incident in the future, in both the short and the long term. Patching promptly and ensuring that access to data is restricted to the appropriate people within an organization are examples of preventative action.
“Don’t go silent,” Conway said.
“This is another mistake that some of the more significant victims of attacks have made, which is to brush it under the carpet and not share information.
“It comes back to bite you,” he added.
In 2018, MetLife reported a data breach where the company had accidentally exposed customer information through an email attachment. The incident saw consumer Social Security Numbers, dates of birth, gender, address, and insurance coverage information put at risk.
“Don’t panic, follow your processes, and follow your plan,” Conway said.
“Don’t improvise, don’t respond on the go, take a systematic approach, don’t assume things, deal with the facts, where you make assumptions verify those assumptions and stick with the incident response plan.”