First aid toolkit for the management of data breaches
Mary Deligianni, Senior Associate, 15 February 2018

What is a personal data breach?
A breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Examples:
- Loss or theft of a laptop or mobile phone (even if password-protected)
- Sending an email or letter to the wrong recipient
- Access to employees' sensitive information left in an insecure location overnight

Types of personal data breaches
- Confidentiality breach: unauthorised or accidental access to, or disclosure of, personal data.
- Availability breach: accidental or unauthorised loss of access to, or destruction of, personal data.
- Integrity breach: unauthorised or accidental alteration of personal data.

Overview of the obligations under the GDPR
- Notification to the DPA
- Communication to the affected individuals
- Internal record keeping of data breaches
Who bears these obligations? Data controller vs data processor.
These obligations are not new!
- Sector-specific reporting requirements existed long before the GDPR (e.g. telecom providers, credit institutions, providers of electronic communications).
- The NIS Directive (Cybersecurity Directive 2016/1148) imposes reporting obligations on operators of essential services and digital service providers.

Risk evaluation
Possible outcomes: no risk / risk / high risk
Criteria:
- Type of the breach
- Nature, sensitivity and volume of personal data
- Ease of identification of individuals
- Number of affected individuals
- Severity of consequences for individuals
- Special characteristics of the individuals
- Special characteristics of the data controller

Review of the different scenarios
A data breach that is unlikely to result in a risk to the rights and freedoms of individuals
Example: a CD containing backup data encrypted with a state-of-the-art algorithm is stolen during a break-in.
- No need to notify the DPA or the individuals
- The company is required only to record the data breach internally

Review of the different scenarios
A data breach that is likely to result in a risk to the rights and freedoms of individuals
Example: a ransomware attack encrypts files containing personal data.
- The company is required to notify the DPA and to record the data breach internally

Review of the different scenarios
A data breach that is likely to result in a high risk to the rights and freedoms of individuals
Example: a cyber-attack on an online shop, after which usernames, passwords and purchase history are published online by the attacker.
- The company is required to notify the DPA and the individuals, and to record the data breach internally
- No need for communication to the individuals if:
  - appropriate technical and organisational measures have been applied to the affected data; or
  - steps have been taken which ensure that the high risk is no longer likely to materialise; or
  - communication would involve disproportionate effort; in that case a public communication is required instead.

Notification to the DPA
When? Without undue delay and, where feasible, not later than 72 hours after the data controller becomes aware of the data breach.
What information?
- description of the nature of the data breach, including the categories and approximate number of affected individuals;
- name and contact details of the DPO or other contact point;
- description of the likely consequences of the data breach; and
- description of the measures taken or proposed to be taken to address the breach.

Communication to the individual
When? Without undue delay.
What information?
- description of the nature of the data breach;
- name and contact details of the DPO or other contact point;
- description of the likely consequences of the data breach; and
- description of the measures taken or proposed to be taken to address the breach.
How?
- direct communication, unless this would involve disproportionate effort;
- dedicated to the data breach (not bundled with other messages);
- drafted in clear and plain language;
- preferably through more than one channel of communication.

Flowchart showing notification requirements
- The controller detects the security incident and establishes whether a personal data breach has occurred.
- The controller becomes aware of a personal data breach and assesses the risk to individuals.
- Is the breach likely to result in a risk to individuals' rights and freedoms?
  - No: no requirement to notify the supervisory authority or the individuals.
  - Yes: notification to the supervisory authority.
- Is the breach likely to result in a high risk to individuals' rights and freedoms?
  - No: no requirement to communicate to the individuals.
  - Yes: communication to the affected individuals, including information on steps they can take to protect themselves from the consequences of the breach.
- In every case the breach should be documented and a record maintained by the controller.
Source: Article 29 Working Party, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250).
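The decision logic of the risk-evaluation, scenario and flowchart slides above, written out as a small Python module of the kind an incident-response team might embed in its breach register. This is an added example, not material from the presentation; the Breach fields, the function names and the three breach instances (built from the slide scenarios with made-up figures and a made-up awareness time) are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Risk(Enum):  # outcome of the risk evaluation slide
    UNLIKELY = "unlikely to result in a risk"
    RISK = "likely to result in a risk"
    HIGH = "likely to result in a high risk"

@dataclass
class Breach:
    description: str              # nature of the breach, for the internal record
    approx_individuals: int       # approximate number of affected individuals
    risk: Risk                    # result of the controller's risk evaluation
    aware_at: datetime            # when the controller became aware (UTC)
    # Grounds on the high-risk slide for not contacting individuals directly
    data_protected: bool = False  # appropriate measures applied, e.g. encryption
    risk_no_longer_likely: bool = False
    direct_contact_disproportionate: bool = False

def obligations(b: Breach) -> dict:
    """Walk the notification flowchart and return the controller's duties."""
    out = {"internal_record": True, "notify_dpa": False,
           "communicate_individuals": False, "public_communication": False}
    if b.risk is Risk.UNLIKELY:
        return out                      # record internally, nothing else
    out["notify_dpa"] = True            # any risk: notify the DPA
    if b.risk is Risk.HIGH:             # high risk: also tell individuals...
        if b.data_protected or b.risk_no_longer_likely:
            pass                        # ...unless an exemption applies
        elif b.direct_contact_disproportionate:
            out["public_communication"] = True
        else:
            out["communicate_individuals"] = True
    return out

def hours_until_dpa_deadline(b: Breach, now: datetime) -> float:
    """Hours left of the 72-hour window; negative once it has passed."""
    return (b.aware_at + timedelta(hours=72) - now).total_seconds() / 3600

def slide_examples() -> dict:
    """Constructed instances of the three scenarios on the slides."""
    t0 = datetime(2018, 2, 15, 9, 0, tzinfo=timezone.utc)  # constructed time
    return {
        "encrypted_backup_cd": Breach("Encrypted backup CD stolen in break-in",
                                      5000, Risk.UNLIKELY, t0),
        "ransomware": Breach("Ransomware encrypted files with personal data",
                             1200, Risk.RISK, t0),
        "online_shop": Breach("Usernames, passwords, purchases published",
                              80000, Risk.HIGH, t0),
    }
```

Toggling the three exemption flags on the online-shop instance shows how the high-risk branch moves between direct communication, public communication and no communication while the DPA notification stays mandatory.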

Long-term consequences of a personal data breach
- Reputational damage
- Financial loss
- Loss of profits
- Damages in the course of litigation and settlement proceedings
- Administrative sanctions of up to €10,000,000 or 2% of the group's annual turnover
$3.62 million is the average total cost of a data breach*
*2017 Cost of Data Breach Study, Ponemon Institute, sponsored by IBM Security

Think proactively! Take steps to minimise the likelihood of data breaches
- Implement appropriate security and organisational measures that ensure a level of security appropriate to the risk.
- Where the processing is likely to result in a high risk, carry out DPIAs to assess the risks and define the safeguards, security measures and mechanisms.
- Raise awareness and train employees in how to identify threats and keep data safe.
- Impose strict security obligations on service providers/data processors and conduct security audits.

Think proactively! Be able to address a data breach efficiently when it occurs
- Prepare a Data Breach Response Plan.
- Set up an internal team for managing breaches.
- Establish KPIs to evaluate the responsiveness of the organisation.
- Explain to employees how to recognise a data breach and how to escalate a security incident.
- Select a law firm and an IT provider to assist you with the handling of data breaches.

Think proactively! Be able to address a data breach efficiently when it occurs
- Impose strict notification obligations on service providers/data processors in case of a data breach in their systems.
- Prepare a communication plan and work to regain the trust of your clients.
- Assess the need for cyber insurance.

Thank you