TRANSCRIPT
Incident and Breach Management: Building a Technical Response Plan
for Privacy & Security Teams
Breaches are Everywhere
New Mandatory Reporting Laws Cause Greater Levels of Transparency
United Kingdom: over 1,106 complaints or concerns in the first month
Ireland: received 547 data breach notifications, 386 complaints in the first month
France: 50% YoY increase in the number of complaints in the first month
But What’s the Risk of Reporting?
Some jurisdictions publish immediately
Reputational Impact
Financial Damage
The DPO Dilemma: High Risk vs. Low Risk Reporting
Today’s Agenda
1 | Privacy vs. Security Roles
2 | Preparing for a Breach
3 | Lifecycle of an Incident
4 | Combine with Other Compliance
Privacy vs. Security
Roles and responsibilities during incidents and breaches
BREACH Response Plan: Security Team vs. Privacy Team Aims
Security Teams:
• Ensuring measures are in place to protect the Personal Information (PI)
• ALL data are relevant for a breach
Privacy Team:
• Understanding why the PI is processed and ensuring legal safeguards are in place
• Only PI is relevant for a breach
• Not ALL privacy breaches are security breaches (e.g. Cambridge Analytica)
• Breach response must be tailored to address this distinction.
Bottom Line: You Need Both
There Are Overlaps (Security Teams / Privacy Teams)
• Risk-Based and Impact-Driven Approach
• Vendor-Vetting Audits
• Information Security Policy & Privacy Policy can rely on each other
• Breach Response
• Privacy Relies on (and Complements) Security Safeguards
Cooperation between Security and Privacy is KEY
Breach Response Plan: Security + Privacy
Preparation Steps
What you should have in place prior to a breach
Create the Playbook
• Teams
• Legislative & Contractual Requirements
• Additional Breach Obligations
Know this and have it in place ahead of time
Consider Global Reporting Nuances
[Map of notification deadlines by jurisdiction; values shown: 72 Hours, 24+ Hours, varies state to state, 30 Days, 24 Hours, draft bill]
Empower Your Organization
• It’s everyone’s responsibility
• Host regular trainings
• Get them the information they need
o Name badges with reporting info
o Internal hotlines/email servers
o Webinars, emails
• Foster openness, trust and respect to remove the fear of reporting
Tabletop Exercises
Tabletops help you understand how your response will work in practice
Executive Tabletops
Working Groups
Lifecycle of an Incident
Incident Categorization
Tier 1 (Widespread, Impactful, Reputation Harming): 24/7 Communications
Tier 2 (Contained to Market, Below a Threshold): Meet 2-3 Times/Day
Tier 3 (Unconfirmed, Lost personnel files, Misdirected emails): Meeting not necessary
Each level has its own response and communications plan
72-Hour GDPR Action Plan
1. Identify the incident and become “aware”
2. Investigate the Breach
3. Address the Breach
4. Notify the Breach to the DPA*
5. Inform the Affected Individuals
Not all incidents proceed through all of the stages above. This is the maximum.
*If you don’t report, you need to have a defensible position as to why
Clear and Immediate Communications Strategy
Communication Strategy:
• Affected Individuals
• Relevant Entities
• Press & External
With breach notification laws differing across the globe, consider going to the ‘lowest common denominator’ for response
Document the Breach
Description of how the organization records data breach incidents (including those not notified)
Required under some privacy legislation (GDPR; selected U.S. states require, as part of the notification, information about breaches notified in the last 12 months)
Contents: facts surrounding the breach, effects of the breach, remedial action taken.
Review
• How the breach occurred
• Effectiveness of response plan
• Update the Playbook
Combine with Other Compliance
Look for Similarities and Save Yourself Time
GDPR Breach Response Obligations are similar to requirements under other legislation or international standards (e.g. NIS):
Work with existing measures and enhance them to fit the GDPR requirements too
Example: ISO 27001 & GDPR
• ISO 27001 requires mechanisms to:
o quickly identify security incidents and report them
o ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses
• The managerial reporting structure created by the ISO 27001 requirements can be adapted to incorporate the necessary DPA notification.
The GDPR Article 33 and 34 requirements are complementary to the ISO 27001 standards
• Security personnel are often the first to discover a security incident; proper breach reporting channels can include notifying the DPO or privacy leader, who will also be involved in determining if the event rises to the level of a personal data breach.
• Security and Privacy teams will need to work together on crafting the breach notice to the DPA (and potentially data subjects).
Free Resources Available
The Ultimate Incident and Breach Management Handbook
onetrust.com/incident-toolkit
The #1 Most Widely Used Privacy Management Platform
PIA | DPIA | PbD | InfoSec Assessment Automation
Privacy Program Management
Vendor Risk Management
Incident and Breach Response
Marketing Consent, Preferences, & Subject Rights
Data Protection by Design and Default (PbD)
Data Inventory, Mapping, Records of Processing
Global Readiness and Accountability Tracker
Privacy and Security Incident Intake
Incident Risk Assessment Automation
Global Data Breach Law Engine
Notification and Reporting Obligations
3rd Party Privacy & Security Risk Assessments
4th Party Sub-Processor Auto-Detection
Vendor Compliance Scanning
Contract & DPA Management
Cookie Consent and Website Scanning
Enterprise Preference Center
Universal Consent Management
Data Subject Rights Portal
Free GDPR Workshops
4.5 IAPP CPE Credit Hours
OneTrust Certification Program in Select Cities
Monthly GDPR Webinar Series
Hosted by Top Tier Law Firms & Consultancies
RSVP TODAY
PrivacyConnect.com
2018 WORKSHOP SCHEDULE
Amsterdam
Dublin
Düsseldorf
Warsaw
Vienna
Manchester
Geneva
London
Zürich
Paris
Lisbon
Helsinki
Madrid
Tallinn
Bucharest
Copenhagen
Seattle
Portland
Chicago
Vancouver
Toronto
New York
Atlanta
Houston
Denver
San Francisco
Los Angeles
Rome
Stockholm
Brussels
Berlin
Munich
Oslo
Prague
Barcelona
Budapest
Hamburg
Belfast
Milan
Athens
“This was the best GDPR-focused conference I have ever been to. This was not just a high-level look into requirements, but an in-depth educational experience for myself and my colleagues.”
Boston
Washington
Austin
Charlotte
Phoenix
Sydney
Singapore
Melbourne
Hong Kong
Auckland
Tel Aviv
Dubai
Abu Dhabi
Doha
Visit Our Booth
Product Demos
Full Text GDPR Books
Free Tools & Templates
GDPR Workshops