
7.0 - Breach Notification

7.1 - Timing

  • Article 33 of GDPR (notification of the supervisory authority) and Article 34 (communication to the data subject)
  • If a data breach is likely to result in a risk to the rights and freedoms of natural persons, the supervisory authority must be notified; if it is likely to result in a high risk to those rights and freedoms, the affected data subjects must be notified as well
  • The data subjects must be notified directly without undue delay; the notification must:
      • Use clear and plain language
      • Describe the nature of the breach
      • Give the DPO's contact information (or another point of contact)
      • Describe the likely consequences
      • Describe the measures taken or proposed to address the breach and mitigate its effects
  • Internal parties should be notified first, without letting this delay the regulatory clock:
      • Security and IT team(s)
      • Legal team(s)
      • Relevant support teams, e.g. the front desk, so they can prepare responses to enquiries
  • External supporting parties may require notification too, such as:
      • Law enforcement
      • Insurance carrier
      • Forensics
      • Public relations
  • The supervisory authority must be notified without undue delay and, where feasible, no later than 72 hours after the company becomes aware of the breach; if notification is later than that, it must be accompanied by the reasons for the delay
  • The 72-hour obligation sits with the controller; a processor that becomes aware of a breach must notify the controller without undue delay (Article 33(2))
  • Supervisory authorities must know:
      • The nature of the breach, including where possible the categories and approximate number of data subjects and of personal data records concerned
      • DPO contact information
      • Likely consequences
      • Measures taken or proposed to address the breach, including mitigation of its effects
  • The information for the supervisory authority may be provided in phases if it is not all known immediately

7.2 - Public Relations

  • Reputation: the emotional connection stakeholders have with a company
  • Defined PR policies and procedures can protect an organisation's business and brand
  • In the era of social media, information about a breach can spread almost instantly
  • In the event of a breach, inaccurate context, poor publicity, and negative perceptions are all potential consequences that must be considered
  • Consequences can continue long after the breach itself, as customers may not feel comfortable continuing with the organisation
  • PR firms can mitigate this by preparing materials ahead of time, including:
      • Notification letters
      • Social media and website content
      • Crisis management plans
      • Communication campaigns
  • Often a PR firm is already engaged by the business, so it comes into the situation already briefed rather than spending valuable time getting up to speed

7.3 - Incident Response and Forensics

  • Incident response (IR): an organised approach to addressing and managing the aftermath of a security breach
  • Objectives:
      • Avoid or minimise damage to customers
      • Avoid or minimise business loss (financial and data)
      • Meet industry and regulatory requirements, avoiding penalties where possible
      • Minimise the risk of similar breaches in the future
  • To prepare for a breach, four key steps should be taken:
      • Set controls
      • Monitor systems
      • Assess risk
      • Educate and inform
  • Organisations should have a named incident commander
      • They lead the identification and containment of the cause
      • They execute the pre-created incident response plan and ensure the relevant parties are notified
      • They should ensure evidence (logs, disk and memory images) is preserved before remediation destroys it
  • Forensics companies already retained by the organisation can also be used to carry out the analysis
  • Forensics teams bring many benefits, including:
      • Threat and vulnerability consulting
      • Rapid response
      • Neutral (independent) forensic findings, which carry more weight with regulators, insurers and courts
      • Expert technical analysis