Incident and Breach Management: Building a Technical Response Plan for Privacy & Security Teams

Transcript (27 pages)

Page 1: Incident and Breach Management: Building a Technical Response Plan for Privacy & Security Teams

Page 2: Breaches are Everywhere

Page 3: New Mandatory Reporting Laws Cause Greater Levels of Transparency

• United Kingdom: over 1,106 complaints or concerns in the first month
• Ireland: 547 data breach notifications and 386 complaints received in the first month
• France: 50% year-on-year increase in the number of complaints in the first month

Page 4: But What's the Risk of Reporting?

• Some jurisdictions immediately publish what is reported to them
• Reputational impact
• Financial damage

The DPO Dilemma: High Risk vs. Low Risk Reporting

Page 5: Today's Agenda

1 | Privacy vs. Security Roles
2 | Preparing for a Breach
3 | Lifecycle of an Incident
4 | Combine with Other Compliance

Page 6: Privacy vs. Security: Roles and responsibilities during incidents and breaches

Page 7: Breach Response Plan: Security Team vs. Privacy Team Aims

Security Teams:
• Ensuring measures are in place to protect the Personal Information (PI)
• ALL data are relevant for a breach

Privacy Team:
• Understanding why the PI is processed and ensuring legal safeguards are in place
• Only PI is relevant for a breach

• Not ALL privacy breaches are security breaches (e.g. Cambridge Analytica)
• Breach response must be tailored to address this distinction.

Bottom Line: You Need Both

Page 8: There Are Overlaps

Shared by Security Teams and Privacy Teams:
• Risk-based and impact-driven approach
• Vendor-vetting audits
• Information Security Policy & Privacy Policy can rely on each other
• Breach response
• Privacy relies on (and complements) security safeguards

Page 9: Cooperation between Security and Privacy is KEY

Breach Response Plan: Security + Privacy

Page 10: Preparation Steps: What you should have in place prior to a breach

Page 11: Create the Playbook

• Teams
• Legislative & Contractual Requirements
• Additional Breach Obligations

Know this and have it in place ahead of time

Page 12: Consider Global Reporting Nuances

(World map of notification deadlines. The labels on the slide were: 72 Hours, 24+ Hours, Varies state to state, 30 Days, 24 Hours, Draft bill. Only the 72-hour GDPR deadline, covered on Page 17, is identifiable from the deck itself; the extracted text does not attach the other labels to a jurisdiction.)

Page 13: Empower Your Organization

• It's everyone's responsibility
• Host regular trainings
• Get them the information they need
  o Name badges with reporting info
  o Internal hotlines/email servers
  o Webinars, emails
• Foster openness, trust and respect to remove the fear of reporting

Page 14: Tabletop Exercises

Tabletops help you understand how your response will work in practice

• Executive tabletops
• Working groups

Page 15: Lifecycle of an Incident

Page 16: Incident Categorization

Tier 1: Widespread, impactful, reputation harming. Cadence: 24/7 communications.
Tier 2: Contained to a market, below a threshold. Cadence: meet 2-3 times/day.
Tier 3: Unconfirmed; lost personnel files; misdirected emails. Cadence: meeting not necessary.

Each level has its own response and communications plan

Page 17: 72-Hour GDPR Action Plan

1. Identify the incident and become "aware"
2. Investigate the breach
3. Address the breach
4. Notify the breach to the DPA*
5. Inform the affected individuals

Not all incidents proceed through all of the stages above. This is the maximum.

*If you don't report, you need to have a defensible position as to why

Page 18: Clear and Immediate Communications Strategy

Communication strategy audiences: affected individuals; relevant entities; press & external

With breach notification laws differing across the globe, consider going to the 'lowest common denominator' for response

Page 19: Document the Breach

Description of how the organization records data breach incidents (including those not notified)

Required under some privacy legislation (GDPR; selected U.S. states require, as part of the notification, information about breaches notified in the last 12 months)

Contents: facts surrounding the breach, effects of the breach, remedial action taken.
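The breach register on this slide and the 72-hour action plan on Page 17 can be kept as a small piece of code rather than a spreadsheet. The following is an added example, not code from the original deck or from OneTrust: an in-memory register that records every incident (including those not notified), computes the Article 33 deadline from the moment of awareness, refuses a decision not to notify unless a justification is written down (the footnote on Page 17), flags late notifications, and answers the "breaches notified in the last 12 months" question. The Tier 1-3 labels and the facts/effects/remedial-action fields come from the slides; the class and method names and the sample incidents are assumptions.

```python
"""Breach register with GDPR Article 33 deadline tracking (added example).

Not from the original slides. Class and method names, and the sample
incidents in build_sample_register(), are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Art. 33(1): notify "without undue delay and, where feasible, not later than 72 hours"
GDPR_NOTIFICATION_WINDOW = timedelta(hours=72)
# The "last 12 months" window some U.S. state notices ask about
LOOKBACK = timedelta(days=365)


@dataclass
class BreachRecord:
    ref: str
    aware_at: datetime          # when the organisation became "aware" (must be timezone-aware)
    tier: int                   # 1 widespread/impactful, 2 contained, 3 unconfirmed/minor
    facts: str                  # facts surrounding the breach
    effects: str                # effects on the individuals concerned
    remedial_action: str        # remedial action taken
    personal_data: bool         # False: security incident that is not a personal data breach
    notified_at: Optional[datetime] = None
    no_notify_reason: Optional[str] = None

    def __post_init__(self) -> None:
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")
        if self.tier not in (1, 2, 3):
            raise ValueError("tier must be 1, 2 or 3")

    @property
    def dpa_deadline(self) -> datetime:
        return self.aware_at + GDPR_NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left until the Art. 33 deadline; negative once it has passed."""
        return (self.dpa_deadline - now) / timedelta(hours=1)


class BreachRegister:
    def __init__(self) -> None:
        self._records: dict[str, BreachRecord] = {}

    def log(self, rec: BreachRecord) -> None:
        if rec.ref in self._records:
            raise ValueError(f"duplicate reference {rec.ref}")
        self._records[rec.ref] = rec

    def notify_dpa(self, ref: str, when: datetime) -> None:
        rec = self._records[ref]
        rec.notified_at = when
        rec.no_notify_reason = None

    def decide_not_to_notify(self, ref: str, reason: str) -> None:
        """A decision not to report must carry a recorded, defensible reason."""
        if not reason.strip():
            raise ValueError("a documented justification is required")
        self._records[ref].no_notify_reason = reason

    def undecided(self, now: datetime) -> list[tuple[str, float]]:
        """Records with neither a notification nor a recorded decision, with hours left."""
        return [(r.ref, round(r.hours_remaining(now), 1))
                for r in self._records.values()
                if r.notified_at is None and r.no_notify_reason is None]

    def late_notifications(self) -> list[str]:
        return [r.ref for r in self._records.values()
                if r.notified_at is not None and r.notified_at > r.dpa_deadline]

    def notified_in_last_12_months(self, now: datetime) -> list[str]:
        cutoff = now - LOOKBACK
        return sorted(r.ref for r in self._records.values()
                      if r.notified_at is not None and r.notified_at >= cutoff)


def build_sample_register() -> BreachRegister:
    """Constructed sample incidents (not real events)."""
    utc = timezone.utc
    reg = BreachRegister()
    reg.log(BreachRecord("INC-001", datetime(2018, 6, 1, 9, 0, tzinfo=utc), tier=1,
                         facts="Customer database exposed through a publicly readable storage bucket",
                         effects="Names, e-mail addresses and password hashes of ~120,000 customers readable",
                         remedial_action="Bucket made private, credentials rotated, access logs preserved",
                         personal_data=True))
    reg.log(BreachRecord("INC-002", datetime(2018, 6, 10, 14, 30, tzinfo=utc), tier=3,
                         facts="Invoice e-mailed to the wrong customer",
                         effects="One name and postal address disclosed to a single recipient",
                         remedial_action="Recipient confirmed deletion in writing; sender retrained",
                         personal_data=True))
    reg.log(BreachRecord("INC-003", datetime(2018, 6, 12, 8, 0, tzinfo=utc), tier=2,
                         facts="Malware found on a build server that holds no customer data",
                         effects="No personal data involved",
                         remedial_action="Host reimaged; indicator sweep across the fleet",
                         personal_data=False))
    reg.notify_dpa("INC-001", datetime(2018, 6, 3, 16, 0, tzinfo=utc))   # 55 h after awareness
    reg.decide_not_to_notify("INC-002", "Single recipient, deletion confirmed; unlikely to result in a risk to the individual")
    reg.decide_not_to_notify("INC-003", "No personal data on the affected host: security incident, not a personal data breach")
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    now = datetime(2018, 6, 13, 9, 0, tzinfo=timezone.utc)
    print("undecided:", reg.undecided(now))
    print("late:", reg.late_notifications())
    print("notified in last 12 months:", reg.notified_in_last_12_months(now))
```

The deadline is computed from the awareness timestamp, not from the incident itself, which is why `aware_at` must be timezone-aware: a naive local time would silently shift the 72-hour clock when the team and the DPA sit in different zones. `undecided()` is the list to review at every Tier 1/Tier 2 stand-up; anything still on it with few hours left needs either a notification or a written rationale.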

Page 20: Review

• How the breach occurred
• Effectiveness of the response plan
• Update the playbook

Page 21: Combine with Other Compliance

Page 22: Look for Similarities and Save Yourself Time

GDPR breach response obligations are similar to requirements under other legislation or international standards (e.g. NIS): work with existing measures and enhance them to fit the GDPR requirements too.

Page 23: Example: ISO 27001 & GDPR

• ISO 27001 requires mechanisms to:
  o quickly identify security incidents and report them
  o ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses
• The managerial reporting structure created by the ISO 27001 requirements can be adapted to incorporate the necessary DPA notification.

The GDPR Article 33 and 34 requirements are complementary to the ISO 27001 standard.

• Security personnel are often the first to discover a security incident, so proper breach reporting channels should include notifying the DPO or privacy leader, who will also be involved in determining whether the event rises to the level of a personal data breach.
• Security and privacy teams will need to work together on crafting the breach notice to the DPA (and potentially to data subjects).

Page 24: Free Resources Available

The Ultimate Incident and Breach Management Handbook
onetrust.com/incident-toolkit

Page 25: The #1 Most Widely Used Privacy Management Platform

Modules: Assessment Automation (PIA | DPIA | PbD | InfoSec); Privacy Program Management; Vendor Risk Management; Incident and Breach Response; Marketing Consent, Preferences, & Subject Rights

Features: Data Protection by Design and Default (PbD); Data Inventory, Mapping, Records of Processing; Global Readiness and Accountability Tracker; Privacy and Security Incident Intake; Incident Risk Assessment Automation; Global Data Breach Law Engine; Notification and Reporting Obligations; 3rd Party Privacy & Security Risk Assessments; 4th Party Sub-Processor Auto-Detection; Vendor Compliance Scanning; Contract & DPA Management; Cookie Consent and Website Scanning; Enterprise Preference Center; Universal Consent Management; Data Subject Rights Portal

Page 26: Free GDPR Workshops (4.5 IAPP CPE Credit Hours)

OneTrust Certification Program in Select Cities
Monthly GDPR Webinar Series hosted by Top Tier Law Firms & Consultancies
RSVP TODAY: PrivacyConnect.com

2018 Workshop Schedule: Amsterdam, Dublin, Düsseldorf, Warsaw, Vienna, Manchester, Geneva, London, Zürich, Paris, Lisbon, Helsinki, Madrid, Tallinn, Bucharest, Copenhagen, Seattle, Portland, Chicago, Vancouver, Toronto, New York, Atlanta, Houston, Denver, San Francisco, Los Angeles, Rome, Stockholm, Brussels, Berlin, Munich, Oslo, Prague, Barcelona, Budapest, Hamburg, Belfast, Milan, Athens, Boston, Washington, Austin, Charlotte, Phoenix, Sydney, Singapore, Melbourne, Hong Kong, Auckland, Tel Aviv, Dubai, Abu Dhabi, Doha

"This was the best GDPR-focused conference I have ever been to. This was not just a high-level look into requirements, but an in-depth educational experience for myself and my colleagues."

Page 27: Visit Our Booth

• Product demos
• Full text GDPR books
• Free tools & templates
• GDPR workshops