Incident Response and General Data Protection Regulation
Contributors: Matt Aubert
A new regulation is upon us. Set to take effect on May 25th, 2018, the General Data Protection Regulation (GDPR) is a new law implemented within the European Union (EU) to provide stronger protections for personally identifiable information collected, processed, and stored by business entities. In a globalized economy, the GDPR will have a significant impact on the technical and organizational measures of many non-European companies. Any organization that collects and processes information belonging to EU citizens will have to comply with provisions specified under the new convention. For this reason, corporations of all sizes are scrambling to meet the requirements as the final implementation date of the law quickly approaches.
GDPR deals with numerous aspects of the corporate structure. This article will address provisions related to Incident Response (IR) planning. To underline the need for a validated IR procedure, this post will reference specific parts of the law. A proven IR plan will lend GDPR compliance and provide a framework for practical Incident Response.
Incident Response Planning and Testing
Having an incident response plan is a significant step toward preparing for GDPR. Article 29 Data Protection Working Party, set up specifically to clarify parts of the GDPR, agreed that breach prevention and response is key to any security policy. Specifically, Article 32 of the law states that technical and organizational measures need to provide:
“(b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data on time in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”
Before moving further, it is important to note that GDPR details the difference between a security incident and a “personal data breach.” Per Article 4(12), a personal data breach is:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Effective incident response plans should clearly define a course of actions for when a security incident involves what constitutes as personal data under the GDPR. It is important to state that not all security incidents will result in loss, destruction or damage of such data. For that reason, such instances would not fall under GDPR’s scope and breach notification requirements.
Incident response procedures should ensure that all related points listed in the GDPR are addressed explicitly in the identification, containment, eradication, recovery, and post-incident stages of the incident response lifecycle. Additionally, those procedures should be continuously reviewed and practiced using scenarios based on real-life situations.
For the Cisco Incident Response Service, this means an alignment of our proactive services to meet clients’ need to prepare for GDPR. Our IR retainer service extends three proactive services: table-top exercises, incident response readiness assessments, and incident response plan and playbook development. All align with preparation for the law.
Drafting security plans can be a painstaking task. Third-party review can provide a fresh set of eyes to find gaps in documentation or the security stack. We help draft custom IR policies to fit organizations’ needs. Such plans will enable teams to provide swift response to security incidents. Planning can help lift the fog and allow teams to see the path to recovery, all while staying up-to-date with GDPR’s new requirements.
As the General Data Protection Regulation is dissected, all incident response teams need to be aware of the breach reporting requirements that will be introduced with the upcoming legislation. It is the incident responders’ responsibility to seek out and report the truth if an appropriate level of certainty exists that personal data was breached. When such determination is made, the incident response plans in place need to address both the notification to the supervisory authority and the data subjects themselves.
Article 33(1) states that:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
Additionally, the organization impacted by the breach is now responsible for informing the affected subjects per below excerpt from Article 34(1):
“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
Of course, not all personal data breaches will result in “a high risk to the rights and freedoms of natural persons.” Incident responders need to have a clear set of documented guidelines on when to initiate breach notification processes. With the above requirements in place, possessing stress-tested incident response plan is more important than ever. A 72-hour notification window requires that the teams in charge of responding to security incidents are not only enabled in detection but also skilled and experienced in following the incident response procedures in place.
Table-top exercises are a great way to test whether your team understands the incident response plan and whether all stakeholders know their responsibilities during high-stress situations. At Cisco, each organizations’ people, processes, and technology are taken into account when developing a relatable Table-top Exercise. Keeping the participants engrossed throughout the exercise allows for a successful examination of how the jncident response process would be performed during real-life scenarios. To gain an idea of how our Cisco Incident Response team handles incidents, please watch a replay of one of the recent webinars, “Dissecting a Breach: An Incident Responder’s Perspective”.
Financial fines introduced by GDPR are steep. Per Article 83(5), penalties can amount to 20 million Euros or 4% of global turnover. The large sums specified here deal mostly with how organizations collect, process, and enable data that belongs to EU citizens. Such policies are almost always completely out of the hands of incident responders. However, it is important to note that by having inadequate technical and organizational measures in place, organizations will now be also subject to administrative fines as specified in Article 83(4):
“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).”
The above referenced GDPR Articles largely relate to incorporation of security and data protection in the Information Security and Technology departments within organizations in question. Security preparedness policies such as incident response would fall within these articles, and lack of the necessary incident response plan would amount to fines specified in the article.
Reaching compliance under GDPR should not be a matter of satisfying regulatory checkboxes. A proven incident response plan can help organizations detect and contain incidents before they result in personal data breaches. Massive data exfiltration is usually the byproduct of adversaries residing within the networks for prolonged periods of time. On many occasions, failures within the incident response stages is what allows the attackers to maintain in an environment or remain unnoticed altogether. A successful IR implementation will not only stop attackers from wreaking additional havoc in organizations’ networks but allow for avoidance of GDPR related violations while ensuring strong positive brand recognition.
Having a partner who can help guide through the new regulation will provide practical improvements to the overall security posture. Identifying errors in security is difficult without an unbiased third-party review. Services such as Cisco Incident Response can provide that type of expert review.
Additional information on GDPR can be found here.