Because data breaches and other security incidents are the dominant cause of regulatory fines in areas such as security and data protection, preventing them and managing them properly has become a priority for many organizations. Appropriate technical and organizational measures are essential to prevent incidents. When an incident does occur, however, it can be hard to identify and follow all the applicable rules and mandatory notifications of the different regulators involved.
To flesh this out, this article compares three EU legal acts that carry incident reporting obligations, the General Data Protection Regulation (GDPR), the Second Payment Services Directive (PSD2) and the Network and Information Security Directive (NIS Directive), looks for synergies and areas of overlap, and derives simple, efficient guidelines for companies that fall under more than one of these frameworks.
Personal data breach according to GDPR
Probably the most familiar law regarding incident management obligations is the GDPR. A controller in the European Economic Area that suffers a personal data breach must notify the competent supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33), without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected persons (Article 34).
Guidelines on how to assess whether the risk is high enough to trigger these notification duties, with practical examples, were issued by the Article 29 Working Party and have since been endorsed by its successor, the European Data Protection Board.
Several companies have already faced large fines from data protection regulators over data breaches. The U.K. Information Commissioner's Office fined British Airways 20 million pounds for failing to protect the personal and financial details of more than 400,000 customers, and fined the Marriott International hotel group 18.4 million pounds for a breach of the Starwood guest reservation database that Marriott inherited when it acquired Starwood. A telecommunications company in Germany was fined almost 10 million euros for insufficient measures to prevent unauthorized access to personal data.
According to a DLA Piper survey published at the beginning of 2020, more than 160,000 data breach notifications had been filed across the EU, Norway, Iceland and Liechtenstein since the GDPR became applicable, and the fines imposed in that period totaled 114 million euros. These figures show how much depends on proper data breach management.
Other EU regulations on security incidents
As the comparison above suggests, the GDPR is neither the first nor the only EU legal act with incident management requirements. Three different legal acts regulating security incidents and the related rights and duties became applicable within roughly a year of each other. The other two frameworks are described below.
Second Payment Services Directive
The PSD2 and its implementing acts oblige all payment service providers, i.e. banks, electronic money institutions and payment institutions, including payment initiation service providers and account information service providers, to implement appropriate security measures and to manage operational and security incidents. In the event of a major operational or security incident, the payment service provider must notify the competent authority of its home Member State, which is usually the central bank, without undue delay. If the incident has or may have an impact on the financial interests of its payment service users, the provider must also inform them of the incident and of all measures they can take to mitigate its adverse effects (Article 96 of the PSD2).
The European Banking Authority has published detailed guidelines on how to assess an individual incident and its severity against seven criteria, such as the number of payment service users and transactions affected, the service downtime or the reputational impact of the incident. The guidelines also include standard notification templates and the procedures for notifying such incidents.
Network and Information Security Directive
The NIS Directive regulates the security of network and information systems for certain categories of entities. These are mainly operators of essential services, i.e. organizations of significant size in sectors such as electricity generation, distribution and transmission, banking, financial market infrastructure and health care, and digital service providers, i.e. providers of online marketplaces, online search engines or cloud computing services.
These organizations must implement appropriate and proportionate technical and organizational measures and manage security incidents. They must notify incidents with a significant impact to the competent authority (typically the national cybersecurity agency) or to the relevant computer security incident response team (CSIRT), again without undue delay.
All three legal acts protect different public interests: the development, protection and security of the internal market for payments (PSD2), the privacy and other fundamental rights of individuals (GDPR), and the security of the network and information systems behind vital services (NIS Directive).
The definition of an incident, the criteria for assessing its severity, the scope of the obliged organizations, the notification lines and the notification deadlines all differ between the three acts. Nevertheless, a single entity can fall under two, or even all three, regimes for the same incident: a bank, for example, is a payment service provider under the PSD2, may be an operator of essential services under the NIS Directive, and is a controller of its customers' personal data under the GDPR. Running two or three separate internal processes adds considerable complexity and consumes capacity at the expense of the security work itself.
How to lower the complexity of security incident management
Security incidents are defined slightly differently in each of the three acts, and the same applies to the corresponding processes. To avoid unnecessary complexity, organizations that must manage incidents under two or three regulatory frameworks can implement the following common measures:
- Create a single internal escalation channel for reporting all types of incidents, including malfunctions of applications or transmission systems, unavailability of internal information, and data breaches. This makes escalation simpler for employees and gives the organization more time to deal with each incident.
- Create one department to assess, or to coordinate the assessment of, all regulatory relevant incidents. This department should determine which regulations apply to a specific incident and evaluate its severity under each of them. This avoids incidents being assessed in isolation, without regard to other regulatory obligations: if one department assesses an incident only from a cybersecurity point of view, the organization may overlook other duties (such as notifying the data protection authority), leading to a breach of law or unjustifiable delays.
- Create a separate department responsible for notifying and communicating with the relevant regulators and affected individuals. A single communication tone, style and scope of information help manage the impact of the incident and lower the related regulatory and reputational risks.
- Keep one register that records, among other things, a description of each incident, the date of occurrence and the date of internal escalation, its severity, its impact on information security (confidentiality, integrity and availability of information or systems), its impact on affected persons, the applicable regulations, and the next steps toward regulators and affected persons. Such a register helps improve both the incident management process and information security itself.
- Provide unified internal training that covers all incident handling and the obligations of each employee. Employees, especially in large companies, are usually overwhelmed with training. A single training session on incident handling, the importance of a quick reaction and the internal escalation lines lowers this burden and increases the quality and benefit of the training. Back it with a simple, brief procedure or internal guideline that deals with the topic in a consolidated manner and serves as a practical, at-hand guide with clear, step-by-step instructions on what to do in case of an incident.
Conclusion
Designing and implementing an efficient incident management system that considers all relevant regulatory aspects is not an easy task. At a time of stringent regulatory requirements in every area, it is key to look at the common points of the different regulations and to integrate them into a single compliance system.
Moreover, efforts to unify requirements and simplify reporting processes would be welcomed by the regulatory authorities. There is no doubt that proper data breach management is an important topic and that every organization could benefit from harmonized rules.