Privacy professionals who deal with EU regulations will need to rehearse their procedures for handling security breaches, panelists speaking at IAPP's Data Protection Congress 2016 in Brussels, Belgium, recently agreed.
The General Data Protection Regulation, which becomes effective in May 2018, requires companies suffering personal data breaches to notify regulators within 72 hours of discovering the breach. The Network and Information Systems (NIS) Directive, which has a similar timeframe, also introduces breach notification obligations for essential services such as banking and transport, although its transposition into various member states' laws will make it less harmonized than the regulation.
"You have to rehearse this stuff and it needs to be rehearsed from the CEO downwards. It's about the company's reputation," said Adrian Davis, EMEA managing director for the International Information System Security Certification Consortium, or (ISC)².
Davis brought up the examples of two major breaches in the U.K.: the late-2015 theft of more than 150,000 customers' details from telecoms firm TalkTalk, and this month's theft of 9,000 customers' cash from Tesco Bank. "[TalkTalk CEO Dido Harding] put herself out there and three days later she was a broken woman because it went so badly. Compare that with Tesco where they went radio-silent," he said, noting that neither company handled their respective incidents well.
"Practice, practice and practice," concurred Quentin Taylor, Canon Europe's information-security director. "Do those exercises where you really test people. If you don’t practice, the first time you get to check if your processes and procedures work is when a real data breach occurs."
Robert Ball, chief legal counsel at Ionic Security, stressed that the correct procedures would be "cross-disciplinary, part of a large corporate compliance incident response plan." Davis, too, said: "First go talk to IT and security, because they're going, 'How do we do this? Help,' and have no idea you are [doing the same]."
However, Davis also suggested that the new mandates for breach notifications could end up clogging the system for a while. He pointed out how supermarkets in the U.K. had found that common stockroom thefts fell under the Proceeds of Crime Act, the country's main anti-money-laundering legislation, leaving them obliged to raise "hundreds of thousands of money-laundering reporting documents."
"It took about three years for everybody to classify and work out what was important, and I think the same thing is going to happen here," he said. "Our [data protection authorities] are going to get absolutely buried, and we're going to miss some of the more important breaches because people are over-reporting."
Taylor said he thought mandatory data breach notifications were an "excellent idea" because they would "force companies to take data protection seriously," but added that he worried "we might end up with breach fatigue," resulting in customers becoming "blasé" about all the breaches that they hear about.
Ball pointed out that 72 hours is a "very short window" in which to evaluate how serious a breach is. Indeed, as Alston & Bird partner Jan Dhont explained, data controllers have to notify data protection authorities about the nature of the personal data that has been affected, the number of individuals and the number of records that have been affected. However, Dhont added that it was possible to "phase" the information given to the authorities as it becomes available. "Breaches are, in cases, complex," he said.
Recently, Paul Nemitz from the European Commission's justice directorate recommended that companies invest in security in order to comply with the GDPR. He argued that the EU courts were likely to interpret the GDPR as demanding state-of-the-art security and suggested that these investments may help reduce the levels of fines that companies might incur after a serious personal data breach.
However, some of the panelists expressed skepticism over encryption of the personal data being any kind of cure-all. "If you don't look after the encryption key, then you are back to square one," said Davis. "Encryption is only a tool to help you; it is not the tool. You need processes as well. If you don't set your processes up properly, then forget it."
Taylor referred to the recent appearance of U.S. National Security Agency hacking tools in the hands of the "Shadow Brokers" group, which is trying to auction the tools. "Some of those tools have been shown to blow holes in manufacturers' products," he said. "I wouldn't rely on encryption."
The panelists also bemoaned the state of security for data held in the cloud, with Davis arguing that tight-margined cloud providers add "the minimum [security] they can get away with," and Taylor adding: "We're not at that point where security will be a thing most customers pay more for."
Truly, many players in the ecosystem seem to have a lot to consider before those notification mandates come into force in 18 months' time.