New GDPR regulations require organisations to report a data breach within 72 hours – something Barbara Kay, Senior Director of Security at ExtraHop, says might not be long enough for some. She talks to Intelligent CISO about some of the steps organisations need to take to ensure they are compliant.
Three days isn’t a long time. For some, it certainly won’t be enough to delve into the cracks of a breached organisation, lift minute details from the wreckage and explain to the government and customers why, how and to whom it happened.
Still, that’s the timeframe in which GDPR-compliant organisations will be expected to notify the regulator of a breach, with the affected individuals to be told without undue delay where the risk to them is high.
The requirement can be found in GDPR’s Articles 33 and 34. Article 33 requires the controller to notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of a breach, unless the breach is unlikely to result in a risk to people’s rights and freedoms. Article 34 requires the controller to communicate the breach to the affected data subjects without undue delay when it is likely to result in a high risk to them. The 72-hour clock, in other words, runs on the notification to the regulator, not on the communication to the individuals whose data it was.
Under those requirements, organisations are going to have to ‘describe the nature of the personal data breach’, including, where possible, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Producing that in practice involves drawing out a number of fine details. These include:
- how the breach happened
- how many data records were taken, and of which categories
- whose they were
- what the impact of that breach might be to them
- how the breached organisation was using the exposed data
- the forensic details of the breach
- any remediation or mitigation plans that they have in place
And all of this will be done, the GDPR text states, ‘without undue delay’.
There are only a few exceptions to these rules: a breach that is unlikely to result in a risk to individuals need not be notified to the regulator. Even then, Article 33(5) requires organisations to document every breach, its effects and the remedial action taken, so that the regulator can verify compliance.
A failure to notify falls in the lower of GDPR’s two fine tiers: up to €10 million or 2% of global annual turnover, whichever is higher. Failing to fulfil other GDPR obligations, such as the data-protection principles or data-subject rights, can mean fines that run as high as €20 million or 4% of global annual turnover.
The ability to quickly detect, respond and, most importantly, investigate breaches will mean a lot when it comes to meeting those obligations. It already takes a median of 101 days – according to Mandiant – before an organisation even discovers a breach, but when that breach is spotted, how quickly will they be able to investigate and report on it?
Most enterprises simply can’t monitor, detect, investigate or respond in the way that they need to effectively disclose within that 72-hour window.
It seems that most organisations freely admit that. A recent survey by the Ponemon Institute and the law firm McDermott Will & Emery showed that 83% of companies list reporting as the most difficult aspect of GDPR. What is perhaps more encouraging is that 68% realise that failing to comply with this aspect of the regulation poses the biggest risk to them.
Reporting is currently hamstrung by a number of problems that make a swift and detailed submission to the regulator that much harder. They centre on four key areas of the process: scoping and root cause analysis, followed by containment and mitigation.
Scoping and root cause analysis are related but not the same. Scoping will help you understand the size of the impact crater – how much damage was done in the breach. The SOC is best prepared when it has an accurate catalogue of the assets in the environment and which data each of them processes. With regard to GDPR, that means personal data.
You’ll need to effectively scope in order to begin root cause analysis, which requires the analyst to thoroughly explore and trace the activities and touch points of the attacker en-route to the exfiltration. This means finding accurate and current data on transactions and time series and then forensically reconstructing the steps of how an attacker broke into and made their way through your network. It also often means sifting through the human errors or simple misconfigurations that so often lead to breaches.
Essential to these digital forensics will be attaining visibility into the late stages of an attack. Often, enterprises focus on the information going in and out of their networks – North-South traffic – but on its own, this provides only a partial vision of what is going on inside a network.
In reconstructing an attack, looking at North-South traffic – how someone gained access to your network – is as important as analysing East-West traffic – what’s going on within your network. Both will be decisive in establishing root cause. This kind of visibility will allow you to answer vital questions like how systems were compromised, which hosts provided a base camp for the attacker, what type of data was breached and how and to where the breached data was exfiltrated.
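The kind of reconstruction described in the paragraphs above, replaying network flow records to trace an attacker from north-south entry through east-west pivots to exfiltration and then mapping the compromised hosts onto an asset inventory to scope the notification, as an added example. This is illustration code written for this page, not code from ExtraHop or from the original article. It assumes flow records of the form (timestamp, source, destination, destination port, bytes), RFC 1918 ranges as the internal network, a known attacker address as the starting indicator (for instance from an alert), an inventory of which personal-data categories and record counts each host holds, and a byte threshold for calling an outbound transfer exfiltration. All sample flows and inventory entries are constructed.

```python
"""Trace an intrusion across north-south and east-west flows and scope the breach.

Added example for this page; not ExtraHop code and not part of the original article.
"""
import ipaddress

# Assumption: the organisation's internal address space is RFC 1918.
# Anything outside these ranges is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records, not a real capture.
# Fields: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes_sent_by_src)
FLOWS = [
    (50,  "10.0.4.40",   "10.0.1.10",    443,  500),          # ordinary internal client, before the breach
    (100, "203.0.113.7", "10.0.1.10",    443,  1_200),        # attacker -> web server: north-south entry
    (160, "10.0.1.10",   "10.0.2.20",    445,  8_000),        # web server -> file server: east-west pivot
    (400, "10.0.2.20",   "10.0.3.30",    1433, 2_500),        # file server -> database: east-west pivot
    (450, "10.0.5.50",   "10.0.3.30",    1433, 900),          # legitimate app-server query: no propagation
    (500, "10.0.2.20",   "192.0.2.55",   443,  4_000),        # small beacon-sized outbound contact
    (900, "10.0.3.30",   "198.51.100.9", 443,  250_000_000),  # database -> external: exfiltration
]

# Constructed asset inventory: host -> (name, categories of personal data held, record count)
ASSETS = {
    "10.0.1.10": ("web-01", set(), 0),
    "10.0.2.20": ("files-01", {"HR records"}, 1_500),
    "10.0.3.30": ("db-01", {"customer contact details", "payment card tokens"}, 250_000),
    "10.0.4.40": ("ws-040", set(), 0),
    "10.0.5.50": ("app-01", set(), 0),
}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src: str, dst: str) -> str:
    """Classify a flow as east-west (internal to internal) or north-south."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"


def trace_intrusion(flows, attacker_ips, exfil_threshold=100_000_000):
    """Replay flows in time order, starting from known attacker addresses.

    A host is marked compromised when an attacker address connects to it
    (north-south) or when an already compromised host connects to it
    (east-west). Outbound flows from compromised hosts are candidate command
    and control or exfiltration; those above exfil_threshold bytes are
    reported as exfiltration. This over-approximates: every later connection
    from a compromised host counts as a pivot, so the output is an
    investigation lead, not proof.
    """
    compromised = {}  # host -> timestamp of first suspected compromise
    pivots, outbound, exfil = [], [], []
    for ts, src, dst, port, nbytes in sorted(flows):
        if src in attacker_ips and is_internal(dst):
            compromised.setdefault(dst, ts)
        elif src in compromised:
            if is_internal(dst):
                if dst not in compromised:
                    compromised[dst] = ts
                    pivots.append((ts, src, dst, port))
            else:
                outbound.append((ts, src, dst, port, nbytes))
                if nbytes >= exfil_threshold:
                    exfil.append((ts, src, dst, port, nbytes))
    return compromised, pivots, outbound, exfil


def scope_breach(compromised, assets):
    """Map compromised hosts onto the inventory to produce the Article 33(3)(a)
    figures: which categories of personal data and approximately how many records."""
    categories, records, hosts = set(), 0, []
    for host in compromised:
        name, cats, count = assets.get(host, (host, set(), 0))
        hosts.append(name)
        if cats:
            categories |= cats
            records += count
    return {"hosts": sorted(hosts), "categories": sorted(categories), "approx_records": records}


if __name__ == "__main__":
    comp, piv, out, exf = trace_intrusion(FLOWS, {"203.0.113.7"})
    for ts, src, dst, port in piv:
        print(f"t={ts}: {direction(src, dst)} pivot {src} -> {dst}:{port}")
    for ts, src, dst, port, nbytes in exf:
        print(f"t={ts}: exfiltration {src} -> {dst}:{port} ({nbytes} bytes)")
    print(scope_breach(comp, ASSETS))
```

Two points to note when using something like this on real data. The propagation rule only follows connections initiated by a compromised host, so a legitimate client querying a compromised database (the 10.0.5.50 flow) is not marked, but an attacker who reuses stolen credentials from a different, uncompromised machine would be missed; that is exactly the gap a full east-west record (and authentication logs) has to close. And the scope figures are only as good as the inventory: a host missing from ASSETS contributes nothing to the record count, which is how a first disclosure ends up being amended later.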
Good scoping and root cause analysis will allow you to understand the nature and size of the disclosure you need to make, and to feed process improvements back into the business so that future threats are better contained and mitigated. They will help you ensure that your reporting is complete the first time, and that there is no additional damage you later have to notify to consumers and regulators.
While many consumers are by now used to seeing breaches in the daily news, they’re more sensitive to serial disclosures of the same breach affecting the same brand again and again. If reporting is not complete and needs to be amended, repeated statements, apologies and interrogations in the press will not go down well with the spending public. First impressions matter and if you mess up your first disclosure, you may be setting yourself up for reputational damage more costly than any fine.
These four areas are integral to GDPR breach notification. Without them you’ll only be treating symptoms while leaving the cancer to spread. But these steps, effectively implemented, will prepare you for much more than just compliance.