Data and Privacy Protection Legislation
Organizations that hold or process personal data have duties placed upon them to protect and safeguard that data. Modern legislation typically includes restrictions on the selling and buying of personal data, and on the purposes behind the collection of the data. The data subject or consumer has rights related to their personal data, and further obligations are placed on organizations to uphold and service those rights.
Failure to comply with your local data protection or privacy legislation—or any similar legislation from other geographical regions that apply to you—will have serious consequences. The loss of trust by customers damages what is often an organization’s greatest asset: its reputation.
Of course, there are more quantifiable damages too. Most legislation has the power to enforce financial penalties. The General Data Protection Regulation (GDPR) can see fines of EUR 20 million or 4 percent of the previous year’s annual global turnover—whichever is greater—imposed for the most serious infractions. These fines are imposed by the data protection Supervisory Authority of the relevant European country, or by the European Commission if the violation affects the citizens of multiple countries.
The Californian Consumer Privacy Act (CCPA) also provides for fines to be levied for non-compliances. They are enforced by the California attorney general’s office. There are civil penalties of USD 2,500 for each violation or USD 7,500 for each subsequent violation following the first incident, after a 30-day window of opportunity to apply remediation to fix the technical or procedural shortcoming that led to the original non-compliance.
Likely to have a larger impact, the CCPA also provides for private plaintiff’s to bring a civil action against the organization if the incident was a breach—unauthorized access and exfiltration, theft, or disclosure of personal data—that occurred because of a failure to implement reasonable security procedures and practices proportional to the nature of the personal information that was lost.
The CCPA is seen as something of a blueprint for other states to enact their own data and privacy protection laws. Nevada has already enacted some changes. The New York Privacy Act (NYPA) and the Washington State Privacy Act (WSPA) both failed to pass their legislative sessions in 2019, but there is an expectation that they will be resubmitted with changes.
Data Breach Investigations
Obviously, every effort should be made to prevent data breaches from occurring. But, no matter how secure your network, data breaches can happen. Breaches can result from a successful cyberattack such as a doxxing. And in Europe, it’s worth noting that the GDPR considers a ransomware attack a data breach because you’ve lost control of the data. Data breaches can result from the malicious intentions of a disgruntled insider or a staff leaver. They can arise from human error or an innocent mistake.
If you suffer a breach that’s serious enough to attract the attention of the authority behind your data protection legislation, there’ll be an investigation. Typically the investigators will consider some or all of the following points. Their findings in each case will either be a point in your favor or a point against you. The size of the fines in some cases can be reduced or increased according to the rating they give your network security, data governance and protection, and the facts of the incident itself.
The severity of the Breach What happened, and what was it that permitted the breach to occur? How many individual data subjects have been affected? If it was special category data such as medical or political information, or the personal data of children, the incident will be considered more serious. Root Cause of the Breach A deeper look at the circumstances that allowed the breach to occur. For example, was the network security penetrated, or were operational procedures ignored by an insider? What was the security failure, and how could it have been prevented? Saying it was an employee failing to follow procedure isn’t enough to get you off the hook. Because of the legal concepts of vicarious liability and respondeat superior an organization can be responsible for the actions of one of its employees. Communication and Mitigation Were there any actions you could have taken to lessen the impact of the breach for the affected data subjects, and did you take them? Did you alert the data subjects at the earliest opportunity, and did you provide advice to them? Did they know what happened, how it was likely to affect them, what you were doing about it, and what actions they should take? Network Security What steps had you taken to harden and protect your network? It’ll be obvious to the investigators if you take cyber security seriously—using technological measures, policies, and procedures, and staff awareness training—or if you run a plain vanilla network and just hope the bad things don’t happen to you. Previous Record Do you have a history of data breaches? If this is your first data breach you’ll be in a slightly better position than if this is the latest in a string of breaches. Cooperation How willingly you cooperate with the investigators and the Supervisory Authority will be noted. An open and honest approach is best. Don’t treat the investigators as the enemy. They’ll be able to provide great advice for picking off the low-hanging fruit to bolster your security. Tighter security doesn’t have to cost a fortune. Get their input and act on it. And give them the access and information they ask for. Formal Reporting Did you report the breach to the Supervisory Authority within their prescribed timescales? The worst-case scenario is when a data subject reports it before you do. If the breach was a result of a malicious action—internal or external—remember to report it to law enforcement. Certification Are you certified to any relevant quality scheme such as ISO/IEC 27001 or the United Kingdom’s Cyber Essentials? There are no certification schemes for Data Protection legislations, including CCPA and GDPR, so it is difficult to prove you are compliant. You must put in place the documentation and governance, notices on your website, and improve your security and operating practices as required, but no one will come behind you and rubber stamp your efforts. Having a certification in a cyber security or security management quality system won’t prove you’re compliant with the legislation but it will show that you are serious about data protection and privacy and that you are running to an approved and recognized system.
Planning Your Policy
Done thoroughly, there’s a lot of spadework and information gathering to be done before the Breach Handling Policy can even be drafted. Some of these action steps will need to be repeated periodically because situations change. And if they change, your policy might need to reflect the impact of those changes.
Identify Your Greatest Risks
This shows you what the most likely breach scenarios will look like. While you’re at it, do what remediation or mitigation you can to minimize the risks. You may choose to segment your network, use encryption, implement an intrusion detection system, set up automatic log gathering and scanning, or some other technological step that will provide alerts that something is wrong, and a degree of containment if there is an incident.
Perform Mapping Exercises
Create or update your Hardware Asset Register, and map your network. Understand what your hardware estate looks like, how it is aging, what will need replacing or upgrading, and when.
Perform a data mapping exercise—also called data landscaping—and record where your data resides, what it contains, who has access to it, and all other required information about your data that the legislation demands. You might have to record your purposes for gathering, processing, or storing the data, and who you share it with. You may need to record and retain evidence of consent if you have no other lawful basis for having that data. All of this will form your Data Asset Register.
Identify and rationalize user rights and privileges. Limit them as much as possible. Ensure you have a “new starter/leaver/role change” procedure to govern how you create or adjust privileges for new accounts and role changes, and to lock old accounts when someone leaves the organization.
Early Detection Is Vital
Infiltration of a network may go unnoticed. Unless the breach is detected and alerted to IT staff, threat actors may lurk in your network for days, weeks, or months.
An intrusion detection system (IDS) is a good idea, there are excellent open-source offerings such as Snort. It is important to establish a baseline of normal activity so that suspicious activity can be identified.
If your IDS detects suspicious connection attempts you might be able to stop the breach before it occurs. If log analysis uncovers inexplicable—but successful—connections made out of hours or from geographically puzzling IP addresses it may indicate that threat actors have managed to gain access.
The aim is to detect and act on threats as they arise, and prevent access in real-time, and to detect suspicious behavior to identify unauthorized access if they have managed to connect.
Dress Rehearsals
Once you’ve drafted your policy, give it a dry run. In the midst of a crisis, you need staff to follow it, not to go off-piste. Rehearsing the plan with the stakeholders and other players—the incident team—helps to drive home that the best strategy is to follow the policy, not to have scattered and over-excited people acting independently and often flailing counter-productively. Real breaches can have a dead-locked “busy but paralyzed” effect.
Doing incident walk-throughs and simulations to rehearse the policy allows the policy to be tweaked and improved. It establishes who has responsibility for what, and in what order the steps should be performed. It makes little sense to alert your Supervisory Authority, for example, before you have characterized the breach. Wait until you know how many records have been exposed and what type of personal data they contain.
Communication Is Vital
Don’t forget communication. This is one way you will be measured by the Supervisory Authority, customers, and affected data subjects alike. Assign responsibility for communications to a team or department. Ensure that only official channels are used to provide updates and have a single point of communication release. Update early and often and use simple, plain English. Be honest and transparent.
Remember to brief your own staff on what has happened. After all, their own data is in your network so they might be affected by the breach too. As a minimum, they need to know enough to field inquiries and to direct concerned callers to the official statement on your website.
You’ll also need to keep the C-suite or board of directors informed of the incident, and progress as you work through to resolution.
Provide Detailed Guidance
When a potential breach is suspected the incident team must be informed as a heads-up, and the policy followed to verify whether the breach is genuine. If it is, the team can be scrambled and start to assess the scope and impact. Was personal data involved in the breach, if so how many data subjects are involved? Has special category personal data been exposed?
Armed with this knowledge, the IT team can move to containment and remediation, and the communication team can start their cycle of updates and advice. It might be necessary, depending on the legislation you’re operating under, to contact all of the affected data subjects directly. GDPR requires this.
The steps need to be detailed and clear, but not so long-winded the teams spend their time reading instead of doing. Flowcharts and prioritized bullet lists are better than pages of dense text.
Breaches are sometimes unavoidable, but a strong response plan will help you minimize the disruption to business operations, the effect on data subjects, and the punitive measures from the Supervisory Authority.