Incident Reporting Requirements Under GDPR and CCPA Require Effective Incident Response

By John Patzakis
October 15, 2019

The European General Data Protection Regulation (GDPR) is now in effect, but many organizations have not fully implemented compliance programs. For many organizations, one of the top challenges is complying with the GDPR’s tight 72-hour data breach notification window. Under GDPR article 33, breach notification is mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within 72 hours of first having become aware of the breach.  Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.GDPR-stamp

In order to comply, organizations must accelerate their incident response times to quickly detect and identify a breach within their networks, systems, or applications, and must also improve their overall privacy and security processes. Being able to follow the GDPR’s mandate for data breach reporting is equally important as being able to act quickly when the breach hits. Proper incident response planning and practice are essential for any privacy and security team, but the GDPR’s harsh penalties amplify the need to be prepared.

It is important, however, to note that the GDPR does not mandate reporting for every network security breach. It only requires reporting for breaches impacting the “personal data” of EU subjects. And Article 33 specifically notes that reporting is not required where “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”

The California Consumer Privacy Act contains similar provisions. Notification is only required if a California resident’s data is actually compromised.

So after a network breach is identified, determining whether the personal data of an EU or California citizen was actually compromised is critical not only to comply where a breach actually occurred, but also limit unnecessary or over reporting where an effective response analysis can rule out an actual personal data breach.

These breaches are perpetrated by outside hackers, as well as insiders. An insider is any individual who has authorized access to corporate networks, systems or data.  This may include employees, contractors, or others with permission to access an organizations’ systems. With the increased volume of data and the increased sophistication and determination of attackers looking to exploit unwitting insiders or recruit malicious insiders, businesses are more susceptible to insider threats than ever before.

Much of the evidence of the scope of computer security incidents and whether subject personal data was actually compromised are not found in firewall logs and typically cannot be flagged or blocked by intrusion detection or intrusion prevention systems. Instead, much of that information is found in the emails and locally stored documents of end users spread throughout the enterprise on file servers and laptops. To detect, identify and effectively report on data breaches, organizations need to be able to search across this data in an effective and scalable manner. Additionally, proactive search efforts can identify potential security violations such as misplaced sensitive IP, or personal customer data or even password “cheat sheets” stored in local documents.

To date, organizations have employed limited technical approaches to try and identify unstructured distributed data stored across the enterprise, enduring many struggles. For instance, forensic software agent-based crawling methods are commonly attempted but cause repeated high computer resource utilization for each search initiated and network bandwidth limitations are being pushed to the limits rendering this approach ineffective, and preventing any compliance within tight reporting deadlines. So being able to search and audit across at least several hundred distributed end points in a repeatable and expedient fashion is effectively impossible under this approach.

What has always been needed is gaining immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and return results within minutes instead of days or weeks. None of the traditional approaches come close to meeting this requirement. This requirement, however, can be met by the latest innovations in enterprise eDiscovery software.

X1 Distributed GRC  represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints from a central location.  Legal, cybersecurity, and compliance teams can easily perform unified complex searches across both unstructured content and metadata, and obtain statistical insight into the data in minutes, instead of days or weeks. With X1 Distributed GRC, organizations can proactively or reactively search for confidential data leakage and also keyword signatures of personal data breach attacks, such as customized spear phishing attacks. X1 is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs and quickens response times while greatly mitigating risk and disruption to operations.