Responding To Data Breach Incidents

Data Breaches can occur anywhere and without any warning – in spite of implementing all the required protocols and processes. At such times, an ideal response plan provides a clear roadmap by referring to recommended Standard Operating Procedures (SOPs) when a breach is discovered. It is detrimental for companies who take their time in reporting breaches as fines can be hefty. This is the case for Twitter (fined €450,000) and Booking.com (fined €475,000) who found out that delayed data breach notification is a costly affair!

When is Data Breach notification required?

Before we start, let’s review the data breach notification flowchart to understand when notification is required according to regulations so that organisations will know when to put the response plan into action.

Timeframes for Notification

The Personal Data Protection Commission (PDPC)'s infographic below illustrates the timelines for assessment and notification of data breaches to the PDPC and affected individuals.

Upon determining that a data breach is notifiable, the organisation must notify:

1. The Commission as soon as practicable, but in any case, no later than three (3) calendar days; and
2. where required, affected individuals as soon as practicable, at the same time or after notifying the Commission.

These timeframes for notifying the Commission and/or the affected individuals commences from the time the organisation determines that the data breach is notifiable. Any unreasonable delays in notifying the relevant parties will be a breach of the Data Breach Notification (DBN) Obligation.

Where an organisation is required to notify affected individuals of a data breach, it should notify the affected individuals at the same time or after it notifies the Commission.

Source: Personal Data Protection Commission, Singapore

Key Recommendations

In order to effectively manage various nuances of responding to data breaches in a timely and accurate manner, it is recommended to follow a systematic approach via the Data Protection Management Plan (DPMP). An organisation should consider the following factors as they are interconnected when putting this plan into place:

1. Data Inventory: Required for Data Mapping
2. Data Mapping: Mandatory to map data for identifying risks
3. Identifying Risks and what can be done:
   1. Accept Risks
   2. Avoid Risks
   3. Reduce Risks
   4. Treat the Risks

A comprehensive DPMP can help in plugging gaps by drawing attention towards questions like:

• Is everything in place to comply with the protection obligation?
• Has penetration testing and vulnerability assessment been conducted?
• Is there a budget in place?
• Has there been a management sign-off to the plan?

C-A-R-E: The 4-Step Framework:

The Singapore’s PDPC also has a good framework for organisations to start the Data Breach Response plan in the form of the acronym, CARE (Contain, Assess, Respond and Evaluate). In a separate article on managing data breach response, we have included the details on the CARE framework.

Can incident handling be automated?

It is possible for incident handling to be automated to an extent as there are some software platforms that enable the Data Protection Officer (DPO) to manage the data breach response activities. Straits Interactive’s DPOinBOX platform is one such platform.

The following images are screenshots of incidents & requests from the DPOinBOX, a platform which aids organisations in managing their DPMP.

The DPOinBOX software also incorporates the CARE (Contain, Assess, Report and Evaluate) framework mentioned earlier. This systematic approach of recording incidents through each category in CARE helps the DPO manage the breach more effectively. In this case, the DPO is inputting details of the loss of the hard disk incident.

After the inputs, the DPOinBOX software delves deeper into the details of the incident by having an incident analysis function. The DPO can use this function to generate the recommended actions for incident response.

The Breach Management function in DPOinBOX provides the DPO with an overview of the breach incidents and requests. In this section, DPOs can find information about the incidents, including the nature, date, staff who reported it and when it was reported. These details are useful especially when having to present to either management or the regulators if it is a notifiable breach.

Conclusion

In this digital age, data breaches can occur in any organisation, at any time. It is critical for organisations to understand the timelines involved in reporting breaches to the regulators and what information is needed when reporting. In this aspect, data protection management software such as DPOinBOX is effective in helping DPOs manage breach response easily and effectively.

Article By: Aman Khajanchi

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.