
Data and Privacy Breach Notification Plans: What You Need to Know

By Michael Nadeau, from CSO Online:

You’ve just discovered a breach that exposes your global customers’ personal information. It’s after May 25, so you are required to report the breach within 72 hours to comply with the EU’s General Data Protection Regulation (GDPR). The clock is ticking. Do you know the process for reporting the breach to the EU regulators? To your customers or the general public? No? Well, you’re not alone.

“You’re not going to have time to do a lot of legal research in a cyber crisis, especially if your systems are locked up by a ransomware attack,” says Michael Bahar, global co-lead of the cybersecurity and data privacy practice at Eversheds Sutherland. As increasing numbers of U.S. and global jurisdictions bring new or revised breach legislation and regulations online, research will only become more time-consuming, complex, and stressful—and time is of the essence during a breach.

Creating a master breach notification plan now that includes the mandated reporting steps for every relevant regulation will reduce the stress. Here’s advice for putting that plan together:

Collaborate with stakeholders and in-house experts

IT alone is not in a position to have all the knowledge needed to execute on even the most refined notification plans. Instead, “the lawyers, the security officers, crisis communication specialists and IT professionals all need to be lashed together at the hip,” Bahar said. “It takes their combined expertise and judgment.”

Bahar even suggests that your organization’s legal team might have to take a leadership role in the notification process. “The potential litigation and regulatory stakes are so high, not to mention the public relations and reputational stakes, so the lawyers need to be heavily involved,” he says. The legal team can help work out what is said and how it is said to best meet requirements and minimize risk—and they don’t need to be wasting time conducting time-sensitive legal research.

Many regulations require public disclosure of the breach, whether that’s to customers, shareholders, partners, and so on. This is where marketing and public relations teams can help with that communication. Here again, collaboration with the legal team is important. “What’s critical is that PR or crisis communications can’t be given carte blanche authority to release anything public facing without having a legal review,” says Bahar.

“By the same token, some lawyers don’t write in the way that’s going to be most comprehensible to the public, so the partnership between IT, crisis comms, security, and lawyers is again so critical,” Bahar adds.

To read the rest, click here.

Photo Credit:  Peter Sayer
