
http://www.legaltechnews.com/id=1202799328948/Equifax-Breach-Affects-143M-How-Would-GDPR-Have-Impacted-the-Disclosure?kw=Equifax%20Breach%20Affects%20143M:%20How%20Would%20GDPR%20Have%20Impacted%20the%20Disclosure?et=editorial&bu=Law%20Technology%20News&cn=20171002&src=EMC-Email&pt=Afternoon%20Update


If you are interested in data protection, be sure to read this.

When transferring data out of the EU, the GDPR has now become a consideration alongside the Privacy Act.


On September 7, 2017, Equifax announced a massive breach which seized control of the news the world over. By exploiting a web application vulnerability in Equifax’s system, hackers were able to gain access to the personal data of approximately 143 million consumers in the United States, UK and Canada. This included names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers and credit card numbers.

While this is yet another unwelcome reminder to individual consumers that they must remain vigilant in monitoring for unauthorized use of their personal information, for organizations this may be the wake-up call to review their security practices and protocols. Had this event occurred under the General Data Protection Regulation (GDPR) (set to take effect May 25, 2018), the implications for the organization would be substantial.

For any organization collecting, processing, storing, or transmitting personal data of EU citizens that has not yet thought about or implemented applicable practices and protocols to comply with the GDPR and respond to security breaches under GDPR requirements, time is running out.

Data Breach Notification Obligations

Currently there is not a U.S. federal law on breach notification requirements, though recent events may result in consideration of one. There was a proposal in 2015 setting a 30-day deadline, but the law never received support, and instead, notification obligations for security breaches impacting U.S. residents are governed by a patchwork of state laws. The timing of the notification varies from state to state; some require notification within a set amount of days, while others state that notification be made in the “most expeditious time possible.”

In addition to impacting U.S. residents, the breach also resulted in the disclosure of the personal information of some Canadian and UK residents. Had the GDPR been in place, the notification obligations it requires would apply, even in post-Brexit UK. As noted in a recent statement of intent by the Department for Digital, Culture, Media and Sport, the United Kingdom will adopt the GDPR once it leaves the EU.

Under the GDPR, data controllers are required to notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of” a personal data breach. A data controller is permitted to delay notification beyond 72 hours if it provides a “reasoned justification” for the delay. The data controller’s notification to the authority is required to: (1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected, (2) provide the contact information of the data protection officer, (3) describe the likely consequences of the personal data breach, and (4) describe how the data controller proposes to address the breach, including any mitigation efforts. While this information is to be provided in a single notification, should it not be possible to do so, one may provide this information in phases “without undue further delay.”

As set forth in Equifax’s notification to individuals, it became aware of the incident on July 29, 2017. If it had been 2018 instead of 2017 and GDPR was in effect, Equifax’s obligations to give notification would be very different. Depending upon the hour of discovery, Equifax may have been required to notify by July 31, 2017, which clearly is much earlier than September 7, 2017. Had the GDPR been in effect and Equifax had not complied with the notification requirements, Equifax could have been looking at an administrative fine of up to 10 million Euros or up to two percent of the total worldwide annual turnover.

Preparing for Breach Obligations Under GDPR

With the size and magnitude of security breaches escalating daily, it is becoming increasingly difficult for organizations to fathom how they would respond and mobilize an incident response plan in time to meet the stringent 72-hour notification requirement under the GDPR. The good news is that with nearly eight months until the GDPR goes into effect on May 25, 2018, organizations still have time to implement, test, retest, and validate their policies and procedures for incident response and to train their employees so they are aware and confident of their roles and responsibilities should an incident occur.

Whether drafting a new GDPR-compliant incident response readiness plan or reviewing your existing plan, organizations should consider the following:

  • Develop or update internal breach notification procedures, including incident identification systems and response plans;
  • Test and validate the incident response plan, and ensure all employees understand their role in the event of a data breach;
  • Work with the IT team to make sure appropriate technical measures are in place, such as network segmentation;
  • Review and update contractual arrangements to require any vendors to notify immediately; and
  • Revisit insurance policies to determine the extent of coverage for cyber incidents.

