Data Breach Response

The old adage that an ounce of prevention is worth a pound of cure has never been truer than in the context of data breach preparedness and response. As general agreement settles on the fact that data breaches are essentially an inevitability for any firm with substantial data holdings (some 43 percent of companies suffered a breach in 2013 alone), the onus is on CPOs and privacy leads to plan carefully for the day when breach response is needed.

Along the way, your organization will be better prepared to prevent a breach from happening in the first place.

While there are a number of data breach guides out there, here at the IAPP we have chosen to focus on the many relationships and stakeholders involved in breach preparedness and response. Responding to a breach correctly involves a suite of people both inside and outside your organization. Understanding how to use those people most efficiently goes a long way toward ensuring that your response controls costs, limits business impact and puts the breach behind your organization as quickly as possible.

"Responding to a data breach is a lot like fighting a fire," notes Gerard Stegmaier, CIPP/US, a partner with Goodwin Procter. "Once the alarm goes off, it pays to have a plan and to work immediately to address the safety of anyone in the building, contain the fire and preserve the scene for the investigators. Safety comes first, then investigation and remediation. Keeping calm, being methodical and ensuring access to the right resources for management always ensures better outcomes."

Seems like an obvious truism, but, "Incident response preparedness is all over the map," notes Co3 Systems' Tim Armstrong. "Some organizations are well-prepared. But more often we find that even Fortune-500 companies that have spent millions of dollars on preventive and detective controls have significant shortcomings handling day-to-day security and privacy events, not to mention a major breach."

Oftentimes, that's because the organization hasn't taken the time and effort to develop the relationships inside and outside the building necessary for rapid and coordinated response.

In the following document, we offer up a way of getting the necessary relationships in place and then outline how best to leverage those relationships once the breach has occurred.

Part I: BREACH PREPAREDNESS: Setting up your incident response team and laying the groundwork for proper vendor management

Part II: LEGAL SERVICES: Your breach coach and beyond

Part III: IT SERVICES: Forensics is more than just figuring out what happened

Part IV: PR SERVICES: Making sure you craft the proper message for the intended recipients, including regulators

Part V: CONSUMER SERVICES: How to make things right, retain your customers and come out the other side relatively unscathed


Guidelines 01/2021 on Examples regarding Data Breach Notification

The European Data Protection Board welcomes comments on the Guidelines 01/2021 on Examples regarding Data Breach Notification.
Such comments should be sent by March 2nd at the latest using the provided form.

Please note that, by submitting your comments, you acknowledge that your comments might be published on the EDPB website.

The EDPB Secretariat staff screens all replies provided before publication (only for the purpose of blocking unauthorised submissions, such as spam), after which the replies are made available to the public directly on the EDPB public consultations' page. Unauthorised submissions are immediately deleted. The attached files are not altered in any way by the EDPB.

Please note that, regardless of the option chosen, your contribution may be subject to a request for access to documents under Regulation 1049/2001 on public access to European Parliament, Council and Commission documents. In this case the request will be assessed against the conditions set out in the Regulation and in accordance with applicable data protection rules.

All legal details can be found in our Specific Privacy Statement (SPS).