With data breaches an increasingly common (and costly) experience, most organisations understand the need to put in as many defences as possible against cyber attacks. While those efforts might keep out most, a single breach can wreak havoc across an organisation.
It is therefore imperative that every business has a data breach response plan in place. Vital to any such plan is ensuring that the business is ready to notify everyone affected by it.
That’s not something it merely “ought to do” either; it’s a core GDPR requirement.
Some companies may need to reach their customer base quickly. This could mean millions of communications in a short space of time and email is one of the best ways to do this.
Who to notify
Within 72 hours of a breach, organisations are required to inform all relevant bodies. In order to do this successfully, it’s vital that the organisation’s Data Protection Officer (DPO), or the person responsible for data protection, knows who to notify and how to do it.
While GDPR applies across the EU, each country has its own data privacy body, and the DPO has to know who to contact and how.
Organisations can avoid a lot of pain by having this information readily available, rather than having to scramble for it after a breach happens.
It’s not just authorities that need to be informed either. Depending on the nature and scale of the attack, the organisation may also have to inform each of its customers.
While this is a GDPR requirement, it can also go a long way to mitigating the reputational and financial damage caused by a breach.
The power of email
When it comes to issuing these notifications, email is the most powerful tool any organisation has at its disposal.
As well as being an efficient way to notify thousands of people in the event of a breach (email is near ubiquitous), it is also ideal when the information is detailed and too lengthy to be included in a text message.
But in order for a breach notification to be effective, an organisation needs to have the email addresses of as many of its customers as possible.
Any organisation that doesn’t have its customers’ email addresses on record therefore needs to run a data gathering campaign, explaining why it is asking for email addresses and that this information will only be used for the purpose of incident notification.
Being able to send out a notification campaign is, however, different from being able to do so effectively.
The latter involves developing a template that meets good practice guidelines for email and is tested across common devices. This reduces the time required to complete the campaign set-up, and ensures that the critical information can be quickly inserted into the template.
Importantly, the email platform used should provide reports of time sent, successful/unsuccessful delivery and open rates, allowing the organisation to prove that the notification plan was expedited appropriately.
The notification plan
Knowing who to contact and having everything in place to contact them is just one part of being ready for a breach.
Every organisation should have a more detailed plan prepared that is agreed between all parties – marketing, IT, compliance and legal. This plan should include the following:
- A schedule of events – have a time plan that details each step of the notification process. The aim here is to get the notifications out within the required time. This schedule must involve any third-party processors contracted to help execute the plan.
- An up-to-date list of participants – ensure that everyone knows their roles. Who is responsible for sending the notification? Does it sit with marketing or compliance? And who manages the plan?
- A set of email templates – organisations should develop a set of incident notification templates. These templates should be immediately accessible, so that the critical information can be inserted, and must be pre-tested across devices.
- Ability to select/segment recipients – the organisation should compile and possibly segment its customer list. At the very least, it should have access to email addresses and first names to personalise any emails (who wants to receive a crisis message that says “Dear valued customer”?).
- Budget – have a pre-approved budget assigned, so that the plan can be executed as quickly as possible. The last thing anyone wants is to have to go through budget requests and approvals when the clock is ticking. If a third party is involved in the notification plan, it’s vital that there’s sufficient budget to cover their fees.
- Ability to send millions of messages quickly – no organisation can go from sending zero emails on a platform to sending millions. The incident notification needs to be sent via a server that distributes high volumes consistently, so that a large distribution doesn’t look like spam and result in deliverability issues.
- Appropriate technical setup – the email platform must be optimally configured for the organisation’s notification needs.
- Reporting – every organisation must be able to show evidence of its notification process, making it critical that it captures as much information as possible. It needs to show that the notification messages were sent within the timeframe, which were delivered, and that it made every effort to get a message to each affected party – including repeat attempts to deliver to addresses that failed the first time.
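As an added illustration (not code from the original article or from Striata), the Python sketch below shows how the reporting evidence described in the last point could be assembled from an email platform’s send log: for each affected address it records whether a notification was delivered inside the 72-hour window, whether a failed delivery was retried enough times to show reasonable effort, and which addresses still need attention. The breach time, recipient list and log entries are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical): time the breach was detected and the
# send report an email platform might produce for the notification campaign.
BREACH_DETECTED = datetime(2024, 3, 1, 9, 0)
AFFECTED = ["a@example.com", "b@example.com", "c@example.com", "d@example.com"]
# (recipient, attempt time, outcome) per delivery attempt
DELIVERY_LOG = [
    ("a@example.com", datetime(2024, 3, 1, 14, 0), "delivered"),
    ("b@example.com", datetime(2024, 3, 1, 14, 0), "bounced"),
    ("b@example.com", datetime(2024, 3, 2, 10, 0), "delivered"),   # retry worked
    ("c@example.com", datetime(2024, 3, 1, 14, 0), "bounced"),
    ("c@example.com", datetime(2024, 3, 2, 10, 0), "bounced"),
    ("c@example.com", datetime(2024, 3, 3, 10, 0), "bounced"),     # retries exhausted
    # d@example.com was never attempted: a gap the report must surface
]


def evidence_report(affected, log, detected, window_hours=72, min_attempts=3):
    """Classify every affected recipient from the delivery log.

    window_hours is the notification deadline measured from detection;
    min_attempts is the number of failed attempts after which the organisation
    treats an address as undeliverable (policy assumption, not a GDPR figure).
    """
    deadline = detected + timedelta(hours=window_hours)
    report = {}
    for addr in affected:
        attempts = sorted((t, o) for a, t, o in log if a == addr)
        delivered = [t for t, o in attempts if o == "delivered"]
        if delivered:
            status = "delivered_in_window" if delivered[0] <= deadline else "delivered_late"
        elif len(attempts) >= min_attempts:
            status = "undeliverable_after_retries"
        elif attempts:
            status = "retry_required"
        else:
            status = "never_attempted"
        report[addr] = {"attempts": len(attempts), "status": status}
    return report


def outstanding(report):
    """Addresses that still need a (further) delivery attempt."""
    return sorted(a for a, r in report.items()
                  if r["status"] in ("retry_required", "never_attempted"))


def window_met(report):
    """True only when every recipient was delivered in time or retries were exhausted."""
    return all(r["status"] in ("delivered_in_window", "undeliverable_after_retries")
               for r in report.values())
```

Feeding the platform’s real send report into `evidence_report` gives the per-address record the plan asks for, while `outstanding` lists who still needs a retry before the window closes.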
No organisation can afford to leave its notification process to chance. When it comes to regulatory compliance and mitigating damage to the business, it’s far better to have it well mapped out, with time frames and elements, such as templates and budget, on standby.
Written by James Hall, Commercial Director, Striata UK.