Data breaches used to be rare enough to frighten us. Now they happen nearly daily, and their sheer number and reach, from the neighborhood kindergarten to the city trash collection, are hard to take in.
And, as with many other things, the frequency and scope we are facing have made us numb to the dangers and the cost. What would have upset a nation a decade ago barely registers as a blip. The new normal, then, is a scary state of being.
Breaches are also very expensive. You can use our Breach Cost Calculator to get an idea of how expensive they can be.
Also for edification, CSO Online recently published the 17 biggest data breaches of the 21st century. You will find many a name you recognize on that list.
The Day-2 Problem
So, the conclusion to draw here is not whether we will be breached, but when. That raises the next question: what can we do to handle breaches better when they occur? After you have found the leak, plugged it, and collected the information on affected customers, what now? At XcooBee we have labeled this the Day-2 Problem.
Ideally you would have an incident response plan, but who really believes that our neighborhood kindergarten has or had one?
Just for completeness here is a good overall response to do list:
- Identify and document internal breach notification procedures
- Configure incident identification systems
- Review/Create incident response plan
- Test incident response regularly
- Work with IT to ensure that data is unintelligible in case of unauthorized access
- Buy good insurance and make sure it covers you
GDPR Specific Changes
The EU GDPR also imposes a breach notification regime with hard deadlines, so the likes of Equifax cannot sit on the information for weeks while stock is traded in anticipation of the price decline.
- Data controllers must report breaches to their supervisory authority within 72 hours of becoming aware of them; a report made after that must give reasons for the delay.
- Affected data subjects must be informed without undue delay when the breach is likely to result in a high risk to them. This is not required if the data was rendered unintelligible to whoever obtained it, for example by encryption.
- Data controllers must maintain an internal breach register documenting the facts of every breach, its effects, and the remedial action taken.
- Non-compliance can lead to high administrative fines.
- As things stand, the specific breach notification regime for communications service providers, set out in Commission Regulation 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC, still applies.
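As an added illustration (example code, not XcooBee's or any regulator's own tooling), the following Python sketch is the kind of internal breach register entry the list above calls for, with the 72-hour clock, the reasons-for-delay rule, and the data-subject decision encoded as checks rather than left to memory. The field names and the sample incident are assumptions made up for the example; the thresholds paraphrase GDPR Articles 33 and 34 and are not legal advice.

```python
"""Breach register entry with GDPR Art. 33/34 notification logic.
Added example; field names and the sample incident are assumptions,
not XcooBee's code or data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Art. 33(1): report to the supervisory authority within 72 hours of becoming aware.
AUTHORITY_DEADLINE = timedelta(hours=72)


@dataclass
class BreachRecord:
    incident_id: str
    aware_at: datetime                  # moment the controller became aware (tz-aware)
    nature: str                         # Art. 33(3)(a): nature of the breach
    data_categories: List[str]          # Art. 33(3)(a): categories of data affected
    approx_subjects: int                # Art. 33(3)(a): approximate number of data subjects
    likely_consequences: str            # Art. 33(3)(c)
    measures_taken: str                 # Art. 33(3)(d)
    high_risk_to_subjects: bool         # controller's risk assessment for Art. 34(1)
    data_rendered_unintelligible: bool  # Art. 34(3)(a), e.g. encrypted and key not exposed
    reported_to_authority_at: Optional[datetime] = None
    delay_reason: Optional[str] = None
    history: List[str] = field(default_factory=list)  # the register's audit trail

    def __post_init__(self) -> None:
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware; the 72h clock is not local")


def authority_deadline(rec: BreachRecord) -> datetime:
    return rec.aware_at + AUTHORITY_DEADLINE


def hours_remaining(rec: BreachRecord, now: datetime) -> float:
    """Positive while time is left, negative once the report is overdue."""
    return (authority_deadline(rec) - now) / timedelta(hours=1)


def must_notify_subjects(rec: BreachRecord) -> bool:
    """Art. 34(1): inform data subjects when the breach is likely to put them at high
    risk; Art. 34(3)(a) lifts that duty if the data was made unintelligible
    (e.g. encrypted) to whoever obtained it."""
    return rec.high_risk_to_subjects and not rec.data_rendered_unintelligible


def report_to_authority(rec: BreachRecord, when: datetime,
                        delay_reason: Optional[str] = None) -> BreachRecord:
    """Record the authority notification; a late report must carry reasons (Art. 33(1))."""
    if when > authority_deadline(rec) and not delay_reason:
        raise ValueError("report is past the 72h deadline; reasons for the delay are required")
    rec.reported_to_authority_at = when
    rec.delay_reason = delay_reason
    rec.history.append(f"{when.isoformat()} reported to supervisory authority")
    return rec


def register_status(rec: BreachRecord, now: datetime) -> dict:
    """Summary a response team would check at each stand-up."""
    left = hours_remaining(rec, now)
    return {
        "incident_id": rec.incident_id,
        "authority_deadline": authority_deadline(rec).isoformat(),
        "hours_remaining": left,
        "authority_overdue": left < 0 and rec.reported_to_authority_at is None,
        "notify_subjects": must_notify_subjects(rec),
    }


# Constructed sample incident (assumption, not a real case): the neighborhood
# kindergarten loses a backup drive of enrolment records.
SAMPLE_AWARE_AT = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
SAMPLE_NOW = SAMPLE_AWARE_AT + timedelta(hours=24)   # day 2 of the response
SAMPLE_LATE = SAMPLE_AWARE_AT + timedelta(hours=80)  # past the deadline


def sample_record(encrypted: bool = False) -> BreachRecord:
    return BreachRecord(
        incident_id="INC-0001",
        aware_at=SAMPLE_AWARE_AT,
        nature="backup drive of enrolment records lost in transit",
        data_categories=["names", "home addresses", "dates of birth"],
        approx_subjects=140,
        likely_consequences="identity fraud, unsolicited contact with families",
        measures_taken="backup process suspended, drive reported to police",
        high_risk_to_subjects=True,
        data_rendered_unintelligible=encrypted,
    )


if __name__ == "__main__":
    print(register_status(sample_record(), SAMPLE_NOW))
    print(register_status(sample_record(encrypted=True), SAMPLE_NOW))
```

Running it shows the same incident twice: with the drive unencrypted the register flags both the authority report and the data-subject notification; with the drive encrypted only the authority report remains, which is exactly why the "make data unintelligible" item sits on the to-do list above.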
Managing the Breach Notification Cycle
According to IBM Security research (the 2017 Ponemon Cost of Data Breach Study), the US has the highest notification cost per breach incident. At XcooBee we are working actively to make this an easier and less expensive process: we are building tools to help you notify your users, handle their responses, notify authorities, and even automate remediation tasks for your users on our network.
Our goal is to give our users a way to execute their plans with the tools and services that make a bad situation just a bit more bearable. Tools that our neighborhood kindergarten can use.
Please keep checking our pages as we share more about our platform and its features.