GDPR Data breach notification services: 9 questions to ask service providers
When organisations investigate their obligations under GDPR, one of the most significant challenges is the mandatory nature of the breach notification process. Organisations have 72 hours to inform regulators and must notify data subjects as soon as possible thereafter. This blog looks at some key considerations when researching GDPR data breach notification service providers.
Data Breach Notification Services – responding when under pressure
In the US, where mandatory breach notifications have been law in some states for a while, an entire industry of service provider companies has emerged to help with this process.
Most organisations are not, as a rule, in the business of contacting all their customers en masse or setting up call centres and other arrangements to cope with what, in many cases, can be an urgent (and temporary) situation with high risks if not handled well.
Why is the service so vital to organisations?
Forrester Research, in their recent Wave™ on breach notification services (a gated report), highlights three reasons that can be summarised as:
If you have a breach you need to keep the public on your side and be the “good guy” who has been attacked, rather than being the “negligent custodian” of data who has lost it.
Some cyber security insurance policies may mandate that you have this kind of provision in place to constrain the costs and impacts of any pay-out.
The timelines enforced by GDPR – and similar regulations – simply don’t allow the time to mobilise this kind of capability from scratch quickly enough.
What data breach notification services do
Breach service providers offer a range of services. Which of these matter most may depend on the structure and type of business you operate – for example, if you have a large call centre it may be that inbound queries could be handled along with normal volumes (as long as the number of lines and operators can keep abreast of potentially every one of your customers getting in touch at the same time).
Only you will know which of the following services are tasks you can do in house and which will have to be outsourced:
Sending electronic or paper mail-outs/notifications
Probably the most fundamental service, if you need to email or write to a large number of people quickly to advise them of what has happened before the news media and social networking sites do the job for you.
Your existing systems may not be capable of generating and sending a large number of emails or letters in a short space of time and you may want to give people details of a specific web site or call centre to go for help, rather than having them clog up your normal systems and customer interactions. Sending emails en masse might be free but writing and mailing letters certainly isn’t, so you want this done efficiently.
Call centre provision
When a large number of people are going to be calling to get information, obtain advice, change passwords, reset accounts or complain you need infrastructure and people quickly. What you don’t want is to provide a sub-standard service by leaving phones unanswered or keeping people on hold “because their call is important to you”.
Identity theft/fraud protection
Where personal accounts or credit card details may be exposed, or if you have laid open information that is used for validation/ID across multiple sites (mother's maiden name, date of birth, etc.), then your customers are at risk of fraud, or (most critically) may feel that they are. For the cost of a few £/$/€ per user you may have to establish a free theft protection policy.
How many serious security breaches have you had? Hopefully not too many.
When you are planning what to do and how to handle a breach, you are going to want to involve someone who has experienced one, to understand what works and what doesn’t, how to tie together the different streams of your business, what stakeholder sign-off to get in advance and what to decide on at the time. In addition to the plentiful law firms and consultancies, most breach notification providers will offer services ahead of time to help get you prepared.
Forensics/Technical professional support
What happened? At first you may not know – patterns of fraud might be emerging, someone may claim to have your entire customer database (whether they have or not), or a list of accounts and passwords might have been published.
You are going to have to answer questions (see our related blog post) and you might not have the technical wherewithal or bandwidth to answer them. Skilled technical forensics teams, as well as being available independently, might also be something you can pull in from your breach notification service provider as part of the invocation.
What laws have you broken? What laws has your attacker broken? What liability to your customers and third parties might you be looking at? What controls on lost intellectual property and cease-and-desist actions do you want to take?
Crucially, are these questions your in-house counsel or “regular” legal team can help you navigate, or are you going to want specialists?
All good questions – but your market sector and customer demographics, as well as the nature of a breach, might determine what specialist help you need. Your breach service provider might again be a place to seek this support.
If you have a breach and it, or you, are worthy of any kind of media interest then you need to be PR ready. This may (once again) not be best handled by the agency you normally use for product launches or special offers, because the industry press you normally talk to might be different from the mainstream press or cyber security press that are suddenly interested.
The cyber security breach and crisis management landscape is littered with the hulks of past failures. TalkTalk didn’t handle the press that well after their breach: when they didn’t know the answers to questions like “how many people were affected”, the press just assumed all their customers were and dragged a figure of 4 million out of their annual report.
There are security bloggers who, when they find out about a breach, will ask for an interview with the CEO within 24 hours or they’ll go public and pretty much write what they want. Don’t take a chance with this – assume you are the villain unless you can convince people you are the victim.
Are you the good guy or the bad guy when a breach occurs? Are you victim or villain? Either way, you are holding a ticking time bomb if you don’t respond quickly.
The key questions you need to ask of data breach notification providers
If by now you are wise or fearful enough to want to look into retaining these kinds of services (and there are multiple providers with different capabilities, pricing offerings and pros and cons), here are some questions to ask as part of your assessment:
What services can they provide and what can you do?
You need to understand what services they provide and what services you need, as well as how well equipped you are to handle elements of the process yourself. As explained above you might already have a call centre, but not one that can cope with a sudden influx without affecting other customer operations, or a PR firm but not one that has any relationship with the technical or cyber security press, or experience in handling this kind of crisis.
What is the biggest breach they have handled (or can handle) and what is the smallest size they can scale down to?
How many people (i.e. the raw number of affected customer/subscribers) do they think they can cope with and what size of breach have they successfully managed? This is definitely worth knowing as your business (and hence any breach) may or may not fit within this.
Also, not all breaches are great long lists of customer records – you might lose one person’s data, but “the whole shebang”, i.e. an entire customer medical history file, or the personal and other details of a celebrity. You don’t necessarily want a whole call centre invoked if you are dealing with a single person, or even a small number, but you might want help in other areas – legal defences, PR support etc. – so it might not be a “per affected subscriber” transaction.
What verticals/sectors do they focus on or have knowledge of?
Different verticals have different challenges. Finance data when exposed can lead to fraud, losses, stopped credit cards – problems with numbers attached to them. Medical data or personal information might not have a direct mapping to financial cost but could be embarrassing, sensitive or just very hard to change and difficult to “get back into the bottle”, compared to account passwords and credit card numbers that can be easily reissued or reset when exposed.
As an affected customer, if my credit card number is breached by a retailer I can get the money back and a new card. If the retailer takes care of all of that for me so I hardly notice, and I get credit theft insurance for free, maybe I’ll forget it and give them the benefit of the doubt. However, if a company exposes my medical history, which may or may not contain elements that are embarrassing, there is no way to change the fact that it has been revealed or made public and “un-breach” it.
Finance, telecoms, retail, medical, government and social networks – all these industries have different challenges and impacts and having experience in the sector you occupy will be key for your breach notification and incident services providers to achieve the best result.
How do they themselves protect (your) data?
One of the biggest challenges of the modern cyber security landscape is how you protect customer or subscriber data when it is sent to third parties for processing, storage or some other business purpose. There have been breaches caused by failures of third parties, and there is a whole “third party assurance” risk domain.
Your breach notification provider, who is a third party, is going to be provided with a list of all your customers, contact details and account numbers for communications or credit/fraud/identity theft insurance purposes. In the normal run of things your security team would want to review and assess, even audit, any such arrangement. Ahead of time, before the 72-hour GDPR security breach clock starts ticking on a data loss, ask your third party breach notification provider any questions you would normally want to ask a third party supplier you are supplying with data. They are just businesses like any other and not infallible – just ask Equifax.
Is the data breach notification provider approved by your insurance company?
If you have cyber insurance, make sure you have chosen a provider that your insurance company will support. Consider how you will manage the risk of the provider letting you down in some way when that breach occurs. If the choice of supplier was your decision in isolation and your insurer wasn’t consulted or supportive of that choice then pay-outs under your cyber security policy might be harder to claim.
Are their strengths in outbound communications or inbound call centres?
Different suppliers might have strengths in either of these areas, and who you choose could depend on what your breach strategy is likely to be – are you going to set up a helpline, or are you planning on sending out a notification with a set of instructions?
Choose a supplier who will fit well with your sector, customers, the nuances of your business and the way you, as a company, prefer to handle things.
What locations can they/do they service?
It is worth ignoring for a minute where your business is based and thinking about where your data is and where your customers are. If you are an overseas business but trade with EU citizens then you will be under the remit of GDPR as well as, potentially, local laws and regulations and GDPR-like regimes in other territories too.
The locations you service also affect how a breach is handled – sending paper letters by mail might be too slow if they have to traverse the globe, plus postage costs might become more onerous. Phone calls to international call centres can be expensive, especially if customers end up on hold waiting to be serviced, or if the conversation is to reset their accounts or explain what the breach means, all of which may take a while. If you do have a large international clientele you will need to consider how your service provider will provide local call access numbers or Freephone/toll-free access.
Also think about the locations in terms of time zones. If you are UK based and have customers in AsiaPac or the west coast of the US then the social media storm associated with a breach might start while your UK personnel are out of the office. You might be able to take orders or provide normal services 24 hours a day, but can you, or your service provider, respond to a breach or large-scale customer complaints that occur overnight, in local time?
Do they provide ID theft insurance and how does that work?
In many cases of a breach, there is a need to provide identity theft, fraud or credit monitoring services. Can your service provider help with this and to what extent? How good are their policies?
It may be that you don’t feel your particular services are financial in nature and so this won’t apply. However, if you capture information like dates of birth or other information for account/password reset questions, then you have information that while not financial, can be used to establish new accounts, steal identities or commit fraud.
Even if you have just lost passwords you may cause fraud risks on other sites as people routinely reuse passwords on other, possibly more financial, service portals – the compromise of a password from a mundane/low risk information service might therefore allow access to a higher risk email or bank account.
It may be possible to argue that this isn’t your problem, that users shouldn’t reuse passwords; but if there has been a breach and it is your fault then for the duration of the incident response, it is your issue.
Do ask about policy types and service levels, as well as terms and conditions. Make sure that where there is a cost involved you don’t over- or under-protect, and don’t fall into the trap Equifax did, where the terms and conditions of the policy they offered to the victims of their own breach were worded a bit too tightly for the affected members of the public who actually read them.
Ask your service provider what happens if the customer/subscriber already has a policy, conceivably with the provider themselves. Having two policies of exactly the same type from the same insurer doesn’t feel like much of a benefit, but also probably isn’t worth spending money on twice (for anyone).
Can you extend existing policies the person might have rather than taking out a whole new arrangement, which will reduce your exposure and the number of policies the end user has to keep track of? Can you provide a 12 month policy (to be fair to others) but have it start when the existing one runs out? Can you offer an alternative where an affected customer already has cover and doesn’t see the value of getting it twice?
What data, information, logs and records should you collect to get the most out of their service?
If there is information you should collect from customers/subscribers in order to make the notification/account reset/credential reissue process easier then clearly you want to collect this up front. For example, if the breach communication process can use text messages to send notifications or out-of-band password resets then collecting mobile numbers is obviously a good idea – but not one that might be obvious if your normal business operations don’t require it.
Similarly, if your breach response is going to want to examine system logs, records of transactions, user activity, network traffic or past security operations, alerts and updates, then make sure your monitoring and analytics systems gather this data and keep it within a central, protected repository. At the very least this stops you having to waste time and resources gathering it together urgently when a breach occurs; it may also mean that you can answer questions like “who was affected” much more easily and limit the PR and reputational damage if that number is actually quite small.
Data Breach Notification – The 3 Key Points
In summary, there are three takeaways from this post:
You will almost certainly need a data breach notification/service provider at some point.
It really comes down to a choice of whether you want to set that arrangement up now, in advance, in a calm and commercially savvy way where you can assess providers, agree services, negotiate a price and assure yourself that they can provide the kind of facilities you want, in the way you want them delivered, without increasing the risks you face; or whether you want to do it later, when there is a panic on.
It is now widely accepted that most companies will suffer a breach at some point.
The best way to minimise the impact of a breach is to handle it well. You need to make sure that the communications, compensation, tone of messages and coverage of the markets, channels and demographics of your customers are done right, as mistakes can damage reputations almost as much as the breach itself might have done.
Commercial arrangements can be difficult to get right if you are in a rush.
In the event of a breach, time is against you – 72 hours (under GDPR) doesn’t give much of a window to diagnose, understand and decide what to do. Equally it gives very little time for price negotiation, contract review, third party assurance or references with a new supplier (as you would normally do when entering into a new commercial arrangement). Leaving this procurement until you have had a problem significantly weakens your bargaining hand in retaining these types of solutions.