The phases of a security incident: having a Response Plan (I)
Drafting a response plan, or in other words, having a clear understanding of what to do if our company suffers a security incident, is crucial. In this post, we start a series in which we will discuss the phases you should anticipate as a company in case you fall victim to a security incident. In another post, we talked about what to do if a security incident affects you as an individual.
The reality is that more and more types of companies (not just large ones) are victims of incidents or security breaches, and unfortunately, few organizations are exempt from being affected by a security incident at some point. From internal data leaks to malicious external attacks, the variety of cases continues to grow, and it is essential to know how to act. Today, we focus on the first phase of responding to a security incident: “drafting a response plan.”
First, however, a basic preliminary distinction: the difference between a security incident and a security breach. A security incident is an event or situation in which the confidentiality, integrity, or availability of personal data is affected. To speak of a breach, which has consequences under the GDPR, there must also be unauthorized access to or acquisition of that personal data.
Keep an Updated Record of Processing Activities
A security incident response plan requires keeping your record of processing activities up to date, since it helps you, among other things, maintain a current inventory (or data map) of which types of data you process for a specific service, which applications you use, and which providers (if applicable) are affected by a specific incident. If the record of activities is not up to date, it is harder to act once an incident has occurred, because you are forced to carry out, under pressure, an analysis that should already have been done regardless of whether an incident ever occurs.
Draft a Security Incident Response Plan
Experience tells us that when a security incident occurs, haste and urgency are poor advisors, and the lack of a pre-established response plan often leads to mistakes or omissions that can have unintended consequences. A response plan should contain clear and concise instructions on what to do if we suffer a security incident. This response plan must be known by those who will need to participate in its implementation if the need arises. Each company or organization is unique, so you should adapt the response plan to your particular case. Unfortunately, no matter how small your company is, it is not exempt from experiencing a security incident.
In addition to the economic cost of improvising without an adequate response plan (for example, having to hire experts unexpectedly), its absence can increase the risk of a penalty from the competent Data Protection Authority, since a missing or inadequate response may expose breaches of the GDPR and LOPD such as:
- Breach of the duty of confidentiality.
- Failure to have adequate security measures.
- Failure to communicate to the DPA or to the affected parties (if required by the DPA) about a security breach.
- Incomplete, late, or defective communication of a security breach to the DPA.
- Lack of documentation of a security incident.
- Failure to communicate a security incident to the affected parties.
Who Should Know the Response Plan?
The people or departments that need to intervene in the event of a security incident, and therefore must know the response plan, will vary depending on the size of the organization. However, in general, the following departments or individuals will undoubtedly have a role to play:
- Data Protection Officer: if you have one designated, they should have access to the record of processing activities to quickly identify which resources have been affected by the incident. They will also play an essential role in communicating the breach to the competent Data Protection Authority.
- Management or CEO: in major crises caused by security incidents, the role of management or the CEO must guide the actions of the rest of the organization, making their response crucial for other departments and individuals in the company.
- Marketing or Customer Service Department: communicating the incident to the affected parties usually falls to them. It is essential to plan not only the communication itself but also what happens if the affected parties request more information about the incident: they must not receive contradictory answers from different interlocutors.
- Legal: the legal team understands the legal requirements in the event of a security breach, and their role will be crucial in deciding whether to communicate the incident to the competent authorities. They should also be aware of the contractual responsibilities acquired, for example, by service providers involved in the incident.
- Finance: they will need to calculate the economic impact that the incident may have on the organization and, if necessary, seek or unlock the necessary funds to mitigate its adverse effects.
- Information Security: they will play a fundamental role in investigating the incident, with the primary goals of isolating, remediating, and preserving the affected systems.
- Human Resources: if the incident affects employees, their role is essential. Even if it does not, they must provide the necessary information to employees and, if needed, adapt training plans that the incident has shown to be obsolete or create new ones.
In conclusion, being prepared for how to act in the event of a security incident in your company is a significant part of successfully responding to it. Unfortunately, we are all exposed to various types of security incidents, so in addition to taking logical security measures, it is crucial to focus on what entirely depends on us, and preparation is undoubtedly the first essential step.
Author: Victor Rosello, Lawyer.