Multinational corporations are taking steps to more quickly detect and report data breaches, in part to avoid steep penalties under a sweeping set of regulations from the European Union.
The magic number: 72 hours.
The General Data Protection Regulation, which took effect in May, requires firms that collect data about European Union citizens to report a data breach to regulators within 72 hours of discovery. Organizations that fail to comply with GDPR face fines of up to 4% of their global revenue.
Other rules, such as a New York State Department of Financial Services regulation that went into effect in 2017, also require some firms to report breaches within 72 hours. But many more companies need to comply with GDPR, and the penalties are much more significant.
The fast turnaround creates a challenge for companies. “The biggest challenge is knowing enough about the incident to actually report it,” says Jim Routh, chief security officer at
“We have to do some analysis to figure out what the scope or impact is, and it’s often days before we have that identified.”
Aetna meets that challenge by informing regulators almost immediately upon learning of a possible breach and then updating them as the company learns more, Mr. Routh says.
Firms including Aetna,
Options Clearing Corp. and others are working to speed up data-breach detection and reporting procedures. Companies are rehearsing their breach responses to identify who needs to be involved and what actions may need to be accelerated. They’re appointing incident-response managers. And they’re expediting the communication process by prewriting news releases and scripts for the messages to notify regulators and customers about a breach.
It’s not like TV
The kinds of breaches that can happen vary dramatically, and so do the responses. “We do a number of cyber-related exercises assuming different scenarios based on what’s happening,” says Mark Morrison, chief security officer at Options Clearing Corp., a Chicago-based equities-derivatives clearing organization. “Not everything is going to line up as you think it will. This isn’t like ‘CSI: Cyber’ on TV where they solve everything in an hour.”
Companies’ confidence in their ability to comply with the GDPR’s data-breach notification rules
* Confidence level of 7 or higher on a scale of 1 to 10
Reasons cited most often for confidence
Incident-response plan has proven to be effective in providing timely notification
The necessary security technologies are in place to detect the occurrence of a data breach quickly
Source: Ponemon Institute survey of 1,003 executives, directors, employees and consultants in the U.S. and Europe in departments including IT, IT security, compliance, legal, data protection and privacy, conducted in February 2018
Meeting a 72-hour deadline takes planning, says Michelle Dennedy, Cisco’s chief privacy officer. The company goes so far as to track how long it takes designated executives to dial in to a conference line to discuss a cybersecurity incident. It can take just a few minutes or “well over an hour,” depending on the number of people involved, Ms. Dennedy says.
At Aetna, discovery of an attack triggers an incident record describing the event as a phishing attack or another kind of hack, says Mr. Routh. The record immediately goes via text message and email to an on-call security team, which assigns oversight for the incident to the internal security group most experienced with that type of problem. That team then determines which business groups at Aetna should be informed about the incident, says Mr. Routh.
“For example, if there’s a news article that says there’s a major vulnerability in a commonly used mobile device, our job is to figure out the impact of that for our clients,” he says. “That particular scenario involves consumers, the reputation of the brand and potentially shareholders because of the financial impact. All of that screams for escalation, and that report could go to the board, CEO or audit committee.”
It also has become commonplace for firms throughout the private sector to use software to detect signs of a data breach at a partner or customer to contain an attack before it spreads, says Mr. Morrison, of Options Clearing Corp.
If OCC detects a breach originating outside the company, its crisis-communications team and customer-service group draw from a prewritten script to notify the external firm about the problem via email or phone calls, says Mr. Morrison. OCC is installing secure cloud-based communication services to contact customers should OCC’s own email be compromised, he says.
At Cisco, an incident-response manager coordinates the company’s actions. That manager organizes frequent phone conversations in which Cisco executives in security, privacy, customer service, technical support and other departments discuss hypothetical breach scenarios, says Ms. Dennedy.
A typical phone rehearsal might be focused on a ransomware attack or a system misconfiguration, which could result in unprotected files, she says. In each practice session, Cisco tracks how long it takes each executive to dial in to the conference line, and how long it takes the group to decide what to do, she says.
“For a straightforward incident, like a ransomware attack where you have all the information, you can figure out what to do within an hour,” Ms. Dennedy says. “If it’s more complicated, where you need to decide if we’re going to start taking our products offline, it can take days.”
Cisco stepped up these exercises after recognizing that cyberattacks and security regulations are a serious business risk, she says.
Matt Palmer, senior director of cyberrisk management at Willis Towers Watson PLC, says the risk-management firm has written skeleton news releases for the communications department to fill out in the event of a breach. The company also has outside customer-service call centers standing by should Willis Towers Watson customers learn of a breach and call seeking assistance, he says.
“Worrying about these things once a breach happens is too late,” he says.
Mr. Stone is a Wall Street Journal reporter in New York. He can be reached at firstname.lastname@example.org.