It has already been over a year since the General Data Protection Regulation (GDPR) entered into force. Fox-IT partnered with the Ten Holter Noordam law firm and Marsh Nederland to organise the event “A year of GDPR in the Netherlands: Cyber risks and data breaches” and look back on the implementation of the EU regulation in Dutch law. What has changed over the past year in terms of personal data processing and storage? How do you report a data breach? And how do you handle a cyber incident? That is what this day was all about.
The event was opened by Joris van Benthem. Van Benthem is a lawyer by profession, working for FC Feyenoord in Rotterdam. During his presentation, Van Benthem talked about his work at Feyenoord and which aspects of the club are affected by the GDPR.
The opening was followed by a plenary session with a discussion panel. The panel included Gina Doekhie from Fox-IT, Emiel de Joode from Ten Holter Noordam and Sjaak Schouteren on behalf of Marsh Nederland. The panel members discussed various aspects of data breaches and offered their opinions based on their professional background.
The day closed with workshops provided by the three organising parties. The summaries of these workshops are presented below.
Workshop: A year of GDPR in the Netherlands: Cyber risks and data breaches – Fox-IT
Ivo Pooters and Gina Doekhie from Fox-IT gave an inspiring workshop built around the following scenario. One Friday afternoon, Beekland Ziekenhuis was confronted with a Tweakers article stating that the personal data of more than 5,000 patients had been exposed. What should you do in such a situation? Who takes the lead? How do you resolve the breach?
The participants had to address these and other questions in the form of a Kahoot quiz. They went through the complete cycle, from discovering the data breach all the way to the final evaluation of the process. At each step, participants were confronted with new information, accompanied by questions about which steps to take next. For example, it emerged that the data breach was caused by a web application managed by an external IT party.
Thanks to the quiz format, the participants were actively engaged in the workshop, which resulted in lively discussions and learning experiences. In addition, three people won a great prize to take home with them.
The takeaways from the workshop were as follows.
Prior to the incident
- Create a technical processing register that includes the following information:
  - Which systems contain personal data
  - Which security measures have already been implemented
  - The scope of the data
  - The data formats used
- Set up detection capabilities through a SOC/SIEM
- Review the log configuration of the IT environment:
  - Log retention
  - Log policies
  - Who, what, where, when?
- Establish these logging requirements in an agreement with the administrator of the web application
During the incident
- Conduct a full investigation and avoid premature conclusions
- Have the investigation carried out by an expert forensic investigation agency
- Ensure the process follows an incident response plan
- Assemble your incident team
- Assign roles and make them clear to the people involved
After the incident
- Use the lessons learned from the incident report to implement security measures and to be better prepared for the next incident
- Identify and document any vulnerabilities
- Evaluate the process
- Plan your next steps, for instance:
  - Implement multi-factor authentication
  - Enable full disk encryption
Workshop: Data breaches and GDPR – Ten Holter Noordam law firm
During the workshop, the Ten Holter Noordam law firm covered the legal aspects in the stages before, during and after a data breach.
The three focus areas from the workshop are:
Before – identify the risks of processing activities; make sure you are GDPR-compliant.
Prior to a data breach, an organisation needs to take measures to comply with the GDPR. Key aspects here include accountability (for the data controller), privacy governance, security, data processors and prevailing agreements, and the rights of the parties involved.
During – arrive at a good risk assessment for any notification within a 72-hour period.
You are dealing with a data breach when it involves a security incident that violates the confidentiality, integrity or availability of personal data. It is mandatory for a data processor to report a data breach to the data controller as quickly as possible. A data controller needs to report a data breach to the Dutch Data Protection Authority within 72 hours, unless it does not pose a risk for the parties involved, or a report is not (yet) possible. If the incident cannot be reported yet, the data processor needs to justify why, and can potentially submit a temporary report. It is therefore key for an organisation to be able to assess the risks of a data breach.
After – implement a correct data breach registration and modify protocols and policies where necessary.
In the stage after a data breach, the organisation needs to focus on the correct registration and wrap-up of a data breach. This registration needs to include all reported and non-reported data breaches and the reasons underlying the deliberations that led to the decision not to report the data breaches. It is also key to learn from the data breach incident: how do I prevent similar situations in the future; are employees sufficiently aware of the escalation procedure / data breach protocol; and what is the organisation’s connection to the data processor?
Cyber risk management deserves a holistic approach; remove the barriers between silos
At Marsh, we have many people who can help you identify and understand your cyber risks. We support organisations in qualifying, quantifying, mitigating and insuring cyber risks.
Cyber and data security does not begin or end with your ICT department. Ensuring that your organisation is more resilient to cyber risks in a sustainable way requires a holistic approach.
The GDPR is also not the sole domain of ICT or Legal; you also need to involve Marketing, HR and Finance. That is the only way to incorporate cyber and data security into your business model. Cyber and data security should not be treated as a mere hygiene factor, but as a distinguishing USP. That is not just what customers expect; it is also how you win over departments such as Marketing, Sales and R&D.
Despite all the precautions, we know that 100% data security is wishful thinking. Digital risks increasingly have a major impact on your organisation. In addition, customers are increasingly critical in monitoring how you protect their data. Cyber insurance can be a very good solution to minimise the impact of these developments.
But the first step is always to investigate where a cyber incident would actually make an impact, and consider how to reduce that impact. Then you can decide whether or not to mitigate the residual risks through insurance.
Cyber insurance will cover the consequences of hacking, which includes data theft or system breach, data loss and operational shutdown, among other risks. The insurance policy will also provide compensation for the costs of crisis management and the use of ICT specialists.
The Three Commandments by Marsh
Make sure to involve your entire organisation in identifying the areas where an incident would have the biggest impact on your organisation. Your time and energy are limited, so make sure you invest them in the right things.
Get support from the right parties, and consider whether or not you want to solve this within your own organisation.
Make use of the 24/7 crisis management options covered by the cyber insurance policy and look at the big picture. What impact will your actions have on your entire organisation?
Learn from the incidents: Create a learning organisation, and adapt your risk management to the changing circumstances. An organisation and its risk profile often change faster than policies can keep up with.