GDPR and 72 Hour Breach Response
For most of us, the ease of accessing our money – Ipay, credit cards, PayPal – has been a ubiquitous feature of the internet age. Rather than carrying around a wallet, most of us use our phones, computers and apps to pay for goods and services. It is not without merit to imagine that, in a short period of years, instead of the old saying, “cash is king,” we could instead ask, “what’s cash?”
With this convenience, however, comes inherent risk. If you own a credit card, it is likely that you were one of the 140+ million people that were affected by the Equifax data breach late in 2017. According to Equifax, “The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.”
Yet, aside from the sheer magnitude of the breach – affecting nearly every American citizen with a credit report – the real headline is how Equifax handled notifying the public at large. According to CNN, “U.S. companies are required by law to quickly report any new information that could materially affect its financial outlook. The fact that Equifax discovered the breach on July 29 but did not disclose the problem until Sept. 7 raises questions about whether it followed those laws.”
With the rapidly approaching implementation of GDPR, however, companies are under strict guidance with how long they can wait to notify customers of problems, particularly a breach. According to the language of the law, “in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
There is NEVER a good time to have an accident or a breach, but the stark truth is that they happen, and the real question is how well companies are able to deal with the implications. Clarip is not only a privacy and consent management platform but also contains one of the largest known breach databases available in the market today. Drawing on publicly available sources, as well as the Dark Web, Clarip monitors whether one of your vendors/suppliers is experiencing a breach and notifies you immediately. That way, you can protect your company from any further data sharing and immediately “flip the switch.”
For CISOs, CIOs, and CPOs, the question is not whether a breach is likely to happen but rather when it is going to happen. As such, visit us at www.clarip.com and schedule a look at our breach database. In the event of a breach, time is critical, and with the aforementioned 72-hour deadline mandated by GDPR, it is even more so. Talk to Clarip about your breach response action plan – you won’t be disappointed!
More from Clarip:
Are you ready for the new CA privacy law? Start preparing compliance efforts with Clarip for the California Consumer Privacy Act. Enforcement starts January 1, 2020 so better start planning funding in your 2019 budget now.