GDPR regulations require all organisations to report certain types of personal data breach to the Information Commissioners Office (ICO) within 72 hours of becoming aware of the breach. Failure to do so is punishable by a fine (a maximum 4% of turnover). The ICO can also discipline organisations in other ways, such as enforcement actions and audits – so it is essential to have a plan in place ready to respond.
Critical 72 hours
So what is expected in the 72 hours prior to reporting a breach? What comes next?
The timeline below illustrates how the 72 hours following a Cyber-attack should play out to contain the breach, avoid penalties and minimise business disruption and reputational damage.
This is of course only the beginning of what can be a hugely expensive and time consuming process. System breaches can affect an organisation for weeks and sometimes months, with significant ongoing disruption and costs.
How does a Cyber Insurance policy help?
Cyber insurers’ claims teams deal with data breaches on a regular basis and have the experience to help guide effective decision making and fast action.
They will support their policy holders through the response process, make relevant legal and technical experts available as required. They will also cover the expense of fixing the breach and notifying anyone whose data has been lost.
Blue chip corporations may have much of the required expertise in house, but even so many buy cyber cover. Most SMEs lack this expertise and will flounder without expert help. Are you confident your business can react effectively to a data breach within the prescribed time line?
Speak to your broker about cyber cover to ensure you can…
Beneficial links to help expand your knowledge on GDPR