
Forensic Breach Response in Compliance with GDPR

Serenhov, Madeleine LU (2018) EITM01 20181
Department of Electrical and Information Technology
Abstract
Modifications and new approaches to breach response and forensic investigations for compliance with the General Data Protection Regulation, GDPR, are to be expected in May 2018. This paper brings forth the conclusion that engagement from top management is crucial in order to comply with the GDPR requirements. The importance of having a vision and a strategy that address the matters of breach response, so that resources can enable procedures for an investigation, is articulated. To enable appropriate countermeasures, a clear understanding of the regulation is essential; it is presented in terms of the severity of risk to the rights and freedoms of an individual, including the required actions to take upon a breach and the time-frame of each obligation. Furthermore, the report discusses an approach to approximating the number of individuals affected by a breach by looking at the intrusion point. This is an essential step, since every incident report that needs to be communicated to Datainspektionen must assess the approximate number of individuals affected. Assessing the effects of an incident through the intrusion-point approach is an initial step before the forensic analyst can define the exact number of affected individuals.
Popular Abstract
Some of the greatest challenges organizations face today are the information security threats, vulnerabilities and risks that all too often reach the state of an incident. Some may argue, the less detected the better. Reporting incidents in the era of the General Data Protection Regulation, GDPR, appears not to be in organizations' favor. They may liken the incident notification process to raising their hands on the highway, announcing they are driving too fast and would like to have a speeding ticket. Will applied sanctions foster an absence of speed indicators, in other words, weak detection systems?

Absence of evidence is not evidence of absence. If not reported, sanctions will be higher and individuals might be at risk. Breaches are becoming unavoidable, and information that is kept might actually cause damage and personally detrimental impact if leaked. Organizations may face severe reputational and financial impact. GDPR, valid from 25 May 2018 when PUL, the current Swedish privacy protection law, will be abolished, addresses this matter through regulatory challenges. Well-managed breach response could save a company from losing both their customers' trust and money.

Breach notifications should be made to the national supervisory authority, Datainspektionen, and when necessary to affected individuals. However, the process of identifying which individuals should be notified, and exactly which records have been compromised, is commonly underestimated. No matter how good the forensic analyst is, if there are no logs to analyze or if the investigation starts too late, there will be challenges in obtaining the requested information. The organization itself should provide the analyst with the best feasible environment for performing an investigation, providing relevant contacts and information and granting access together with searchable and relevant logs. It is essential to discover the breach in time, to be able to contain it and narrow down the number of affected individuals.

This paper investigates the adoption of new and altered obligations in incident response and establishes guidance in accordance with GDPR on how to conduct the procedures for breach notification. The paper brings forth the conclusion that engagement from top management is crucial. Having an information security vision and strategy that enables a proactive culture is the first fundamental step towards giving the forensic analyst the best feasible environment for identifying which records have been compromised.
author: Serenhov, Madeleine LU
course: EITM01 20181
type: H2 - Master's Degree (Two Years)
keywords: GDPR, Breach response, Compliance, Breach notification
report number: LU/LTH-EIT 2018-616
language: English
id: 8938272
date added to LUP: 2018-06-12 14:31:39
date last changed: 2018-06-12 14:31:39
@misc{8938272,
  abstract     = {Modifications and new approaches for breach response and forensic investigations
for compliance with the General Data Protection Regulation, GDPR, is to be expected
in May 2018. This paper brings forth the conclusion that engagement from
top management is crucial in order to comply with the GDPR requirements. The
importance of having a vision and a strategy assessing the matters of breach response,
so that resources can enable procedures for an investigation, is articulated.
To enable appropriate countermeasures, a clear understanding of the regulation is
essential and presented in terms of severity of risk to the rights and freedoms of an
individual. Including required actions to take upon a breach and the time-frame
of each obligation. Furthermore, the report discusses an approach to approximate
the number of individuals being affected by a breach, through looking at the intrusion
point. This is an essential step since every incident report that needs to
be communicated to Datainspektionen needs to assess the approximate number
of individuals affected. Assessing the effects of an incident through the intrusion
point-approach, is an initial step before the forensic analyst may define the exact
number of affected individuals.},
  author       = {Serenhov, Madeleine},
  keyword      = {GDPR,Breach response,Compliance,Breach notification},
  language     = {eng},
  note         = {Student Paper},
  title        = {Forensic Breach Response in Compliance with GDPR},
  year         = {2018},
}