Overview
Cybersecurity Law Report quoted Charles Helleputte in a January 20 article titled "Disputed Twitter Fine Offers Breach Response Lessons." The article discusses Ireland's first General Data Protection Regulation (GDPR) fine against a big tech company for reporting a breach late and inadequately documenting its actions, including missing the GDPR's 72-hour notification deadline.
Helleputte says most companies are making disclosures in phases. "Virtually no one can make one notification with a final stop. It's just impossible to be ready with all of the facts," he adds. Nonetheless, "the [supervisory] authority may question why the company could not identify within a reasonable time frame the magnitude of what is happening."
Helleputte says the authorities expect to see the company taking a systematic, planned approach to examining the risks to data subjects. "Companies should have a sound risk-scoring methodology to make sure that they can" concretely explain their understanding of the breach's potential for harm. When a company adopts an external methodology, regulators expect the company to tailor it to its organization's features, Helleputte adds.
The full article can be read at Cybersecurity Law Report (subscription required).