Hiscox comment on new EU data protection law and data loss alerts
February 2012 by Hiscox Groupe
Following the announcement of the new proposed European data protection law, Matthew Norris, e-risk and privacy expert at specialist SME insurer Hiscox, comments.
“The data loss notification aspect of the new proposed law is part of a wider picture of increasing pressure on companies to be able to detect and respond to data breaches quickly. Some businesses have suffered high profile data losses in the past year and the speed and response in such cases are crucial in limiting the adverse effects of a breach.
“The proposed law directs that certain internet businesses need to contact regulators within 24 hours after an attack, and data subjects “as soon as reasonably feasible”, but it can be challenging for a company to be able to report on a complicated data breach within that time. Realistically, many breaches will still be in the process of being forensically investigated at this stage, making it all the more essential to have an incident response plan agreed and in place. This means the business will be able to respond with as much detail as possible in as short a period as possible. This is especially important to minimise damage to the brand and avoid potential penalties.”
It is essential for businesses to have a resilient incident response plan to minimise the damage in the case of a data breach. In preparation for a breach, such a plan would include:
• Nominate an individual who is responsible for swiftly initiating contact with the forensic company in the case of a breach
• Determine when it is appropriate to involve a lawyer, for example to maintain legal advice and litigation privilege if the forensic report reveals adverse facts
• Nominate a forensic company to work with in the case of a breach
• Agree with the forensic company the type of instructions and contract it requires to start work
• Agree the forensic company's hourly rates as part of the contract.