What’s the inside scoop on data breach response and preparedness? 🌳🌳🌳Canopy recently joined Punit Bhatia on The Fit4Privacy Podcast to discuss data privacy regulations, industry trends and lessons learned, dealing with unstructured data, and more. Here’s a recap:
How would Canopy define GDPR in one word?
Complex. It covers a lot of ground, so it has to speak to many different scenarios — from data breach response and notification to cookie consent. The sheer breadth of the regulations requires complexity. GDPR is important and regulators’ hearts were in the right place, even if the execution was a bit off.
What lessons can data breach response teach us about privacy preparedness?
Canopy doesn’t directly work with breached companies: our Data Breach Response Partners provide data mining, PII review, and entity consolidation services using our software. But because our software is used by service providers around the world, we have a global perspective and have witnessed some trends.
One of the key insights we’ve gathered on the data breach response side of things is that companies don’t know with certainty or specificity what’s in their emails and file shares, so there are large buckets of unknown, unstructured data floating around. Business email compromises (BECs) and ransomware attacks on file shares also make up the vast majority of data breaches.
Getting your arms around this data is critical to understanding your company’s risk, but for years, there hasn’t been a great vector into that. There have been two main approaches to a privacy audit:
- Having software crawl intranets to provide a sense of where data lives.
- Running tabletop exercises and surveys to gauge PII disclosure risks.
Both of these approaches are flawed and/or incomplete on their own. The first is difficult because privacy audits aren’t one-size-fits-all — they should be customized to meet each company’s unique needs based on their size, sector, jurisdiction, and other variables. The major flaw of the second is that most people don’t think about or know the details of their day-to-day data handling.
How can companies comply with GDPR’s 72-hour breach notification rule?
Data breach response is a new space. It didn’t exist ten years ago, so there wasn’t a bunch of robust software keeping up with this problem. When GDPR’s 72-hour notification timeline was passed, that served as the North Star: solutions providers knew what they needed to work toward in developing purpose-built tools and processes.
Understanding what’s in a potentially compromised data set is a daunting task. It’s not unusual for a 50 GB PST to contain 500,000 or even 1 million emails, and reviewing all of those emails for PII within 3 days just wasn’t feasible when companies were still relying on search terms and regular expressions, before Canopy’s AI-powered software came along.
What about ediscovery — isn’t it basically the same as data breach response?
In short, no. A few people on the Canopy Team have extensive ediscovery experience, so we know with specificity how these two areas are different. While ediscovery is adjacent and similar in some ways, it aims to answer a totally different problem:
- Ediscovery determines whether documents in a data set are legally relevant based on keywords, custodians, dates, and other variables that change case by case.
- Data Breach Response determines if there is PII in a data set (and if so, whose it is) based on set regulations that do not change.
Given ediscovery’s constantly changing nature, applying AI is tricky, so companies are stuck with more customizable — and therefore slower — tools and methods. Alternatively, because the definitions of “what is PII” and “what is a person” are consistent, AI is incredibly well-positioned to make Data Breach Response faster, more accurate, and more cost-effective.
How are structured and unstructured data handled differently in breach response?
Structured data is typically easier to process and data mine because you typically know the business reason and generally what types of data it contains. You may not have the specifics, but PII review will still likely be easier and faster.
Unstructured data, on the other hand, is the Wild West. But processing and data mining in breach response is the same every single time: As long as you know what sector(s) and jurisdiction(s) you’re dealing with, you know exactly what types of PII you’re looking for. So the problem is tightly defined, specific, and consistent, making AI the perfect solution. Because AI works so much faster and more accurately than humans, it is often the only way to assess massive or even moderately sized data sets in compliance with GDPR and other regulations’ strict timeframes.
What tips do you have for companies that have been breached?
If you have cyber insurance, they should be your first call. This is a space where your claims manager can guide you: they know which lawyers to call and what service providers to contact. Speaking of lawyers, make sure to involve legal counsel as quickly as possible as well. From there, you’ll want to get your data into a tool like Canopy’s Data Breach Response software to data mine and complete a PII review within that 72-hour window.
It’s also important to remember that compromises are now a question of when, not if. A 2021 Arctic Wolf survey reported that one-third of enterprises have suffered a six-figure data breach in the past year. So do your best to mitigate risk proactively, but be prepared with the right people, tools, and processes to respond quickly if you are attacked.
Want to hear more? You can listen to the full episode on Fit4Privacy’s website, or tune in wherever you listen to podcasts. Episode 58: Data Breach Response with Adi Elliott and Punit Bhatia originally aired on May 4, 2022.