Breach Notification Rule? GDPR 72 hrs - Equifax took 40 DAYS


By Simon Townsend

Regardless of whether an organization is based in the EU or needs to comply with the General Data Protection Regulation (GDPR) and its 72-hour breach notification rule, taking 40 days to report a breach is arguably morally wrong and unacceptable in today's world. The recent breach at Equifax is not the largest of all time (that would be Yahoo!), but it has left 143 million US consumers worrying whether their personally identifiable information is now in the wrong hands, and it has been reported that Canadian and UK data may have been included as well. It is worth being precise about what the GDPR actually requires: under Article 33 a controller must notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, so the clock starts at discovery, not at the original intrusion. Measured that way, Equifax's 40 days between discovering the breach and disclosing it would have overrun the GDPR deadline by more than a month.

Many people will ask how this breach occurred and what could have been done to prevent it. Reports suggest that the attackers came in through a vulnerability in a web application, one which arguably should have been patched, or otherwise secured, long before. The real issue, however, is the time taken to respond and to kick off the remediation and disclosure process. The reason it took 40 days to report is unknown, but it will no doubt come down to a challenge many organizations face: IT teams and the business are not aligned, or not in sync, when it comes to technology, processes and workflows. IT itself is typically a set of siloed departments and groups. The web team is separate from the InfoSec team, the patching team separate from the service desk, each using its own tools and platforms and often cut off from the business as well. IT has grown over many years into something that is arguably far from unified, and a breach exposes exactly those gaps: the team that spots the intrusion, the team that owns the vulnerable system, and the people who must decide what to tell customers and regulators are rarely the same people, and the hand-offs between them are where the days go.

The EU GDPR is trying to make organizations realize the importance of data protection before it takes effect on 25 May 2018. There are many technologies that can help with tactical points across the GDPR's many articles, but the real message is about changing technology, people and processes together to create a more unified approach. A 72-hour window cannot be met by tooling alone: it requires an agreed definition of when the organization is "aware" of a breach, a rehearsed path from detection to the people who own disclosure, and the ability to establish quickly which systems and which data were affected.

About Simon Townsend

Simon Townsend is Chief Technologist, EMEA for Ivanti, specialising in Workspace management and security. Prior to his current role, Townsend served as Vice President of Product Management and Enterprise Technology of AppSense.

