A data breach is not an "if" scenario. It's a "when."
The question is whether your organization has a playbook before it happens, or is making decisions under pressure, in public, with regulators watching.
GDPR mandates notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. That's three days. In most organizations, just figuring out what happened takes longer than that.
Phase 1: Detect
The average time to detect a data breach is 204 days (IBM Cost of a Data Breach Report 2023). That's 204 days during which data may be exfiltrated, sold, or published before you know about it.
Detection sources: your SIEM (Security Information and Event Management) system, endpoint detection tools, threat intelligence feeds, external researchers (bug bounty programs), or, worst case, a journalist or regulator telling you first.
The CDO's role in detection: ensure that data access logs are maintained and monitored. Abnormal access patterns (a user downloading 100,000 records they've never accessed before) should trigger alerts. Many breaches are insider threats or compromised credentials that look like normal access without behavioral analytics.
Phase 2: Contain
Stop the bleeding. Immediately upon detecting a breach:
Who is in the room: CDO, CISO, CTO, Legal, and a retained external incident response firm (you should have one on retainer before any breach, not trying to find one during it).
Phase 3: Assess
What data was accessed? What is the nature of the data (is it personal data under GDPR? Special category data? Financial data subject to other regulations?). How many individuals are affected? Is the data likely to result in harm to those individuals?
GDPR notification is required when the breach is "likely to result in a risk to the rights and freedoms of natural persons." Not every breach triggers notification, but assessing this accurately under time pressure requires pre-established criteria.
Vérification des acquis
1. Under GDPR, within what timeframe must an organization notify the supervisory authority of a personal data breach?
2. According to the IBM Cost of a Data Breach Report 2023 cited in the lesson, what is the average time to detect a data breach?
3. Why does the lesson advise isolating affected systems rather than taking them fully offline during containment?
4. Select ALL the actions the lesson recommends taking immediately during the Containment phase:
Sélectionnez toutes les réponses correctes.
5. Select ALL the parties the lesson identifies as belonging 'in the room' during breach containment:
Sélectionnez toutes les réponses correctes.
Phase 4: Notify
If the breach triggers notification obligations:
Regulator notification (GDPR: 72 hours from awareness): Submit to the relevant supervisory authority. The notification must include: nature of the breach, categories and approximate number of data subjects affected, contact details for the DPO, likely consequences of the breach, measures taken or proposed.
Individual notification (where required): If the breach is "likely to result in a high risk to the rights and freedoms of natural persons," individuals must also be notified, without undue delay. The communication must be in clear, plain language.
Other regulatory notifications: Financial services firms face additional notification requirements (PRA/FCA in the UK, SEC in the US). Healthcare organizations face HIPAAHIPAAHealth Insurance Portability and Accountability Act, loi américaine imposant la protection des données de santé (PHI). Violations : amendes jusqu'à 1,9M$ par catégorie de violation. notification requirements (60 days from discovery). Know your sector-specific obligations before you need them.
Phase 5: Remediate and Learn
After containment: fix the vulnerability, implement additional controls, review the incident response process. The post-incident review (within 2 weeks of resolution) should answer: What happened? How was it detected? How could detection have been faster? What controls failed? What would we do differently?
The organizations that respond well to breaches have practiced. A tabletop exercise is a simulated breach scenario played out in a conference room with all key stakeholders: security team, legal, CDO, CEO, communications. You walk through: "It's Tuesday morning. A security researcher emails us saying they have 500,000 customer records. What do we do in the next hour? The next six hours? By end of day?"
These exercises reveal gaps in your process before a real breach does. Run one annually at minimum, more frequently if you operate in a high-threat sector.
In September 2018, British Airways disclosed a data breach affecting 500,000 customers. Attackers had modified BA's website to skim payment card details, a sophisticated "Magecart" attack that went undetected for two months.
The ICO fined BA £20 million (reduced from a proposed £183 million due to COVID-19). The breach was directly attributable to inadequate security measures, specifically, failure to detect anomalous outboundoutboundProactive outreach that pushes your message to targeted audiences through advertising, email, or direct prospecting, initiated by the seller rather than the buyer.Voir la définition complète → connections from their website.
The lesson: the breach wasn't the fine. The breach plus the two-month detection gap plus the inadequate security controls was the fine. The CDO and CISO who had implemented behavioral monitoring and data access anomaly detection would have caught this in days, not months.