Last updated at Mon, 17 Apr 2023 22:43:29 GMT

Sorry Nena, it was going to be you or Prince that was going to get the headline, and whilst 99 Red Balloons is a catchy 80’s classic, I had to give credit to His Royal Purpleness. It was that or pay tribute to a childhood favourite vanilla ‘whippy’ ice cream, adorned with a Cadbury’s Flake, but I’m not so sure that would resonate so well with a global audience.

“Why 99?”, you may ask. Why not a nice round hundred? Well, 99 is relevant for two very important reasons: Firstly, per the title, today marks 99 days until the General Data Protection Regulation (GDPR) comes into force. Secondly, the average time to detect that a breach has occurred is 99 days. So we’re now within the Averages Window, and this is a pretty key milestone.

The GDPR covers many different topics (our GDPR blog posts are a good read if you’re looking for more general preparation ideas) and one of those topics is breach notification. Articles 33 and 34 of the GDPR cover this requirement; essentially organisations have 72 hours to report a personal data breach if there is a significant risk to the impacted data subjects (aka “living people”). The 72 hour clock starts ticking at the point of breach discovery, not at the time the breach actually occurred, so if we go with the aforementioned average, that’s 102 days from when an attacker bust through the defences and did something untoward with the data. (For the record, there are no good songs with 102 in the title—I checked, and with an IMDB score of 4.9 I’m not going to give 102 Dalmatians blog title airtime. Sorry, Walt. Those EDMs fans amongst our readership will be overjoyed to know that there is a track called 72 hours...)

The next question you may ask is “what counts as discovery?”, and that is indeed a great question. Working Party 29, the group responsible for helping untangle the legalese vagueness of the GDPR, are on hand to help. They have issued draft guidelines to help organisations better prepare, including giving clarification on what counts as a personal data breach. The guidelines are accessible here (which downloads a pdf file), and you can read a helpful article here, from legal firm Bird & Bird (other legal counsel options are available; always read the label.).

Let’s get back to 99 for a moment. 99 days is an age in breach terms. Yes, it’s dropped from 146, or 201, or 205, or 320, depending on the piece of past research you wish to read, but it’s still a bloody long time whichever way you look at it. At the point of discovery, it’s highly likely the attackers are long gone, but trying to unpick exactly what went on over 14 weeks ago is not the easiest of tasks. In addition, you only have 3 days to work out the fundamentals, assuming you have round the clock incident response folks at your disposal.

In the next 99 days, breaches will continue to occur and unfortunately go unnoticed, but there’s one fundamental difference coming down the pipe, which is the upcoming regulatory change around notification. Now, I am in no way suggesting that it’s better to find out before GDPR comes in to effect so that you don’t necessarily need to notify (many other regulations already include this requirement today). As a human who shares data with a multitude of organisations, I am a big fan of breach notification, and the related requirements to keep my personal data as safe as possible. But, I would like you to take some time to think about how prepared your organisation is to both detect and respond to breach. Do you have the right people, process, and technology in place? When did you last update your incident response plan? When did your incident response program last get put through its paces, via a penetration test or firedrill exercise such as a threat simulation (aka a tabletop exercise)? Do you have the ability to spot the usage of compromised credentials within your environment? Now is the time to look hard at the overall breach readiness of your organisation. Making changes now could make the difference between needing to send notifications to a Supervisory Authority, and indeed your customers. Ideally, you want to be able to spot attackers earlier in the attack chain, investigate quickly, and respond with confidence.