Step 9 of the Belgian Privacy Commission’s guide to getting started with GDPR compliance concerns detecting, analyzing, and dealing with the fallout of a data breach. The recent recall and re-issue of Estonia’s smartcard IDs brought home to me that public relations (PR) planning is an essential part of breach preparation, not to protect the public’s privacy (PR can’t do anything to remedy a breach), but to mitigate the reputational damage to the firm. Continue reading “Data-breach preparation: don’t forget the PR”
One of the largest credit-rating bureaus in the United States suffered a data breach in May 2017 (link). This breach, not discovered until the following July, was made public only in September. According to Equifax, the exposed data includes names, birth dates, credit-card numbers, and Social Security numbers (an important ID number for U.S. citizens and residents), among other things (link).
About half of the adults in the U.S. were exposed (link), along with some 44 million UK consumers (link). Although most of the victims are U.S. residents who will not be protected by the GDPR, there is probably a large number of affected persons across the EU who are U.S. or U.K. citizens, and for whom GDPR protections will apply as of next May. For someone trying to gauge the impact of the GDPR on data controllers and processors (as I assume you are if you are reading this), the Equifax case poses a number of questions. Continue reading “U.S. credit-rating agency suffers mega-breach”