I. Identification of the data controller

This information is exclusively for the relevant Data Protection Authority, not to be shared with third parties.

Template for data breach notifications I

Company name

Address

Postal code

Country

City

1. Details of the company

Name

Address

Postal code

Country

City

2. Contact person (to obtain complementary information)

Position

E-mail address

Telephone no.

3. Type of notification

Complete notification (fields included in sections II and III shall be completed within 72 hours after having become aware of the data breach)

Notification in two steps (fields included in section II shall be completed within the 72-hour notification period and fields included in section III shall be completed within four weeks after having become aware of the data breach)

II. Principal information on data breach

To be completed and shared with the Data Protection Authority within the first 72 hours after having become aware of it.

Template for data breach notifications II

1. Sector of affected party

Agriculture, forestry and fishing

Mining and quarrying

Manufacturing

Manufacture of food products, beverages and tobacco products

Manufacture of textiles, wearing apparel, leather and related products

Manufacture of wood and paper products; printing and reproduction of recorded media

Manufacture of coke and refined petroleum products

Manufacture of chemicals and chemical products

Manufacture of basic pharmaceutical products and pharmaceutical preparations

Manufacture of rubber and plastics products, and other non-metallic mineral products

Manufacture of basic metals and fabricated metal products, except machinery and equipment

Manufacture of computer, electronic and optical products

Manufacture of electrical equipment

Manufacture of machinery and equipment n.e.c.

Manufacture of transport equipment

Other manufacturing; repair and installation of machinery and equipment

Electricity, gas, steam and air conditioning supply

Water supply; sewerage, waste management and remediation

Construction

Wholesale and retail trade; repair of motor vehicles and motorcycles

Transportation and storage

Accommodation activities

Food service activities

Publishing, audio-visual and broadcasting activities

Telecommunications

IT and other information services

Financial and insurance activities

Real estate activities

Legal, accounting, management, architecture, engineering, technical testing and analysis activities


Scientific research and development

Other professional, scientific and technical activities

Administrative and support service activities

Public administration and defence; compulsory social security

Education

Human health activities

Residential care and social work activities

Arts, entertainment and recreation

Other service activities

Activities of households as employers; undifferentiated goods- and services-producing activities of households for own use

Activities of extraterritorial organizations and bodies

2. Size — number of employees

1-9

10-49

50-249

250-749

750-1000

> 1000

3. Size — turnover

≤ € 2 m

≤ € 10 m

≤ € 50 m

> € 50 m

4. Member state where business has its main establishment

Please select...

5. Member state where the breach took place

Please select...


6. Date/time of the breach

Hour Minute Day Month Year

7. Date/time of detection

Hour Minute Day Month Year

8. Are you aware of the cause of the breach? (please refer to Q8 in Section III if not)

Malicious attack

Internal

External

Accident (system failure)

Negligence (human error)

Other

Please specify...

9. If a result of a malicious attack, what caused the breach?

Trojans

Encryption

Cryptolockers

Distributed denial of service

Malware

CEO-fraud

Blackmailing

Other

Please specify...

10. Which is the likely impact of the breach?

Data publication

Data theft

Identity theft or fraud

Loss of data

Loss of confidentiality of personal data

Property damage

Direct financial loss

Business interruption

Liability issues

Damage to the reputation

Other


Please specify...

11. Type of data exploited/affected/stolen?

Personal

Sensitive (e.g. health/genetic data, etc.)

Non-personal

Non-sensitive

12. If personal, what is the encryption status of personal data?

Full

Partial

None

13. Has the breached data been subject to a Data Protection Impact Assessment (DPIA)?

Yes

No

14. What type of IT support does the company have?

Internal

External

15. What measures have been taken to mitigate the adverse effects of the breach?

Data recovery

Deletion of negative software

Replacement of destroyed property

External testing (i.e. ethical hackers, pen tests, etc.)

Enhancement of data security measures

Other

Please specify...

16. Does the company have insurance for the type of incident incurred?

Yes

No

III. Complementary information

To be completed and shared with the Data Protection Authority within a maximum of four weeks after having been made aware of the data breach.

Template for data breach notifications III

1. Date/time effects of attack ended

Hour Minute Day Month Year

2. Estimated financial damage

3. How many personal datasets were exploited/affected/stolen?

4. Have data subjects been notified of the data breach?

Yes

No

5. How many data subjects have been notified?

6. Estimated financial losses

Cost of notification

Financial damage

7. What has been done or planned to prevent this exploit from recurring?

Enhancement of data security measures and in particular:

Audit and redesign of data collection procedure

Audit and redesign of data processing procedure

Audit and re-evaluate the “Data processor” (if applicable)

Encryption of data at rest

Other

Please specify...

No data security measures were taken


8. What was the cause of the breach?

Malicious attack

Internal

Accident (system failure)

External

Negligence (human error)

Other

Please specify...

9. If known, what was the motivation behind the breach, in case of a malicious attack?

10. If known, what exploit software was used, in case of a malicious attack?

Ransomware

Malware

Phishing

SQL Injection Attack

Cross-site scripting (XSS)

Denial of Service (DoS)

Session hijacking

Credential reuse

Other

Please specify...

© Insurance Europe aisbl, September 2017