Planning for a Data Breach – are businesses ready to meet their legal obligations?


By Natasja Bolton, Senior Acquirer Support QSA




All merchants self-assessing their Payment Card Industry Data Security Standard (PCI DSS) compliance now need to have an incident response plan – a plan to be implemented in the event of a security incident or data breach.


For the majority of these merchants, the PCI DSS incident response plan requirement is simply to ‘create one’ (PCI DSS Requirement 12.10.1.a). In working to meet this requirement, however, many merchants may not fully think through what creating an incident response plan really means for their business.


They may therefore not be fully prepared for the incidents and events that could occur and that could have a detrimental impact on their business.


Having an incident response plan means that the business has thought about and planned ahead for all types of incidents and security events, including anything that could affect its ability to operate, serve its customers and deliver services.


An incident response plan helps businesses to respond to incidents in a timely and effective manner, to maintain business continuity and thereby minimise the impact on their customers and their business.


Sysnet believe that merchants should use the PCI DSS obligation to have an incident response plan in place as their starting point to properly consider their business preparedness and resilience in the face of a data breach or disaster. All merchants, regardless of the Self-Assessment Questionnaire (SAQ) they are required to complete, should be referring to all of the PCI DSS controls in Requirement 12.10.


Following this guidance will help them develop a comprehensive plan for incident response and business continuity. The PCI DSS requirements ask businesses to define roles, responsibilities and contacts, to plan for all potential incident types that could affect their business critical systems, and to consider legal requirements for reporting compromises.




International legislation

Indeed, recent EU legislation makes consideration of legal requirements for breach notification more than just a North American or South African concern. The EU’s General Data Protection Regulation (GDPR) was adopted in spring this year and requires organisations handling the personal data of individuals in the EU to meet tougher data security rules and to comply with new data breach notification requirements: a personal data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, and to the affected individuals without undue delay where the breach is likely to result in a high risk to them.


While the GDPR does not yet apply (it takes effect on 25 May 2018), it will apply equally across all EU member countries as a directly applicable regulation, and it will require compliance from organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU and handle their personal data (including records of customer details and payment details).


Laws requiring notification of data breaches to the affected individuals aren’t new. They began in California in 2003, and since then the majority of US states have adopted notification laws of varying strengths; a Federal law is under consideration.


South Africa’s 2013 ‘Protection of Personal Information Act’ includes a requirement for notification of the affected data subject in the event of a breach. In Canada, the recent ‘Digital Privacy Act’ adopted a number of privacy law changes including breach reporting and notification, although those provisions will not take effect until the supporting regulations, which set out how data breach notification is to work, have been finalised.


Many other countries are considering mandatory data breach notification as part of their reviews of data privacy laws. For the latest information, Sysnet recommends reviewing the country-by-country guidance on global law firm DLA Piper’s Data Protection Laws of the World or ICLG’s Data Protection Comparison site.


What this goes to show is that legal requirements are continually evolving. Therefore, not only do businesses need to create an incident response plan, they also need to review and test that plan at least annually (per PCI DSS Requirement 12.10.2) in order to make sure it is up to date.


In order to help your merchant businesses with the definition and documentation of their Incident Response Plan, Sysnet has created a template document – Download the Security Incident Response Plan Template. Businesses can walk through and update this template to suit their organisation.


In going through each section, the business needs to consider who in the business fulfils incident response roles and responsibilities, who its key contacts are for reporting and responding to incidents, and the steps it will need to take in response to an incident. These are all critical factors in making sure that the business is prepared for incidents that could impact its business activities and expose the personal data it holds.

