Emma Burnett (CMS): "CMS Breach Assistant is practical tool for navigating a data breach"
1. What is the purpose of CMS Breach Assistant?
For most businesses, the question is not if they will experience a data breach, but when it will happen. When businesses face a data breach or a suspected data breach involving personal data, they need clear guidance on what to do and they need it quickly. Data breaches may trigger notification obligations to authorities in more than one jurisdiction, but the relevant authorities that must be notified, and the process for notifying them, may not always be obvious.
Finding this information in tight timeframes is challenging. These conditions are made more complex by the patchwork of maturity of data protection legislation and regulation across jurisdictions. For certain businesses in regulated sectors, data breaches may trigger notification obligations to other sector regulatory bodies in addition to or instead of data protection authorities under the GDPR and local data protection laws (and/or affected individuals).
The CMS Breach Assistant is an innovative mobile platform developed with the deep expertise of global law firm CMS, arming businesses with information and guidance to more quickly assemble and act once a data breach has been identified. Its purpose is to give any affected business a head start during the first critical hours of a data breach by helping key executives responsible for compliance with GDPR and sector regulations applicable to their businesses to quickly understand and deal with the situation. Easily accessible from a smartphone while on the move, the CMS Breach Assistant offers advice relevant to a wide range of sectors and jurisdictions.
2. Is this platform exclusively for CMS clients or also for other users?
The CMS Breach Assistant is available for anyone to download for iPhone and Android in the app store – search “CMS Breach Assistant”. We have a CMS Breach Assistant basic version which is free for anyone to download and also a paid-for “CMS Breach Assistant PLUS” version sold on a subscription basis for a set number of user licences. Organisations do not have to be existing clients of CMS to download the free version of the CMS Breach Assistant nor to purchase a subscription.
Both the free and the paid-for versions provide valuable content but the CMS Breach Assistant PLUS version has enhanced sector-specific content and features, particularly geared towards global organisations that may face the complex situation of dealing with a cross-border data breach.
3. Will the user be able to maintain direct contact with a CMS lawyer?
CMS has over 200 data protection lawyers (including the former head of the Spanish data protection regulator). The CMS Breach Assistant provides contact details for key CMS data protection lawyers for the jurisdictions covered in the app, which includes the UK and 28 EEA jurisdictions (for free) and nearly 100 non-EEA jurisdictions worldwide (by subscription). Europe, Latin America, Africa, Asia and the Middle East are all covered. For the UK and 18 key EEA jurisdictions, an emergency button on the free version of the CMS Breach Assistant allows users to send a direct emergency email to the team of CMS data breach response lawyers in their jurisdiction for further support.
Not only does CMS Breach Assistant enable users to contact CMS data protection lawyers quickly, but the CMS Breach Assistant PLUS has an in-platform email feature which enables users to notify and mobilise their internal data breach response teams.
4. In addition to legal information, does this platform provide practical documents?
The CMS Breach Assistant focuses on the legal and regulatory aspects of data breach response, such as reporting to regulators, informing affected data subjects and dealing with enforcement action. It also provides useful information that can be used by organisations in their data breach response planning. Beyond guidance, the platform offers various practical tools and useful functionalities.
The free version contains the following information and practical tools:
• Data breach guidance: guidance (including practical questionnaires) on what you need to do and who you need to notify in the event of a data breach (or suspected data breach) involving personal data under the GDPR and local laws in over 19 European jurisdictions (including the UK), as well as local regulator details, guidance on notifying regulators and/or individuals and answers to common data breach notification queries.
• Time limits: detailed guidance on GDPR notification time limits.
• Notification forms: links to data breach notification forms of local data protection regulators in over 19 European jurisdictions (including the UK).
By subscription, users can access the following information and practical tools:
• Data breach guidance in nearly 100 additional jurisdictions: guidance on what you need to do and who you need to notify in the event of a data breach (or suspected data breach) involving personal data in nearly 100 jurisdictions (Europe, Latin America, Africa, Asia and the Middle East are all covered), including (where applicable and available):
   ◦ Supervisory / data protection authority name and website;
   ◦ Relevant local data protection statutes and regulations (and links to English language versions where available), key definitions and jurisdiction of such statutes and regulations;
   ◦ Local law requirements (including when breach notification is triggered in a jurisdiction and different time limits for notification); and
   ◦ How to notify supervisory / data protection authority and what information must be provided, including links to data protection authority websites / data breach notification forms of local data protection authorities in the jurisdiction.
• Sector-specific data breach notification information in certain key jurisdictions, including information on the energy, financial services, telecoms, healthcare and life sciences, marketing and advertising, pensions and e-ID and trust services sectors.
• An interactive data breach response checklist providing practical advice for dealing with a personal data breach in an interactive format.
• Detailed guidance on GDPR enforcement action and remedies.
• Detailed guidance on key legal and technical definitions under data protection legislation and other relevant laws in your selected country (currently EU-wide and UK only).
5. This platform is about providing information on data protection. Are there plans to provide information on other legal matters?
The CMS Breach Assistant is a comprehensive source of guidance and a practical tool for navigating a data breach. We will continue to build out international content, based on which jurisdictions are most in demand, especially according to client feedback. In the past four months, for example, we have added enhanced sector content on Brazil, Singapore and South Africa where the data protection regimes have seen major regulatory change. The CMS Breach Assistant does not stand alone – it sits within a broad suite of services and tools that CMS’s team of over 200 data protection lawyers provides to clients across multiple sectors.
CMS is always exploring and inventing innovative ways to support its clients and enable quick access to easy-to-understand and practical guidance. The firm has a pipeline of new products in a broad range of legal areas.