SOAR Breach Response add-on updates V1.10.21
The SOAR Breach Response add-on includes updated regulators and a new regulator in this release.
We always appreciate feedback on current legislation and guidance whether it appears in our product or not. Contact your Customer Relationship Manager if you have any questions about these updates or suggestions for future updates. You can also use the IBM Community to see how your peers are using the Privacy solution to simplify the complex world of information security.
The following regulators were added in this release.
Regulator | Description |
---|---|
Africa | |
Somalia | Data Protection Act 2023 Requirements and Timing: The Data Protection Act of Somalia establishes rules relating to the protection of natural persons from risks arising from the processing of personal data. In the case of a personal data breach, the data controller must notify the Data Protection Authority within 72 hours after discovery of the breach. The new regulator includes the following tasks: |
The following regulators were updated in this release.
Regulator | Description |
---|---|
US | |
Utah | Updated the Resource Library to reflect the amendments to 13-44-202, Personal information – Disclosure of system security breach. Updated the language of the “Notify UT State AG and Utah Cyber Center” task by adding the required notification contents in line with the amendments. |
FCC | Updated the Resource Library to reflect the amendments to 47 CFR Part 64, Subparts U and EE. Updated the tooltip language. Changed the personal data type trigger from “CNPI” only to cover any “personally identifiable information”. Changed the timeframe of the “Notify Customers” task from “24 hours” to “30 days” and added the required notice content to the task language. Added a new task: “Submit An Annual Report of Small Breaches”. Updated the URL of the FCC central reporting facility in the language of the two aforementioned tasks. Updated the language of the “Notify the FCC, US Secret Services and FBI” task by adding the required notice content and the notification exemption. |
CMS | Updated the Resource Library to reflect FISMA 2014, the Federal Incident Notification Guidelines, the CMS Risk Management Handbook Chapter 8 (IR), and the CMS Breach Response Handbook. Changed the name of the “Notify US-CERT” task to “Notify CISA”, and updated the task language by narrowing notifiable breaches to “Major Incident” and adding the online reporting link and the CISA contact information. Updated the language of the “Report to Congress” task by adding notification considerations. Updated the language of the “Notify Affected Individuals” task by adding the notification method. Updated the language of the “Notify CMS IT Service Desk” task by replacing the link to the Incident Response Risk Management Handbook with a link to the Breach Response Handbook. |
DARS/DoD | Updated the Resource Library to reflect FISMA 2014 and the Federal Incident Notification Guidelines. Changed the name of the “Notify US-CERT” task to “Notify CISA”, and updated the task language by narrowing notifiable breaches to “Major Incident” and adding the online reporting link and the CISA contact information. Updated the language of the “Report to Congress” task by adding notification considerations. Updated the language of the “Notify Affected Individuals” task by adding the notification method. |
OMB | Updated the Resource Library to reflect FISMA 2014 and the Federal Incident Notification Guidelines. Changed the name of the “Notify US-CERT” task to “Notify CISA”, and updated the task language by narrowing notifiable breaches to “Major Incident” and adding the online reporting link and the CISA contact information. Updated the language of the “Report to Congress” task by adding notification considerations. Updated the language of the “Notify Affected Individuals” task by adding the notification method. |
FISMA | Updated the Resource Library to reflect FISMA 2014 and the Federal Incident Notification Guidelines. Changed the name of the “Notify US-CERT” task to “Notify CISA”, and updated the task language by narrowing notifiable breaches to “Major Incident” and adding the online reporting link and the CISA contact information. Updated the language of the “Report to Congress” task by adding notification considerations. Updated the language of the “Notify Affected Individuals” task by adding the notification method. |
Europe | |
Georgia (Country) | Updated the Resource Library to reflect The Criteria for Determining an Incident that Poses a Significant Threat to Basic Human Rights and Freedoms and the Procedures for Reporting an Incident to the Personal Data Protection Services. Added a new task, “Assess the Risk”, with risk assessment criteria, and updated the language of the “Notify the Supervisory Authority” task by adding the required notice content and a link to online reporting. |
EU Telecoms & ISPs | Updated the links to breach reporting or DPA contact information for various EU nations in the Resource Library. Changed the timeframe of the “Notify Affected Individuals” task from “without unreasonable delay (45 days)” to “without undue delay (15 days)” and updated the task language by adding the required notice content and the permitted delay. |