SOAR Breach Response add-on updates V1.10.24
The SOAR Breach Response add-on includes updated regulators and a new regulator in this release.
We always appreciate feedback on current legislation and guidance whether it appears in our product or not. Contact your Customer Relationship Manager if you have any questions about these updates or suggestions for future updates. You can also use the IBM Community to see how your peers are using the Privacy solution to simplify the complex world of information security.
The following regulators were updated in this release.
| Regulator | Description |
|---|---|
| **US** | |
| Texas | Updated this regulator pursuant to the Texas Data Privacy and Security Act. Specifically, updated the "Resource Library" to include the link to, and key provisions of, the Texas Data Privacy and Security Act. Also updated the "Data Types" that trigger the notification task for this regulator to include "Immigration and Citizenship Status" as a new data type, as provided under the Texas Data Privacy and Security Act. |
| FTC (Health) | Updated this regulator pursuant to the amended FTC Health Breach Notification Rule (16 CFR Part 318) and the FTC's Guidance on Complying with the Health Breach Notification Rule. Updated the link to the primary resource and the relevant provisions in the Resource Library. Updated the timeframe logic of the "Notify FTC (500 or more affected individuals)" task from 10 days to 60 days, and updated the language of the same task from "10 days after the discovery of a breach" to "contemporaneous with the notice to affected individuals". Updated the language of the "Notify [State] Consumers Individually" task and the "Notify Consumers of Unknown Residency (FTC Health)" task. Specifically, revised the required notice content and notice method, and added the notice timeframe for third-party service providers, the link to the FTC's notice template, and the permitted delay exception. Updated the language of the "Notify [State] Media" task by adding the permitted delay exception. |
| **Latin America** | |
| Brazil | Updated this regulator pursuant to the new Security Incident Reporting Regulations, which establish procedures for reporting security incidents under the LGPD, and the latest ANPD guidance. Updated the link to the primary resource and the relevant provisions in the Resource Library. Updated the notification timeframe logic for both the "Notify the National Data Protection Authority (Brazil)" and "Notify Affected Individuals (Brazil)" tasks from 2 days to 3 days. Added a new task: "Record the Incident (Brazil)". Updated the language of the "Assess the Risk (Brazil)" task by adding the criteria for an incident considered to cause risks or damages to data subjects; updated the language of the "Notify the National Data Protection Authority (Brazil)" task by changing the notification timeframe, updating the required notice content, and replacing the outdated ANPD notification form with a link to the ANPD online portal; updated the language of the "Notify Affected Individuals (Brazil)" task by changing the notification timeframe, updating the required notice content, and adding substitute notification methods. |