Recovering from a Data Security Breach
It’s every business’s worst nightmare – losing control of your customer’s sensitive data. Data breaches are more common than ever before, with some of the biggest names in business being hit from Equifax to T Mobile.
A recent government survey found that over four in ten businesses (43%) and two in ten charities (19%) were at the receiving end of a cyber-security breach or attack in the last 12 months.
Reference: Cyber Security Breaches Survey 2018
Whether it’s just losing data through negligence or being a victim of a targeted attack, a data breach is a massive threat to any business.
And now it’s happened to you.
It’s time to find the right response and mitigation strategies to avoid heavy penalties, possible legal fees – should affected customers go down the litigation route — and even damaging ‘stop now’ orders that can end your operations until the breach is addressed.
The financial cost itself is a key concern for many businesses with the European data regulation GDPR coming into effect from May 25, 2018, organisations now stand to face a data protection breach fine of up to 2% of global turnover or €10 million, whichever is greater. The stakes have never been higher – debilitating fines combined with being forced to stop your operation.
Under the new GDPR, all organisations have to report certain types of personal data breach to the relevant supervisory authority – this could include specific industry bodies as well as the ICO. You will need to do this within 72 hours of finding out about the breach, where feasible.
How your organisation recovers from a data breach will depend largely on its response. Clear communication to the authorities and affected parties, a thorough investigation into the causes and clear procedures to prevent such incidents from happening again can all help speed up your business’ recovery.
Here’s what you need to do to minimise the damage:
Follow a Robust Data Breach Policy Response Plan
A typical one will include:
- Finding out what type of data breach it is.
- Is it a personal data breach under the Data Protection Act? Examples include the theft of a laptop, losing a USB stick, data being destroyed or sent to the wrong address etc. If this has happened to you, you will need to establish the likelihood and severity of the risk to individual’s rights and freedoms. You may also need to further establish if it’s an Unlawful use of Personal Data Breach. This is also known as a section 55 breach (a breach of section 55 of the Data Protection Act) where data has been unlawfully obtained or accessed. This guidance from the ICO should help you decide if the breach needs to be reported or not. Even if you decide you don’t need to report a breach, it’s vital to make sure you document it in detail so that you can justify your decision should it be questioned. If you do decide to report it, you will need to call the ICO helpline on 0303 123 1113 (open Monday to Friday between 9 am and 4:30 pm).
- Is it a Privacy and Electronic Communications Regulations (PECR) security breach? If you’re a telecoms or internet service provider, and your customer’s personal data has been breached, you will need to report this as a PECR security breach to the ICO. You will also need to inform customers if the breach is likely to impact on their privacy. The final step is to keep a breach log detailing the main facts about the breach, what its impact was and what steps were taken to address it.
- Plans for containing the breach and recovering data if possible. This includes but is not restricted to understanding what was compromised, securing all data and systems, attempting to retrieve or neutralise compromised data and notifying law enforcement if needed.
- Assessing the nature of the risk. Is it just a business disruption risk or could it possibly lead to a crime such as identity theft? Find out the type of data involved, how sensitive it is and whether it has been lost or stolen to understand the real risk involved.
- Notifying the concerned individuals or authorities without delay. It’s vital to inform individuals whose data may have been compromised and if possible provide guidance on how they can protect themselves as well as inform regulatory bodies so they can respond appropriately. You will need to notify sector specific regulatory bodies and the ICO if personal data has been compromised.
- Investigating the causes of the breach and asses the effectiveness of your organisation’s response to it. You will need to have a thorough review to see if there are systemic failures in your data management systems that could possibly cause a problem like this again.
Once a breach has occurred, it’s important to set up systems that will help protect your business in the future. Here are some ways to protect your business from future data breach threats.
Invest in Sound Digital Forensic Readiness Planning
The evolving field of digital forensics can help gather and streamline digital evidence for use in legal or law enforcement issues that could result in court action.
A forensic readiness plan involves setting up a proactive framework to ensure that an organisation collects and retains sufficient information, in a legally admissible manner, to help secure convictions should a data breach occur. It’s also useful in understanding precisely what was breached and to help mitigate the damage.
Robust and comprehensive security logging and data collection procedures, will help you understand what data has been seen, or harvested should a similar event happen in the future.
Plan for the Worst – and Test
It’s one thing to understand that you may have a vulnerability, but another thing to fully understand how many doors are open, and how wide – and then to slam them shut. A big part of our job is to help organisations plug their dam of commercially sensitive data leaks. Often only after engaging us for an information security exercise do they discover just how much they were being compromised.
Be Clear about Special Category Data
As well as commercially sensitive information (IP, trade secrets, pricing information), new Data Protection laws are very clear on Special Categories of Personally Identifiable Information (a class of PII described in GDPR’s Article 9) which include details about a person’s race, politics, religion and genetics to name a few.
Plan for the Future
The statutory authorities (e.g. the ICO in the UK) now have the power not only to impose fines, but to prevent an organisation processing data – which, in some industries, will entirely stop many companies operating whilst the breach is addressed.
As well as addressing specific GDPR / Data Protection concerns, many organisations may wish to include mitigation strategies for such events within their BCP (Business Continuity Planning) functions.
If you think you are at risk of a data breach, contact us today for advice and information.