How to assess the risks of a data breach
What is it with airlines? An ever-growing list have suffered data breaches, the numbers affected are huge and class actions are underway. The risks these breaches pose for the thousands affected will clearly vary depending on the nature of the breach and the personal information involved.
This raises burning questions for others (thankful at this point that it isn’t them in the spotlight), such as:
- How do you assess the actual risk to people when a data breach happens?
- When should you notify the ICO (or other relevant Data Protection Authority)?
The Information Commissioner’s Office (ICO) is not interested in hearing about every little incident if it’s unlikely there’s any risk to people. In the early days of GDPR, the UK regulator clearly indicated there had been a degree of over-reporting. However, it’s a delicate balance: you don’t want to fail to report a data breach when you should have reported it.
How do you assess if a data breach is likely to represent a risk?
Each incident needs to be considered on a case-by-case basis, taking into account all relevant factors. No two incidents are likely to be the same (unless you failed to address something crucial the first time around).
Once you have established the facts (the what, when, who, how, where) and made sure the breach is no longer ongoing, you then need to balance the severity of the potential impact on those affected against the likelihood of that impact occurring.
10 questions to ask when carrying out an assessment of risk from a data breach
- Can individuals be identified? If so, how easily?
- Does the breach involve information relating to children or vulnerable people?
- Is / was the data easily accessible or would it require a degree of specialist knowledge to access it?
- What kind of risks does the type of data involved pose? Often a combination of data such as an email address and password will pose more risk.
- Even if the data appears to be fairly innocuous, could it be used maliciously to cause harm?
- Is some or all of the data already publicly accessible? Would people have wished details like their name and address to be kept private? (For example, the New Year Honours list breach, in which private home addresses were made public.)
- Are you aware that the data is in the hands of a person or organisation who could, or intends to, use it maliciously?
- Is a high volume of records affected, meaning a high number of people could be impacted?
- Does the breach reveal highly sensitive information (even for a low number of people) which could cause harm?
- What is the nature of your business and does this impact on the severity and likelihood of damage being caused?
This is by no means an exhaustive list of questions, and the importance of certain questions will vary depending on the nature of your business and the nature of the incident you are assessing.
It is good practice to use a risk matrix, with a scoring system of likelihood against severity, so you can evaluate the level of the risks identified. This also provides evidence of how you went about your assessment. You will be looking for risks which could adversely affect individuals, such as causing:
- Physical harm
- Financial loss
- Identity theft/fraud
- Psychological distress
- Humiliation or reputational damage
It is useful to reference the European level Guidelines on Notification of a Personal Data Breach. In particular, Section IV provides helpful pointers on how to assess ‘risk’ and ‘high risk’.
If your breach involves special category data or financial details of individuals, the risks may be more obvious and the decision whether or not to notify will be more clear-cut.
The key to any assessment is that it needs to be fluid, including regular ‘check-ins’ with colleagues as your understanding of the situation evolves and answers to your questions are provided.
This has to be done super fast. If you judge that it is a breach that is notifiable to the ICO – it is likely to represent a risk to individuals – you need to report it within 72 hours of becoming aware. And you need to consider whether the risk is serious enough for you to also tell the individuals affected.
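Putting the likelihood-against-severity risk matrix and the notification decisions above into code, as an added example that is not from the Data Protection Network: the answers to the assessment questions are captured as fields, scored 1 to 3 on each axis, and multiplied in a 3x3 matrix. The field names, the scoring rules and the thresholds (a score of 3 or more means a likely risk, so notify the ICO; 6 or more means high risk, so also tell the individuals) are assumptions for illustration, not regulatory definitions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BreachFacts:
    """Answers to the assessment questions above (constructed field names)."""
    identifiable: bool                   # can individuals be identified?
    children_or_vulnerable: bool         # data about children or vulnerable people?
    easily_accessible: bool              # readable without specialist knowledge?
    credential_combo: bool               # e.g. email address and password together
    special_category_or_financial: bool  # special category data or financial details
    malicious_holder: bool               # known to be held by someone likely to misuse it
    already_public_before: bool          # details were publicly accessible before the breach
    record_count: int                    # number of records affected

def score_likelihood(f: BreachFacts) -> int:
    """Likelihood of harm actually occurring: 1 (remote), 2 (possible), 3 (likely)."""
    if f.malicious_holder:
        return 3
    if f.easily_accessible and not f.already_public_before:
        return 2
    return 1

def score_severity(f: BreachFacts) -> int:
    """Severity of the potential impact on those affected: 1 (minimal) to 3 (severe)."""
    if not f.identifiable:
        return 1
    if f.special_category_or_financial or f.children_or_vulnerable:
        return 3
    if f.credential_combo or f.record_count >= 1000:
        return 2
    return 1

def assess(f: BreachFacts, aware_at_iso: str) -> dict:
    """Combine both scores in the matrix and derive the notification decisions.
    Thresholds (>= 3 risk, >= 6 high risk) are assumptions for this example."""
    likelihood, severity = score_likelihood(f), score_severity(f)
    score = likelihood * severity
    aware_at = datetime.fromisoformat(aware_at_iso)
    return {
        "likelihood": likelihood,
        "severity": severity,
        "score": score,
        "notify_ico": score >= 3,           # risk likely: report within 72 hours
        "notify_individuals": score >= 6,   # high risk: tell those affected too
        "ico_deadline": (aware_at + timedelta(hours=72)).isoformat(),
    }
```

The scores and thresholds should be tuned to your own business and recorded with the reasoning, since the record of the assessment is what evidences the decision later.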
Because you have to act so quickly, the benefit of having a robust plan and assessment process in place can’t be underestimated.
Your people can be your biggest asset or risk with data, so it also pays to make sure your staff understand the risks which can arise when handling data, the role they play in protecting data from a breach and what they must do if they suspect one may have occurred.
Philippa Donn, June 2020
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.