Data Breach Reporting: Speedy 8-point checklist

What are the key questions the ICO will want answers to?

Data breaches can be a pain. They’ll usually arrive when you least expect them, and your organisation will want them dealt with pronto. With that in mind, preparation is everything: knowing in advance what questions need answering saves precious time while investigations take place, facts are gleaned and mitigating measures are considered. All as the clock continues to tick.

Remember – NOT ALL breaches need to be reported

As a quick recap, we aren’t obliged to report every breach. There’s a clear proportionality test around the potential impact of the breach on the individuals concerned. The ICO tells us:

“If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report.”

Our Data Breach Guide takes you through the key steps of establishing the facts and assessing whether a breach needs to be reported or not. You can download a copy here.

You’ve judged the breach reportable

Once you’ve assessed there’s likely to be a risk to affected individuals, you need to submit a report to the ICO. This must be done within 72 hours of becoming ‘aware’ of the breach. (You’re considered to be ‘aware’ at the point there’s a reasonable degree of certainty that a security incident has occurred which has led to personal data being compromised.) The clock runs from that moment, not from the end of your investigation; if a report goes in late, it must be accompanied by the reasons for the delay.

The ICO has a helpful online data breach reporting form, which many organisations choose to use. And remember, you don’t have to have all the facts to submit an initial report; you can provide updates. The online form gives options for this.

(Please note that reporting requirements are sector dependent: telecoms and internet service providers, and organisations in the health and communications sectors, have distinct reporting requirements and in some cases shorter deadlines.)

8-point checklist – the answers you’ll need

1. What went wrong? Can you describe what happened, how it happened and how it was discovered? When did it happen and when did you discover it?

2. What type of data is affected? Are basic identifiers, contact details, user passwords, bank account numbers, passport details or other personal data affected? Does the incident involve any special category data, such as health data, biometrics, political opinions or sexual orientation?

3. Who is affected? Whose data is it? Employees, students, subscribers, clients or patients?

4. What’s the volume? Do you have an exact figure, or an estimate, for how many records are involved and how many people could be affected?

5. What’s the risk? What damage or harm has already happened? What further impact is anticipated? Is there a ‘high’ risk to those affected? (If so, you’ll also need to notify the individuals concerned, without undue delay.)

6. What training have staff had? Can you confirm the staff member(s) involved in the breach have received data protection training in the past two years? What’s the nature and frequency of the training? (Be sure to also have a brief description of the training content to hand.)

7. What actions have you taken? What have you done to limit the impact? What’s been done to prevent a recurrence? When do you expect mitigating measures to be in place (if they aren’t already)? What further actions will you be taking?

8. Who else have you told? Have you told affected individuals, or are you planning to? Have you told any other organisations about the breach, such as the police, your insurer or the NCSC?

Crucial to easing the potential fallout of a breach is being ready for one. A pre-prepared and robust data breach plan or playbook will alleviate stress levels in the heat of the moment. It also shows that, as an organisation, you are on point with your response to a breach.

Privacy enhancing technologies and how they can help

Driving innovation without overlooking privacy controls

As new technologies and ‘big data’ solutions evolve and gain traction across the globe, organisations are increasingly gathering and using people’s data in more creative and innovative ways. We often hear how the volume of data generated in the past two years alone is greater than that gathered in all previous human history. Against this backdrop, there’s a growing need to make sure we protect the privacy of the individuals whose data we handle.

Organisations need to use appropriate and effective technical and organisational measures to protect people’s data. This is the essence of Data Protection by Design. We need to consider legal and ethical issues, as well as the reputational risk from a data breach.

Are some organisations becoming too risk-averse? We’ve seen it happen where an exciting new project with the potential to create huge benefits for customers (even society at large) is side-lined because the associated privacy risks are considered too significant. How do we strike the right balance?

Balancing innovation and privacy

Privacy enhancing technologies (PETs) are designed to minimise personal data use, maximise security and give individuals control over their data. Used well, PETs can reduce, and in some cases eliminate, specific privacy risks; they don’t remove the need for the rest of your security controls. The adoption of such technologies is often seen as a key component of successful data innovation, opening up new opportunities and benefits from personal data.

The term PETs covers a wide range of existing and emerging technologies. Generally speaking, these can be categorised as ‘soft’ and ‘hard’ privacy technologies. Here are some examples; the list is by no means exhaustive.

‘Soft’ privacy technologies

These are used by the organisation holding the data to keep it secure and keep control of how it is used, so they assume the organisation itself can be trusted. They may rely on data minimisation, anonymisation and/or pseudonymisation. Examples include:

Access controls – to restrict access to personal data to the people and systems that need it for a given purpose.

Encryption – both for data in transit and at rest. Bear in mind that encryption at rest protects against loss or theft of the storage medium; it does not protect data from an attacker who has compromised an account that is authorised to decrypt it.

Differential privacy – not a cryptographic algorithm but a mathematical definition of privacy for aggregate statistics. Mechanisms that satisfy it add carefully calibrated statistical ‘noise’ to query results (counts, averages, model parameters) so that patterns in the dataset remain visible while the presence or absence of any one individual makes no measurable difference to what is released. The trade-off between accuracy and privacy is set by a parameter, epsilon, and every released answer spends part of a finite ‘privacy budget’.

Other de-identification techniques – such as redaction, tokenisation and hashing. With hashing, remember that an unkeyed hash of a predictable value (an email address, a National Insurance number, a date of birth) can be reversed simply by hashing candidate values and comparing; for pseudonymisation use a keyed hash (an HMAC) with a secret key stored separately from the data. Zero-knowledge proofs (ZKP) are often listed alongside these: they let one party prove a statement about data (for example, that a user is over 18) without revealing the underlying data itself.

‘Hard’ privacy technologies

These give users control over their own privacy when using digital services and applications, without having to trust the service they are using. Examples include:

Virtual Private Networks (VPNs) – which encrypt the user’s traffic between their device and the VPN provider, hiding it from the local network and hiding the user’s IP address from the sites they visit. The VPN provider can still see that traffic, so the trust moves rather than disappears.

Onion routing – an internet-based technique where a message is wrapped in several layers of encryption and relayed through a chain of nodes, each of which can remove only its own layer, so no single relay knows both who sent the message and where it is going. Tor (‘The Onion Router’) is a free anonymity network based on onion routing; the Tor Browser is the browser most people use to reach it.

Selecting the right PETs for your organisation

The types of PETs your organisation uses will depend on the nature of your business, the sensitivity of the data you handle, the ways in which you use it, who you share it with, and so on. Particularly private or sensitive data will clearly need a greater level of protection. It’s all about recognising where the risks lie and taking a proportionate approach.

Sharing data via secure APIs

A very common way to automate safe data sharing is via secure Application Programming Interfaces (APIs). APIs are regularly used to share selected data between internal systems, as well as with third parties. Done properly, this is far more efficient and secure than sharing datasets by attaching spreadsheets to emails: each request is authenticated, the caller receives only the fields and records it is authorised to see, and every access is logged. The word ‘secure’ is doing a lot of work there, though. An API that returns a whole dataset to anyone who knows the URL is a spreadsheet attachment with better plumbing.

Where’s the ICO on PETs?

The ICO is currently preparing updated guidance on ‘Anonymisation, Pseudonymisation and Privacy Enhancing Technologies’, following a consultation which began in 2021. Alongside this, early this year the Regulator began consulting with health organisations to shape their thinking on PETs.

Healthcare sector data use

Data-driven technology and increased adoption of AI offer huge potential to improve service delivery in the public sector, not least in healthcare: from early diagnosis to infrastructure improvements and more personalised services. The use of data for public services has never been more vital.

Yet sharing more data also poses risks and challenges. Public trust in the way data is shared and used is vital and has to be earned. In an environment like this, the adoption of effective privacy enhancing solutions is key. For example, role-based access control, so that a user sees only the patient data their role (e.g. doctor, consultant) requires.

Stephen Almond, Director of Technology and Innovation at the ICO:

“Privacy-enhancing technologies (PETs) help organisations build trust and unlock the potential of data by putting data protection by design into practice.

“The healthcare sector handles highly sensitive data that could lead to life-changing, life-saving innovations. Yet organisations are not tapping into the benefits of PETs and we want to find out how to help them adopt these emerging technologies.”

To conclude…

Nobody wants to stifle innovation. We need to be able to balance great ideas and innovation with respect for people and their data. Privacy enhancing technologies can be a valuable part of your privacy and information security toolkit, giving you the confidence to develop new products and services, knowing you have tackled the privacy risks.
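To make the differential privacy entry in the ‘soft’ PETs list above concrete, here is a small worked example in Python. It is added for this article and is not code from the original page or from the ICO; the patient dataset is constructed, the epsilon values and the one-person-removed ‘neighbour’ dataset are chosen for illustration, and the Laplace mechanism and privacy budget shown are standard textbook techniques rather than anything specific to the ICO’s guidance.

```python
"""Differential privacy for a count query: the Laplace mechanism with a privacy budget.

Added example for this article; not code from the original page or from the ICO.
The dataset below is constructed for illustration and is not real data.
"""
import math
import random

# Constructed sample dataset: one record per patient, with a flag for a sensitive condition.
PATIENTS = [
    {"id": f"p{i:03d}", "has_condition": flag}
    for i, flag in enumerate(
        [True, False, True, True, False, False, True, False, True, False]
    )
]


def exact_count(records):
    """The non-private answer: how many records carry the sensitive flag."""
    return sum(1 for r in records if r["has_condition"])


def laplace_sample(scale, rng):
    """Draw from Laplace(0, scale) by inverting its CDF, so no numpy is needed."""
    u = rng.random() - 0.5            # uniform on [-0.5, 0.5)
    while u == -0.5:                  # avoid log(0) at the endpoint
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class PrivacyBudget:
    """Sequential composition: each released answer spends epsilon, and once the
    total is used up no more answers are released. Without this, a caller could
    repeat the same query and average the noise away."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    def spend(self, epsilon):
        if self.spent + epsilon > self.total + 1e-12:
            raise PermissionError("privacy budget exhausted")
        self.spent += epsilon


def dp_count(records, epsilon, budget, rng, sensitivity=1.0):
    """Laplace mechanism: true count plus Laplace(0, sensitivity / epsilon) noise.
    A count has sensitivity 1 because adding or removing one person changes it by
    at most 1; a smaller epsilon means more noise and stronger privacy."""
    budget.spend(epsilon)
    return exact_count(records) + laplace_sample(sensitivity / epsilon, rng)


def laplace_pdf(x, scale):
    return math.exp(-abs(x) / scale) / (2.0 * scale)


def privacy_loss(output, records_a, records_b, epsilon, sensitivity=1.0):
    """How much more likely `output` is under dataset A than under neighbour B
    (the same data with one person added or removed). Differential privacy
    guarantees this ratio never exceeds exp(epsilon), whatever the output."""
    scale = sensitivity / epsilon
    return laplace_pdf(output - exact_count(records_a), scale) / laplace_pdf(
        output - exact_count(records_b), scale
    )


def demo(seed=7, epsilon_per_query=0.5, total_epsilon=1.0):
    """Release two noisy counts, check the privacy-loss bound on each, then show
    the third query being refused once the budget is spent."""
    rng = random.Random(seed)
    budget = PrivacyBudget(total_epsilon)
    neighbour = PATIENTS[1:]  # same data with one patient removed
    released = [dp_count(PATIENTS, epsilon_per_query, budget, rng) for _ in range(2)]
    worst_ratio = max(
        privacy_loss(r, PATIENTS, neighbour, epsilon_per_query) for r in released
    )
    try:
        dp_count(PATIENTS, epsilon_per_query, budget, rng)
        refused = False
    except PermissionError:
        refused = True
    return {
        "true_count": exact_count(PATIENTS),
        "released": released,
        "worst_privacy_loss": worst_ratio,
        "bound": math.exp(epsilon_per_query),
        "third_query_refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The privacy_loss check is the whole point: whatever number is released, it is at most exp(epsilon) times more likely to have come from the full dataset than from the dataset with one patient removed, so an observer learns very little about whether that patient is present. The budget object is the part teams most often forget. Without it, a user of the ‘anonymised’ statistics API can simply repeat the query and average the answers until the noise cancels and the exact count comes back.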

Ransomware attack leads to £98k ICO fine

Solicitors firm failed to implement ‘adequate technical and organisational measures’

Are you using Multi-Factor Authentication? Are patch updates installed promptly? Do you encrypt sensitive data?

Reports of cyber security incidents in the UK rose 20% in the last 6 months of 2021. These figures from the ICO, combined with the heightened threat in the current climate, provide a stark warning to be alert. The ICO says:

“The attacks are becoming increasingly damaging and this trend is likely to continue. Malicious and criminal actors are finding new ways to pressure organisations to pay.”

Against this backdrop the ICO has issued a fine to a solicitors’ firm following a ransomware attack in 2020. The organisation affected was Tuckers Solicitors LLP (“Tuckers”), described on its website as the UK’s leading criminal defence lawyers, specialising in criminal law, civil liberties and regulatory proceedings.

While each organisation will face varying risks, this case highlights some important points for us all. Here’s a summary of what happened, the key findings and the steps we can all take. For increasing numbers of organisations this case will unfortunately sound all too familiar.

What happened?

On 24 August 2020 Tuckers realised parts of its IT system had become unavailable. Shortly afterwards, IT discovered a ransomware note. Within 24 hours it was established that the incident was a personal data breach and it was reported to the ICO.

The attacker, once inside Tuckers’ network, installed various tools which allowed for the creation of a user account. This account was used to encrypt a significant volume of data on an archive server within the network. The attack led to the encryption of more than 900,000 files, of which over 24,000 related to ‘court bundles’. 60 of these bundles were exfiltrated by the attacker and released on the ‘dark web’. These compromised files included both personal data and special category data.

The attacker’s actions impacted the archive server and its backups. Processing on other services and systems was not affected. By 7 September 2020 Tuckers had updated the ICO to say the servers had been moved to a new environment and the business was operating as normal. The compromised data was effectively permanently lost; however, the material was still available in a management system unaffected by the attack. Tuckers notified all the parties identifiable within the 60 released court bundles, except seven for whom it did not have contact details.

Neither Tuckers nor its third-party investigators were able to determine conclusively how the attacker first gained access to the network. However, evidence was found of a known system vulnerability which could have been used either to access the network or to move further into Tuckers’ systems once inside.

What data was exfiltrated?

The data released on the ‘dark web’ included:

Basic identifiers
Health data
Economic and financial data
Criminal convictions
Data revealing racial or ethnic origin

This included medical files, witness statements and alleged crimes. It also related to ongoing criminal court and civil proceedings. Tuckers explained to the Regulator that, based on its understanding, the personal data breach had not had any impact on the conduct or outcome of the relevant proceedings. However, the highly sensitive nature of the data involved increased the risk and potential adverse impact on those affected.

Four key takeaways

The ICO makes it clear in its penalty notice that primary culpability for the incident rests with the attacker. But clear infringements by Tuckers were found. The Regulator says a lack of sufficient technical and organisational measures gave the attacker a weakness to exploit.

Takeaways from this case:

1) Multi-Factor Authentication (MFA)

Tuckers’ GDPR and Data Protection Policy required two-factor authentication where available. It was found that Multi-Factor Authentication (MFA) was not used for its ‘remote access solution’. The ICO says the use of MFA is a relatively low-cost preventative measure which Tuckers should have implemented. The Regulator concluded the lack of MFA created a substantial risk of personal data on Tuckers’ systems being exposed to consequences such as this attack.

Takeaway: If you don’t currently use MFA, now would be a good time to implement it, starting with remote access and administrative accounts, which are the accounts an attacker wants most.

2) Patch management

The case reveals a high-risk security patch was installed in June 2020, more than four months after its release. The ICO accepts the attacker could have exploited this vulnerability during the unpatched period. Considering the highly sensitive nature of the personal data Tuckers were handling, the Regulator concluded they should not have been doing so in an infrastructure containing known critical vulnerabilities. In other words, the patch should have been installed much sooner.

Takeaway: Make sure patches are installed promptly, prioritising those rated critical or high-risk, especially where the data is sensitive. Track the gap between a patch’s release and its installation; four months is a long time for an attacker to have a known route in.

3) Encryption

During the investigation Tuckers informed the ICO the firm had not used encryption to protect data on the affected archive server. While the Regulator accepts this may not have prevented the ransomware attack itself, it believes it would have mitigated some of the risks posed to the affected individuals, since exfiltrated files that are encrypted are of little use to whoever publishes them.

Takeaway: Free, open-source encryption solutions are available, and more sophisticated paid-for solutions exist for those handling more sensitive data. It’s also worth checking that archives are protected to the same standard as live systems; old data tends to drop off the radar.

4) Retention

The penalty notice reveals some ‘court bundles’ affected in the attack were being stored beyond the firm’s set 7-year retention period.

Takeaway: This again exposes a common issue for many organisations. Too often data is held longer than is necessary, which increases the scale and impact of a data breach: data you have already deleted cannot be stolen. Our comprehensive Data Retention Guidance is packed with useful tools, templates and advice on tackling how long you keep personal data for.

What else can organisations do?

Clearly, we can’t be complacent and shouldn’t cut corners. We need to take all appropriate steps to protect personal data and avoid common pitfalls. Here are some useful resources to help you:

Cyber Essentials – The penalty notice records that prior to the attack Tuckers was aware its security was not at the level of the NCSC’s Cyber Essentials. In October 2019 it was assessed against the Cyber Essentials criteria and failed to meet crucial aspects of its requirements. Cyber Essentials was launched in 2014 and is an information security assurance scheme operated by the National Cyber Security Centre. It helps to make sure you have the basic controls in place to protect networks and systems from threats. See: Cyber Essentials – gain peace of mind with your information security (National Cyber Security Centre).

ICO Ransomware guidance – The ICO has recently published guidance which covers security policies, access controls, vulnerability management, detection capabilities and much more.

DPN Data Breach Guide – Our practical guide covers how to be prepared, how to assess the risk and how to decide whether a breach should be reported or not.

You can read the full details of this case here: ICO Enforcement Action – Tuckers Solicitors LLP

Data Breach Guide

How to handle a data breach

Our practical, easy-to-read guide takes you through how to be prepared for a breach, and how to assess the risks should you suffer a personal data breach. This data breach guide covers:

Common causes of breaches
Data incident and breach planning
How to assess the risks
Breach reporting checklists
How technology can help