Data Breach! Are you ready should the worst happen?
We’ve all seen the headlines, data breaches are weekly if not daily news. Regulators across Europe are busy wading through the swathe of breach notifications they’ve received, under the GDPR regime, and are starting to take action. Notably in the UK, this summer the Information Commissioner’s Office (ICO) issued a ‘Notice of Intention’ to fine both British Airways and Marriott – the amounts are eye-watering, but we’ll have to wait and see how these cases pan out.
Many organisations will have spent thousands on implementing measures to prevent a breach occurring in the first place, and many will have robust, tried and tested incident plans in place. But what if you don’t?
What is a personal data breach? A little reminder…
A personal data breach is about more than just losing personal data, it’s a breach of security leading to ‘the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. GDPR, Article 4.12
The reasons why personal data is breached vary widely but generally the causes fall into three categories:
- The actions of people inside the business
- The actions of people outside of the business
- Systems failure
Personal data breaches can be categorised under the following three information security principles:
- “Confidentiality breach” – where there is an unauthorised or accidental disclosure of, or access to, personal data
- “Availability breach” – where there is an accidental or unauthorised loss of access to, or destruction of, personal data
- “Integrity breach” – where there is an unauthorised or accidental alteration of personal data
A breach may involve one, a combination or all of the above.
Whether it’s caused by a cyber-attack, malicious insiders, software vulnerabilities, loss of an unencrypted device, data sent to the wrong recipient and so on, a personal data breach has the potential to seriously damage your customers’ trust and public perception. Yes, the potential fines could be large, but the commercial impacts through loss of trust and customer share, could, and have, resulted in significant ongoing financial losses for organisations. More importantly, the long-term harm for individuals whose data has been breached could be significant.
Preventing a breach in the first place
So, what do organisations need to do to try to prevent a breach? The sixth principle of GDPR relating to integrity and confidentiality (security), requires organisations to ensure they have in place appropriate technical and organisational measures (TOMs) to keep individuals’ personal data safe. These should be appropriate to the risk your processing represents.
Ensuring devices, networks and servers are sufficiently protected is vital regardless of the size of your organisation. Firewalls, anti-virus applications and malware protection are all must haves. Also crucial is having up to date software and operating systems, and installing updates and patches as quickly as possible – previous cases have shown these can be a vulnerability.
Of course, the difficult part here is that there’s a huge array of security measures and technical options in the market and the onus is on the organisation to chose what to invest in. Added to that, is the fact that the security environment is moving fast and there’s a need to adapt to ever evolving threats.
Where the ICO have investigated breaches, it has taken account of the measures the organisation has put in place and made a judgement on whether the organisation has done enough.
Following the cyber-attack experienced by TalkTalk back in 2015, The Information Commissioner, Elizabeth Denham said, “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customers information. It did not and we have taken action”.
Alongside technical measures, any Regulator will be looking to assess the equally important organisational measures put in place. These will depend on the size and complexity of your organisation. Such measures could include (but are not limited to);
- Information Security Policies
- Risk Assessment
- Data Protection Policies and Procedures
- Supplier Due Diligence
- Business Continuity Plan
- Management Information & Reporting
- Reviews & Audits
- Training & Awareness
The last point should not be overlooked. How and when employees were last trained may well be one of the first questions the ICO asks when starting an investigation. At the 2019 ICO Data Protection Practitioners Conference, the Regulator stressed, “Staff training is absolutely key. We will nearly always ask about this and will expect to see evidence that it has been delivered to an appropriate standard.”
Armed with a good understanding of the risks, staff can also perform a critical role in identifying breaches quickly once they’ve occurred. Internal processes should also be in place to ensure staff know how and who to escalate a potential incident to (usually the DPO, or the individual or team carrying out that function).
One of the findings of the investigation into the Heathrow Airport data breach in October 2017, which was due to a lost memory stick, was inadequate training. The ICO found Heathrow Airport guilty of “failing to ensure that the personal data held on its network was properly secured” and for “failing to provide any, or any sufficient training in relation to data protection and information security.”
Do you have a plan?
A clear and comprehensive Data Incident Plan is invaluable, and Regulators would expect to see evidence of one.
Any plan should cover which key members of staff will be in the incident team and should consider engagement with key stakeholders – both internal and external. In brief, your incident plan should cover the following core points;
- Analysis & Risk Assessment
Furthermore, developing in advance a customer-focused communication strategy, will save valuable time in the event that you decide your breach reaches the threshold for customers to be notified.
The ICO’s Guidance on Data Breaches provides a helpful checklist for preparing and responding to a breach.
To notify or not to notify, that is the question…
Whether to report a personal data breach to the ICO is a subjective judgement, there isn’t a black and white rule. What makes this particularly challenging is the time constraints, as notification needs to be within 72 hours of becoming aware of a breach which you have assessed as likely to represent a risk to individuals.
It may also be necessary to notify any individuals affected, ‘without undue delay’ if the breach is considered likely to result in a high risk of adversely affecting their rights and freedoms.
To help make the judgement, the organisation needs to consider the likelihood and severity of the risk that the breach has created to the rights and freedoms of individuals (these could be customers, employees, patients, students etc). If it’s likely there’s a risk, the organisation must notify the ICO. If it’s unlikely to have caused a risk, then it doesn’t need to be reported. It’s essential that the incident is fully documented whether it is notified to the ICO or not – as the decision could be challenged later and you will need to be able to justify it.
Your risk assessment needs to consider the potential negative consequences for individuals. Recital 85 of GDPR states:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
There is no one size fits all answer to the risk assessment question. Each breach will need to be considered on a case by case basis, taking into account all the relevant factors. Consequences of a data breach can include emotional distress and/or physical and material damage. Some may only cause inconvenience for the data subject, others could have a significant detrimental effect on the individual(s) whose personal data has been compromised. You should ensure you have appropriate methodology in place for evaluating the risk.
It’s also worth becoming familiar with the ICO’s data breach notification form – you could run tests on how you would complete this in different scenarios.
The DPN has published Personal Data Breaches – to notify or not to notify? Plus there’s detailed EU level Guidance on Personal Data Breach Notification
Notified data breaches since GDPR
In its report, “GDPR – one year on”, the ICO says it received notifications of 14,000 personal data breaches from 25 May 2018 to 1 May 2019. This is a significant increase on the 3,300 or so that were reported in the year from 1 April 2017.
Over 12,000 of those cases were closed during the year and only 17.5% required further action to be taken by the organisation. Less than 0.5% were the subject of an ICO imposed improvement plan or fine. Clearly the assessment of risk to the individuals’ rights and freedoms presents a judgement challenge for many organisations with the vast majority requiring no further action. This suggests some over reporting with organisations erring on the side of caution when assessing the risks.
Finally, a reflection from the past….
At our latest Data Briefing, Robert Bond, a partner at Bristows LLP cited the 1860s case of Rylands vs Fletcher. Rylands employed contractors to build a reservoir. The contractors discovered a series of old coal shafts and chose to continue work rather than properly blocking them. The result was Rylands’ reservoir burst and flooded a neighbouring mine, run by Fletcher. This lead to the development of the “Rule in Rylands v Fletcher” that a person who for their own purposes collects and keeps anything that may do mischief if it escapes, must keep it in at their peril, and if they do not do so is answerable for all the damage which is a natural consequence of its escape. More than 150 years later, perhaps it could be data that escapes and causes mischief?
Debbie McElhill, September 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.