Data Breach! Are you ready should the worst happen?
We’ve all seen the headlines, data breaches are weekly if not daily news. Regulators across Europe are busy wading through the swathe of breach notifications they’ve received, under the GDPR regime, and are starting to take action.
Many organisations will have spent thousands on implementing measures to prevent a breach occurring in the first place, and many will have robust, tried and tested incident plans in place. But what if you don’t?
What is a personal data breach? A little reminder…
A personal data breach is about more than just losing personal data, it’s a breach of security leading to ‘the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. GDPR, Article 4.12
The reasons why personal data is breached vary widely but generally the causes fall into three categories:
- The actions of people inside the business
- The actions of people outside of the business
- Systems failure
Personal data breaches can be categorised under the following three information security principles:
- “Confidentiality breach” – where there is an unauthorised or accidental disclosure of, or access to, personal data
- “Availability breach” – where there is an accidental or unauthorised loss of access to, or destruction of, personal data
- “Integrity breach” – where there is an unauthorised or accidental alteration of personal data
A breach may involve one, a combination or all of the above.
Whether it’s caused by a cyber-attack, malicious insiders, software vulnerabilities, loss of an unencrypted device, data sent to the wrong recipient and so on, a personal data breach has the potential to seriously damage your customers’ trust and public perception.
Yes, the potential fines could be large, but the commercial impacts through loss of trust and customer share, could, and have, resulted in significant ongoing financial losses for organisations. More importantly, the long-term harm for individuals whose data has been breached could be significant.
Preventing a breach in the first place
So, what do organisations need to do to try to prevent a breach? One of the core data protection principles requires organisations to make sure they have in place appropriate technical and organisational measures (TOMs) to keep individuals’ personal data safe. These should be appropriate to the risk your processing represents.
Technical Measures
Ensuring devices, networks and servers are sufficiently protected is vital regardless of the size of your organisation. Firewalls, anti-virus applications and malware protection are all must haves.
Also crucial is having up to date software and operating systems, and installing updates and patches as quickly as possible – previous cases have shown these can be a vulnerability.
Of course, the difficult part here is that there’s a huge array of security measures and technical options in the market and the onus is on the organisation to chose what to invest in. Added to that, is the fact that the security environment is moving fast and there’s a need to adapt to ever evolving threats.
Where the ICO have investigated breaches, it has taken account of the measures the organisation has put in place and made a judgement on whether the organisation has done enough.
Following the cyber-attack experienced by TalkTalk back in 2015, the Information Commissioner, Elizabeth Denham commented;
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customers information. It did not and we have taken action”.
Organisational measures
Alongside technical measures, any Regulator will be looking to assess the equally important organisational measures put in place. These will depend on the size and complexity of your organisation. Such measures could include (but are not limited to);
- Information Security Policies
- Risk Assessment
- Data Protection Policies and Procedures
- Supplier Due Diligence
- Business Continuity Plan
- Management Information & Reporting
- Reviews & Audits
- Training & Awareness
The last point should not be overlooked. How and when employees were last trained may well be one of the first questions the ICO asks when starting an investigation. At the 2019 ICO Data Protection Practitioners Conference, the Regulator stressed,
“Staff training is absolutely key. We will nearly always ask about this and will expect to see evidence that it has been delivered to an appropriate standard.”
Armed with a good understanding of the risks, staff can also perform a critical role in identifying breaches quickly once they’ve occurred. Internal processes should also be in place to ensure staff know how and who to escalate a potential incident to (usually the DPO, or the individual or team carrying out that function).
One of the findings of the investigation into the Heathrow Airport data breach in October 2017, which was due to a lost memory stick, was inadequate training. The ICO found Heathrow Airport guilty of “failing to ensure that the personal data held on its network was properly secured” and for “failing to provide any, or any sufficient training in relation to data protection and information security.”
Do you have a plan?
A clear and comprehensive Data Incident Plan is invaluable, and Regulators would expect to see evidence of one.
Any plan should cover which key members of staff will be in the incident team and should consider engagement with key stakeholders – both internal and external. In brief, your incident plan should cover the following core points;
- Discovery
- Rectification
- Analysis & Risk Assessment
- Evaluation
- Decision
- Response
- Recording
Furthermore, developing in advance a customer-focused communication strategy, will save valuable time in the event that you decide your breach reaches the threshold for customers to be notified.
The ICO’s Guidance on Data Breaches provides a helpful checklist for preparing and responding to a breach.
To notify or not to notify, that is the question…
Whether to report a personal data breach to the ICO is a subjective judgement, there isn’t a black and white rule. What makes this particularly challenging is the time constraints, as notification needs to be within 72 hours of becoming aware of a breach which you have assessed as likely to represent a risk to individuals.
It may also be necessary to notify any individuals affected, ‘without undue delay’ if the breach is considered likely to result in a high risk of adversely affecting their rights and freedoms.
To help make the judgement, the organisation needs to consider the likelihood and severity of the risk that the breach has created to the rights and freedoms of individuals (these could be customers, employees, patients, students etc).
If it’s likely there’s a risk, the organisation must notify the ICO. If it’s unlikely to have caused a risk, then it doesn’t need to be reported. It’s essential the incident is fully documented whether it is notified to the ICO or not – as the decision could be challenged later and you will need to be able to justify it.
Your risk assessment needs to consider the potential negative consequences for individuals. Recital 85 of GDPR states:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
There is no one size fits all answer to the risk assessment question. Each breach will need to be considered on a case by case basis, taking into account all the relevant factors. Consequences of a data breach can include emotional distress and/or physical and material damage.
Some may only cause inconvenience for the data subject, others could have a significant detrimental effect on the individual(s) whose personal data has been compromised. You should ensure you have appropriate methodology in place for evaluating the risk.
It’s also worth becoming familiar with the ICO’s data breach notification form – you could run tests on how you would complete this in different scenarios.
Debbie McElhill, September 2019
Our experience team can develop or review your incident procedures, run simulations and provide rapid support in the event of a suspected or actual personal data breach. Contact us
Related content:
EDPB Guidance on Personal Data Breach Notification
Personal Data Breaches – to notify or not to notify?
Webinar recording – Handling data incidents and breaches
Article – Are humans are biggest breach risk?
Checklist – 10 point checklist for data breach risk assessments
Article – Personal data breaches: to notify, or not to notify?
Copyright DPN
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.