What to do in the event of a data breach

We are increasingly reliant on our computers and IT systems to run organisations and enterprises, in fact it is hard to imagine how we might manage without them.  Along with the positive contribution that IT brings to the work we do it also brings a vulnerability. A loss of the system or the data it contains will bring a business operation to a standstill very quickly.

Given the importance of IT it is vital that when looking at potential threats and contingency planning the loss of the IT system or data it contains must be one of the risks considered and planned for.

The loss of IT could be a failure of the system or, increasingly likely today, a deliberate attack to disable the functionality of the system, capture confidential or sensitive information or demand money for the return of data through a ransomware attack. The loss of confidential data held by an organisation is a serious incident and must be reported to the Information Commissioner’s Office (ICO) within 24 hours of becoming aware of the essential facts of the breach.

According to the Information Commissioner’s Office a personal data breach is:

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.

One of the 5 key principles of incident response is meaningful and visible action however the challenge in responding to the loss of data is that the initial loss and the subsequent actions are all but invisible and this presents two major challenges.

Firstly, it is very tempting to keep the breach quiet and it is not mandatory to inform those affected immediately. Clearly something has gone wrong and it is tempting to think that the fewer people that know about it the better from a reputation management perspective. You might think that delaying any communication will buy you more time to deal with the breach and fix it, so people are told when a fix is in place and the problem has gone away.

I believe that thinking is misguided as engaging quickly with those affected is indicative of a transparent organisation and is the “right” thing to do. Several organisations have fallen foul of telling people after the event and that hasn’t gone down well.  Communication will be very important in effective response to the situation and whilst you may not wish to advertise the breach it will enter the public domain at some point and you will have to deal with that. Tell your bad news as soon as you can.

The second challenge is that given a lack of visibility of the incident it is hard to communicate the sense of urgency and the actions taking place in response. There will be much happening to deal with the situation, the trouble is that all of it is likely to be behind the scenes. There are no dramatic pictures of firefighters with data breaches! Nevertheless much will be going on and it is important those actions are relayed to stakeholders.

From a communication point of view what needs to be done?

Alongside telling the ICO, if the breach is likely to adversely affect the personal data or privacy of your subscribers or users, you need to notify them of the breach without unnecessary delay. The method of informing them will vary from organisation to organisation so it could be by postal letter or by email notification asking them to log onto a portal.  The information might also be posted onto a website which clearly puts it into the public domain.

The basic information you will need to provide includes:

 ·         A name and contact details, the author should be someone at the head of the organisation

•    The estimated date of the breach and a summary of the incident

•    The nature and content of the personal data that has been compromised or lost

•    The likely impact on the individual and what they can do to mitigate any possible     adverse impact

•    Any measures you have taken to address the breach – make real and bring to life the “invisible” actions being taken that the reader cannot see

A template should be created ahead of any incident so that should a breach occur it is a case of filling in the blanks rather than starting from scratch. Alongside the communication to those affected a reactive media statement should be prepared and a briefing for your own staff as to what is happening. Both of these communications should identify a planned and managed response, describe the range of actions being taken and very importantly that you are engaging with those affected and you understand the impact upon them.

In this way your communications link into operational response and meet the 5 key principles of effective crisis communication.  More information is available on the ICO website www.ico.org.uk