What to do in the event of a data breach
We are increasingly reliant on our computers and IT systems to run organisations and enterprises; in fact, it is hard to imagine how we might manage without them. Along with the positive contribution that IT brings to the work we do, it also brings a vulnerability: a loss of the system, or of the data it contains, will bring a business operation to a standstill very quickly.
Given the importance of IT, it is vital that, when looking at potential threats and contingency planning, the loss of the IT system or the data it contains is one of the risks considered and planned for.
The loss of IT could be a failure of the system or, increasingly likely today, a deliberate attack to disable the functionality of the system, capture confidential or sensitive information, or demand money for the return of data through a ransomware attack. The loss of confidential data held by an organisation is a serious incident and must be reported to the Information Commissioner’s Office (ICO) within 24 hours of becoming aware of the essential facts of the breach.
According to the Information Commissioner’s Office, a personal data breach is:

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.
One of the 5 key principles of incident response is meaningful and visible action; however, the difficulty in responding to the loss of data is that the initial loss and the subsequent actions are all but invisible, and this presents two major challenges.
Firstly, it is very tempting to keep the breach quiet, and it is not mandatory to inform those affected immediately. Clearly something has gone wrong, and it is tempting to think that the fewer people who know about it the better from a reputation management perspective. You might think that delaying any communication will buy you more time to deal with the breach and fix it, so that people are told only when a fix is in place and the problem has gone away.
I believe that thinking is misguided, as engaging quickly with those affected is indicative of a transparent organisation and is the “right” thing to do. Several organisations have fallen foul of telling people after the event, and that hasn’t gone down well. Communication will be very important in an effective response to the situation, and whilst you may not wish to advertise the breach, it will enter the public domain at some point and you will have to deal with that. Tell your bad news as soon as you can.
The second challenge is that, given the lack of visibility of the incident, it is hard to communicate the sense of urgency and the actions taking place in response. There will be much happening to deal with the situation; the trouble is that all of it is likely to be behind the scenes. There are no dramatic pictures of firefighters with data breaches! Nevertheless, much will be going on, and it is important that those actions are relayed to stakeholders.
From a communication point of view, what needs to be done?
Alongside telling the ICO, if the breach is likely to adversely affect the personal data or privacy of your subscribers or users, you need to notify them of the breach without unnecessary delay. The method of informing them will vary from organisation to organisation: it could be by postal letter, or by an email notification asking them to log onto a portal. The information might also be posted on a website, which clearly puts it into the public domain.
The basic information you will need to provide includes:

• A name and contact details; the author should be someone at the head of the organisation
• The estimated date of the breach and a summary of the incident
• The nature and content of the personal data that has been compromised or lost
• The likely impact on the individual and what they can do to mitigate any possible adverse impact
• Any measures you have taken to address the breach – make real and bring to life the “invisible” actions being taken that the reader cannot see
A template should be created ahead of any incident so that, should a breach occur, it is a case of filling in the blanks rather than starting from scratch. Alongside the communication to those affected, a reactive media statement should be prepared, together with a briefing for your own staff as to what is happening. Both of these communications should identify a planned and managed response, describe the range of actions being taken and, very importantly, show that you are engaging with those affected and that you understand the impact upon them.
In this way your communications link into the operational response and meet the 5 key principles of effective crisis communication. More information is available on the ICO website: www.ico.org.uk