Security/Data breaches
In the case where the breach involves personal data, the relevant supervisory authority must be notified without undue delay (and, where feasible, within 72 hours of becoming aware of the breach) of any data breach that might cause public concern or where there is a risk of harm to a group of affected individuals.
The notification should include the following information, where available:
• Extent of the data breach
• Type and volume of personal data involved
• Cause or suspected cause of the breach
• Whether the breach has been rectified
• Measures and processes that the organisation had put in place at the time of the breach
• Information on whether affected individuals of the data breach were notified and if not, when the organisation intends to do so
Having a robust Policy and Plan should help manage personal data breaches effectively. A data breach generally refers to the unauthorised access to, modification, loss or transfer of information, which may include corporate and / or personal data.
All employees have an obligation to report actual or potential data protection compliance failures. On receipt of a report, the organisation will:
• Investigate the failure and take remedial steps if necessary
• Maintain a register of compliance failures
• Notify a Supervisory Authority of any compliance failures that are material either in their own right or as part of a pattern of failures
Have a plan and communicate how to respond to a Data Breach, e.g.:
1. Confirm the Breach
2. Contain the Breach
3. Assess Risks and Impact
4. Report the Incident
5. Evaluate the Response & Recovery to Prevent Future Breaches
1. Confirm the breach:
The Data Breach Team should act as soon as it is aware of a data breach. Where possible, it should first confirm that the data breach has occurred. It may make sense for the Data Breach Team to proceed to the 'Contain the Breach' step on the basis of an unconfirmed reported data breach, depending on the likelihood and severity of the risk.
2. Contain the breach:
The Data Breach Team should consider the following measures to Contain the Breach, where applicable:
• Disconnect the compromised system that led to the data breach from the network. Where criminal activity is suspected, isolate rather than power off, so that volatile evidence needed for investigation is preserved.
• Establish whether steps can be taken to recover lost data and limit any damage caused by the breach (e.g. remotely disabling / wiping a lost notebook containing personal data of individuals).
• Prevent further unauthorised access to the system (where applicable).
• Reset passwords if accounts and / or passwords have been compromised.
• Isolate the causes of the data breach in the system, and where applicable, change the access rights to the compromised system and remove external connections to the system.
3. Assess risks and impact:
Knowing the risks and impact of a data breach will help determine whether there could be serious consequences for affected individuals, as well as the steps necessary to notify the individuals affected.
Risk and Impact on Individuals:
• How many people were affected? Whose personal data has been breached?
• Does the personal data belong to employees, customers, or minors? Different people will face varying levels of risk as a result of a loss of personal data.
• What types of personal data were involved? This will help to ascertain if there is risk to reputation, identity theft, safety and/or financial loss of affected individuals.
• Were any additional measures in place to minimise the impact of a data breach? E.g. a lost device protected by a strong password and full-disk encryption could reduce the impact of a data breach.
Risk and Impact on Organisations:
• What caused the data breach? Determining how the breach occurred (through theft, accident, unauthorised access, etc.) will help identify immediate steps to take to contain the breach and restore public confidence in a product or service.
• Who might gain access to the compromised personal data? This helps determine how the compromised data could be used. In particular, affected individuals must be notified if personal data is acquired by an unauthorised person.
• When and how often did the breach occur? Examining this will help better understand the nature of the breach (e.g. malicious or accidental).
• Will compromised data affect transactions with any other third parties? Determining this will help identify if other organisations need to be notified.
4. Report the incident:
An organisation is legally required to notify affected individuals if their personal data has been breached and the breach is likely to result in a high risk to the individuals' rights and freedoms. Prompt notification allows individuals to take preventive measures to reduce the impact of the data breach.
Who to Notify:
• Notify individuals whose personal data has been compromised.
• Notify other third parties such as banks, credit card companies or the police, where relevant.
• The relevant authorities (e.g. police) should be notified if criminal activity is suspected and evidence for investigation should be preserved (e.g. hacking, theft or unauthorised system access by an employee.)
When to Notify:
• Notify affected individuals immediately if a data breach involves sensitive personal data. This allows them to take necessary actions early to avoid potential abuse of the compromised data.
• Update affected individuals once the data breach is resolved, so they know what was done and whether any further action is needed.
How to Notify:
• Use the most effective ways to reach out to affected individuals, taking into consideration the urgency of the situation and number of individuals affected (e.g. media releases, social media, mobile messaging, SMS, e-mails, telephone calls).
• Notifications should be simple to understand, specific, and provide clear instructions on what individuals can do to protect themselves.
What to Notify:
• How and when the data breach occurred, and the types of personal data involved in the data breach.
• What an organisation has done or will be doing in response to the risks brought about by the data breach.
• Specific facts on the data breach where applicable, and actions individuals can take to prevent that data from being misused or abused.
• Contact details and how affected individuals can reach the organisation for further information or assistance (e.g. helpline numbers, e-mail addresses or website).
5. Evaluate the response & recovery to prevent future breaches:
After steps have been taken to resolve the data breach, review the cause of the breach and evaluate whether existing protection and prevention measures and processes are sufficient to prevent similar breaches from occurring. Where applicable, put a stop to the practices that led to the data breach.
Operational and Policy Related Issues:
• Were audits regularly conducted on both physical and technology-related security measures?
• Are there processes that can be streamlined or introduced to limit the damage if future breaches happen or to prevent a relapse?
• Were there weaknesses in existing security measures such as the use of outdated software and protection measures, or weaknesses in the use of portable storage devices, networking, or connectivity to the Internet?
• Were the methods for accessing and transmitting personal data sufficiently secure, e.g. access limited to authorised employees only?
• Should support services from external parties be enhanced, such as vendors and partners, to better protect personal data?
• Were the responsibilities of vendors and partners clearly defined in relation to the handling of personal data?
• Is there a need to develop new data-breach scenarios for planning and testing the response plan?
Resource Related Issues:
• Were enough resources allocated to manage the data breach?
• Should external resources be engaged to better manage such incidents?
• Were key employees given sufficient resources to manage the incident?
Employee Related Issues:
• Were employees aware of security related issues?
• Was training provided on personal data protection matters and incident management skills?
• Were employees informed of the data breach and the learning points from the incident?
Management Related Issues:
• How was senior management involved in handling the data breach?
• Was there a clear line of responsibility and communication during the management of the data breach?
Compliance:
This policy is included within the Internal Audit Programme, and compliance checks will take place to review the effectiveness of its implementation.
Exceptions:
In the following exceptional cases compliance with some parts of the policy may be relaxed. The parts that may be relaxed will depend on the circumstances of the incident in question.
• If complying with the policy would lead to physical harm or injury to an employee
• If complying with the policy would cause significant damage to the company’s reputation or ability to operate
• If an emergency arises
In such cases, the employee concerned must take the following action:
• Ensure that a manager is aware of the situation and the action to be taken
• Ensure that the situation and the actions taken are recorded
• Ensure that the situation is reported to the Information Security Manager as soon as possible.
In addition, the Information Security Team maintains a list of known exceptions and non-conformities to the policy. This list contains:
• Known breaches that are in the process of being rectified
• Minor breaches that are not considered to be worth rectifying
• Any situations to which the policy is not considered applicable.
Non-compliance is defined as any one or more of the following:
• Any breach of policy statements or controls listed in the policy
• Unauthorised disclosure or viewing of confidential data or information
• Unauthorised changes to information, software or operating systems
• The use of hardware, software, communication networks and equipment, data or information for illicit purposes which may include violations of any law, regulation or reporting requirements of any law enforcement agency or government body
• The exposure to actual or potential monetary loss through any compromise of security
Good links for reference:
https://www.ncsc.gov.uk/guidance/10-steps-incident-management
Experian was hacked. The advice above is drawn from real-life experience; see https://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information
Background
Under the GDPR, the organisation (as data controller, in practice acting through the DPO) is legally obliged to notify its Supervisory Authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals.
Individuals must be notified if an adverse impact is determined. In addition, notify any affected clients without undue delay after becoming aware of a personal data breach. Notification to data subjects is not required if the breached data was properly anonymised, or if the data controller had applied measures such as encryption that render the data unintelligible to unauthorised persons (provided the decryption key was not also compromised), together with adequate technical and organisational protection of the personal data affected. The nominated individuals or team should immediately be alerted of any confirmed or suspected data breach.