No company, big or small, is immune to a data breach. It’s easy to think, as a smaller business, that a data breach will only happen to larger businesses. Yet studies show that in fact nearly 3 out of 4 data breaches were at companies with 100 or fewer employees.
That’s why it’s essential for organisations of any size to have a data breach response policy. A response policy should outline how your company will respond in the event of a data breach, and lay out an action plan that will be used to investigate potential breaches and to mitigate damage should a breach occur.
What is a data breach?
A data breach is an incident where personal data is accessed and/or stolen by an unauthorised individual. This could include such things as national insurance numbers, medical information, biometric records and, of course, bank account details.
A breach or a suspected breach of personal information must be investigated immediately. Since all personal information is of a highly confidential nature, only those who need to be informed of the data breach should be told about it.
There are many reasons you should put an action plan in place, including protecting your clients and your reputation, as well as legal reasons such as complying with the Data Protection Act.
The following four elements should be included in any breach management plan:
1. Containment and Recovery
If a breach were to occur, you will first need to:
- Establish procedures to isolate and contain the breach in order to limit the damage.
- Consider whether there is anything you can do to recover any of the breached data or equipment.
- Once basic information about the breach has been established, management should make a record of events and people involved.
- Any discoveries made over the course of the investigation should be noted, both to determine whether data has been stolen and so the organisation can learn from this breach.
2. Assessment of the Risks
Once a breach has been verified and contained, you should then perform a risk assessment and note:
- Sensitivity of the personal information lost (customer contact information alone may present a smaller threat than financial information).
- Amount of personal information lost and number of individuals affected.
- Likelihood that the personal information is usable or may cause harm.
- Likelihood that the personal information was intentionally targeted (this increases the chance of fraudulent use).
- Strength and effectiveness of the security technologies protecting the personal information (e.g. encrypted personal information on a stolen laptop, while technically stolen personal information, will be much more difficult for a criminal to access).
- Ability of your company to mitigate the risk of harm.
3. Notification of the Breach
If a breach occurs you have a responsibility to notify the relevant parties. These could include the Information Commissioner’s Office (ICO) or another regulatory body, depending on your industry.
Any information found in the initial risk assessment should be turned over to the appropriate legal professional in your company, who will review the situation to determine if, and to what extent, notification is required. Notification should ensure that the affected individuals receive actual notice of the incident, and it should be given in good time, but make sure the facts of the breach are well established before proceeding.
If you need to notify these individuals, you should:
- Only notify those who are legally required to be informed of the breach. Notifying a broad base when it is not required could raise unnecessary concern in those who have not been affected.
- Always mail a physical copy of the notification to the affected parties, no matter what other notification methods are used (e.g. phone or email).
- Establish a help line as a resource for those who have additional questions about how the breach will affect them.
4. Evaluation and Response
It is important to investigate both the causes of the breach and the effectiveness of your response to it. Identify and review your existing policies and procedures to see where improvements can be made to prevent future data breaches.
For more information on how to respond to a data breach, please visit the Information Commissioner’s Office at www.ico.gov.uk.
Insurance is Important
Chances are your company doesn’t have funds set aside to pay for data breach remediation. Fortunately, there are insurance options available to make recovery easier. Cyber liability insurance policies can cover the cost of notifying customers and replace income lost as a result of a data breach. In addition, policies can cover legal expenses a business may be required to pay as a result of the breach.
Source: Zywave – Cyber Risks and Liabilities: Understanding and responding to a data breach