This blog has been updated to reflect industry updates. Originally published 25 October 2018.
There is a lot you need to do after you discover a data breach, so it’s a good idea to keep a checklist. This will help you keep track of your progress during a hectic few days and ensure that you’ve done everything necessary to comply with the EU GDPR (General Data Protection Regulation).
We recommend using a list such as this:
Determine the scale of the breach
The first thing you need to do is determine the scale of the breach. That means finding out the types of data involved (names, email addresses, financial records, etc.) and the number of records that have been compromised.
Depending on how the incident happened and how you became aware of it, this process can be relatively straightforward. For example, a third party might contact you to say that they’ve found a database of your customers’ information on the dark web. In that case, you have all the information you need immediately.
Alternatively, you might find out that a crook has sent phishing emails to your staff. You should therefore ask your employees to let you know if they’ve fallen for this scam. It will then be a case of determining what information the crook had access to once they’d lured the employee.
If you are having trouble determining either the types of data or the number of records involved, we recommend erring on the side of caution. It’s always better to issue an update saying ‘it’s not as bad as we thought’ than vice versa.
Contain the breach
You must find out how your data was exposed and isolate the areas affected as soon as possible. For example, if a malicious insider was leaking information, you should cut off their access to the organisation both physically and via your network. If an application vulnerability is being exploited, you should take the application offline.
The next step is to implement your business continuity plan. This ensures that your mission-critical functions continue to operate during the disruption.
Determine whether the breach needs to be reported
With the breach under control, you can take a moment to assess the damage and work out whether you need to notify the ICO (Information Commissioner’s Office) and affected individuals. Breaches need to be reported to the ICO if they “pose a risk to the rights and freedoms of natural living persons” and to individuals if they pose a “high risk”.
Risk generally refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage or financial losses.
It’s worth adding that the GDPR mandates that you keep a record of all personal data breaches, so you need to make a note of your findings regardless of whether the incident needs to be reported.
Notify the ICO
You must notify the ICO of a data breach within 72 hours of becoming aware of it. You might not have completed the other items on your checklist by this time, but the ICO requests that you document your response so far, so it’s important to have at least started them.
You will also need a lot of the information you’ve gathered to complete your report. The notification must contain:
- Situational analysis: Provide as much context as possible, including the initial damage (what happened), how it affected your organisation (what went wrong) and what caused it (how it happened).
- Assessment of affected data: Ascertain the categories of personal data and the number of records concerned.
- Description of the impact: Describe the consequences of the breach for affected parties. This will depend on the information that was compromised.
- Report on staff training and awareness: If the breach was a result of human error, did the employee(s) involved receive data protection training in the past two years? Provide details of your staff awareness training programme.
- Preventive measures and actions: What measures did you have in place before the breach to prevent incidents like this from occurring? What steps have you taken, or plan to take, to mitigate the damage?
- Oversight: Provide the contact details of your DPO (data protection officer) or the person responsible for data protection.
Notify affected individuals
This step only applies if you are required (or wish) to contact affected individuals.
At the very least, you are expected to issue a statement to everybody affected to let them know that a breach has occurred. However, you will be more likely to maintain, or even improve, your reputation by taking extra steps to help victims. In most cases, it’s beneficial to set up a web page and helpline that individuals can use to find out more and have their questions answered. You should have a plan for this already, and simply be finalising it or putting it into practice at this stage.
Some organisations also offer complimentary subscriptions to credit monitoring services. This seems like a nice gesture (unless you use Equifax’s service), but cyber security experts such as Brian Krebs believe that the services aren’t useful. You might therefore be better off using the money to improve your defence and response capabilities.
Sound like too much?
Sign up to our data breach support service and we’ll help you deal with the breach compliantly by determining what happened, reporting to the ICO where needed and reporting to data subjects if needed.