The “do”s and “don’t”s of responding to a data breach

Imagine that you’ve experienced a data breach. Scary, right? Maybe some customer email addresses were revealed to the wrong people, a work device has been left on the train, or your organisation has faced a malicious data-poaching attack. Whatever has happened, it’s left you in a state of panic and you’re trying to figure out what to do.

Slow your roll, though, because while a data breach is certainly a pressing matter, your remedial steps need to be chosen very carefully.

We’ve previously covered a step-by-step guide to appropriately responding to a data breach, and published an article about some of the leading causes of data breaches (spoiler alert: human error plays a pretty huge role). However, as crucial as it is to know what to do, it’s almost equally important to be aware of what you shouldn’t do.

To help you better understand this, here are some of the “do”s and “don’t”s of handling a data breach.

DO report the data breach within 72 hours

Once you’ve been made aware of the breach, the clock starts ticking. Unless the data breach “is unlikely to result in a risk to the rights and freedoms of natural persons” (see Article 33 of the GDPR), the Information Commissioner’s Office (ICO) needs to know about it. Report it to them without undue delay, and no later than 72 hours after discovering the breach.

If you don’t yet have all the details, that’s fine! More information can always be given later. For now, the important thing is that the ICO is notified within those 72 hours, with all the details you have available to you. Time is of the essence.

DON’T be clumsy in your communication

When a data breach strikes that warrants communication of the event with the data subjects (see Article 34 of the GDPR), get ahead of it and let people know. It’s best to communicate about the incident sooner rather than later if you want the public to retain their trust in you. After all, it’s best that people hear it from you. Not much would sully trust in a company faster than finding out they’d experienced a data breach and kept it quiet.

However, this doesn’t mean you should rush into putting out a quick, messy statement just to get the message out there. Take a little time to determine the details of the event, who needs to know, and how much you need to say. Decide on a baseline statement for all staff to follow, otherwise inconsistent messaging could make your operations appear chaotic and out of control. It wouldn’t be ideal to have one staff member referring to “technical difficulties” while another is warning customers that there’s been a disaster. Be consistent, honest, and accurate. Above all, make sure the privacy of your customers and staff is your number one priority.

DO thoroughly investigate the data breach

It’s not enough to simply “clean up” the problem, dust off your hands, and say “crisis averted”. If you find a puddle in the middle of your floor, you don’t just mop it up and go about your day – you search for the leak in the ceiling and get it patched up so that you won’t come home tomorrow to more drenched hardwood.

So put on your Sherlock Holmes hat and root out the cause. How did this breach happen? Was it a weakness in security? An employee’s mistake? To prevent another incident from occurring in the future, you must track down what led to the breach. Only then, and once you’ve put mitigations in place to fix those weaknesses, can you sleep soundly knowing that another breach is unlikely any time soon.

DON’T forget to document everything

While you investigate the breach, you mustn’t neglect to keep a record of your findings. How much data was involved and what kind of data was it? Document it. How many people were affected? Document it. When did it happen? Don’t worry about that. Only joking, of course. Document it.

Interview anybody involved in the incident and document their responses. Take note of the systems that were affected, any individuals who were responsible for the breach, and what remedial action has been taken or proposed. Whether or not the breach needs to be reported to the ICO, you are still legally required to document the event in as much detail as possible. Gather the facts and get them on the page.

DO minimise the damage if possible

If any of the data is recoverable, then do whatever you can to recover it. For example, can personal information that was mistakenly sent to the wrong recipient be recalled? Has the data been misplaced, and could it be tracked down?

There are numerous factors that could impact how much information, if any, can be recovered. Is the data backed up, for instance? Is the loss permanent or just temporary? Do you have remote access? What was the root cause of the breach? By understanding as much about the incident as possible, you can take the steps to minimise the damage done and remediate the breach – whether this means further staff training or strengthened security measures.

DON’T jump into a rushed remedial plan

Speaking of remediation, one thing you won’t want to do is panic and make up a plan as you go. Ideally, your organisation will have a strong understanding of exactly what to do in this situation. If you are caught unprepared, it’s easy to fall into the trap of improvising a plan that isn’t very good. At the time, it may seem sensible to leap into action and start putting out fires, but believe it or not, scrambling around and making up a plan on the spot can hinder more than it helps.

For a high-risk or catastrophic breach, such as a ransomware attack, your organisation should have a business continuity plan in place that you can refer to. This will detail, step by step, the procedure for dealing with the situation, starting with rooting out the cause of the breach. However, in most cases, the breach won’t be quite that disastrous. For lower-level incidents, it’s enough to ensure your staff understand how to recognise and report a breach, with clearly defined responsibilities among the team, supported by a formalised policy.

DO notify the affected data subjects if necessary

If you’ve determined that the individuals whose data has been compromised will be negatively impacted by the breach, it’s your duty to let them know what’s happened. If it poses a high risk, you’re legally required to do this, unless any of the exceptions set out in Article 34 of the GDPR apply.

Provide suggestions for how they can protect themselves, advise them to be vigilant, and tell them what action they can take to minimise any damage. This might be something like forcing a password reset or keeping an eye out for suspicious emails. You’ll need to detail the events of the breach, the potential consequences, and measures taken to deal with it. Additionally, you need to provide them with a point of contact, such as a Data Protection Officer (DPO), where they can obtain more information.

DON’T think you have to take it on alone

One important thing to remember is that you don’t have to take on this breach by yourself. Identifying the root cause, minimising the damage, and implementing remedial actions can all be done faster with the help of expert guidance.

If you need external support, either during a data breach or to implement an effective and structured incident response plan, then get in touch with us. From full root cause analysis to ad hoc support with individual data breaches, DPAS will provide you with flexible support to ensure you are prepared to respond to any incident.

Data breaches can come out of nowhere and catch you off guard. So let us help you to be a little more prepared in case the unthinkable ever happens.
