Every business has a legal responsibility to keep secure the data it holds about individuals, as well as a commercial imperative to keep confidential business information secure. Despite your best efforts, things can go wrong, so what should you do when there is a data breach?
Whether the data has been leaked as a result of a malicious attack or, more likely, an unintentional release of confidential information by one of your employees, you need a plan of action. Your business must have a response plan that lets you contain the incident, limit the damage, and follow a robust recovery plan.
The most common cause of data breaches is inside the business, and it is most likely to be a careless member of staff. Compromised passwords, whether merely weak or actively stolen, are the greatest single source of data breaches. The range of threats is huge: taking sensitive data out on USB sticks, phishing, disgruntled employees, viruses and malware, misconfigured servers, and the list is growing rapidly.
According to a study by Ponemon, the most likely threat to data security is not an outsider but an incompetent, negligent or malicious insider. The report breaks down the data involved in breaches as follows:
- 39% involved confidential business information
- 27% involved personal information about customers
- 14% involved intellectual property including software source code
- 10% involved personal information about employees
Data Breach Response Checklist
This checklist sets out some of the things your business needs to consider in the event of a data security breach. It is not intended as legal advice, nor is it a comprehensive guide to your information security. It is a quick executive guide to an appropriate course of action in the event of a breach.
- Assign one individual to take the lead on handling the breach. This will need to be escalated to board level, and the nominated individual will need the authority and resources to manage the situation.
- Keep records to document the breach. As an example, the Information Commissioner has created a spreadsheet to log personal data security breaches (XLS).
- Stop additional data loss where possible. Depending on the nature of the breach this may include changing passwords on cloud-based platforms and internal networks (and revoking active sessions, API keys and access tokens, since changing a password alone does not end a session that is already open), recovering a lost piece of equipment, or changing the keys to your office doors. Where a malicious attack is suspected, preserve logs and affected systems as evidence before wiping or rebuilding them.
- Assess the level of risk to the individuals involved. Some data security breaches may simply cause your business inconvenience, for example losing an encrypted laptop. Other losses could expose individuals to more serious risks such as identity theft or fraud. The real questions are how serious the risks to the individuals involved are, and how likely they are to materialise.
- Also assess the risk to your own business, for example a loss of confidence in your business or damage to your reputation, or the loss of intellectual property or commercially sensitive data.
- Determine who you need to notify of the breach, what you are going to communicate, and how you are going to communicate it. This will almost certainly include the appropriate regulatory body (including the Information Commissioner).
- The breach may be picked up by the press, or publicised on social media. Identify who will handle journalists, social channels, and your customers, and communicate the process to your staff.
- If you decide it is necessary to inform individuals of the breach, give them a description of the breach, when it happened, and the data involved. Explain what you have already done in response, give clear and specific advice on what they need to do to protect themselves, and say what you are willing to do to help. Include contact details so they can obtain further information or ask questions.
- You may also need to consider notifying third parties including the police, banks or credit card companies, professional bodies, or trade unions.
- Once you have determined the cause of the breach, put a prevention plan in place to ensure it does not happen again. This may include raising staff security awareness, ensuring proper data access controls are in place, and verifying that procedures such as data backups are followed and that the backups themselves are stored securely.
- Finally, evaluate how well you responded to the breach, and how well prepared you are to prevent further risks.