Some of the most disastrous consequences of data breaches occur not from the incident itself but as a result of organisations’ inability to respond quickly and effectively.
You can’t assume that a data breach is a negligible risk that you’ll deal with if it ever happens. That’s because your chances of being breached are much higher than you might think. In fact, the insurance firm Hiscox found that 61% of organisations were compromised in the past 12 months.
But a data breach doesn’t necessarily spell disaster. If you follow our 5-step guide to breach response, you’ll mitigate the damage and ensure your reputation remains intact.
1. Identify the extent of the breach
The first thing you need to do is determine the scale of the breach. That means finding out the types of data involved (names, email addresses, financial records, etc.) and the number of records that have been compromised.
Depending on how the incident happened and how you became aware of it, this process can be relatively straightforward. For example, a third party might contact you to say that they’ve found a database of your customers’ information on the dark web. In that case, the dump itself tells you which fields and roughly how many records were exposed, although you still need to confirm that the data is genuinely yours and work out which system it came from.
Alternatively, you might find out that a crook has sent phishing emails to your staff. You should therefore ask your employees to let you know if they’ve fallen for this scam, and check your mail gateway and login logs as well, because staff who did fall for it may not have noticed. It will then be a case of determining what information the crook could reach with the credentials or foothold they obtained.
If you are having trouble determining either the types of data or the number of records involved, we recommend erring on the side of caution. It’s always better to issue an update saying ‘it’s not as bad as we thought’ than vice versa.
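As an added example (not part of the original article), the script below does the scoping described in step 1 for the common case where you hold a copy of the exposed data: it works out which categories of personal data an export contains and counts both rows and distinct data subjects, since duplicate rows are not extra victims. The sample CSV is constructed, the column-header hints and regular expressions are assumptions you would extend for your own schemas, and a Luhn check stops a stray 16-digit identifier from being reported as a payment card breach.

```python
"""Scope an exposed data set: which categories of personal data it holds,
how many rows there are and how many distinct individuals are affected."""
import csv
import io
import re
from collections import Counter

# Constructed sample of an exposed customer export. Every value is made up.
SAMPLE_DUMP = """customer_id,name,email,phone,card_number,notes
1001,Alice Example,alice@example.com,+44 7700 900123,4111111111111111,vip
1002,Bob Example,bob@example.org,,4111 1111 1111 1111,
1003,Carol Example,carol@example.net,+44 7700 900456,1234567812345678,legacy id
1001,Alice Example,alice@example.com,+44 7700 900123,,duplicate row
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[\d\s()-]{7,}$")
CARD_RE = re.compile(r"^\d{13,19}$")

# Columns whose header alone says what they hold (free text such as a name
# cannot be pattern-matched). Assumed list; extend it for your own schemas.
HEADER_HINTS = {"name": "name", "full_name": "name", "dob": "date_of_birth",
                "address": "postal_address"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long numeric ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(value):
    """Category of one cell, or None if it is empty or unrecognised."""
    v = (value or "").strip()
    if not v:
        return None
    if EMAIL_RE.match(v):
        return "email"
    compact = re.sub(r"[\s-]", "", v)       # card numbers are often space-separated
    if CARD_RE.match(compact):
        return "payment_card" if luhn_ok(compact) else "numeric_id"
    if PHONE_RE.match(v):
        return "phone"
    return None


def scope_dump(text: str, subject_key: str) -> dict:
    """Return row count, distinct data subjects and the categories found.

    A column takes the category of the majority of its non-empty cells,
    unless its header is already a known hint."""
    rows = list(csv.DictReader(io.StringIO(text)))
    column_map = {}
    for col in (rows[0].keys() if rows else []):
        hint = HEADER_HINTS.get(col.lower())
        if hint:
            column_map[col] = hint
            continue
        votes = Counter(classify(r.get(col)) for r in rows)
        votes.pop(None, None)
        if votes:
            column_map[col] = votes.most_common(1)[0][0]
    subjects = {r.get(subject_key) for r in rows} - {None, ""}
    return {
        "records": len(rows),
        "data_subjects": len(subjects),
        "categories": sorted(set(column_map.values())),
        "column_map": column_map,
    }


if __name__ == "__main__":
    result = scope_dump(SAMPLE_DUMP, "customer_id")
    print(f"{result['records']} rows, {result['data_subjects']} distinct data subjects")
    print("categories:", ", ".join(result["categories"]))
    for col, cat in result["column_map"].items():
        print(f"  {col}: {cat}")
```

On the sample, the four rows collapse to three individuals, and the card_number column is classed as payment card data even though one value fails the Luhn check. If you cannot trust the subject key, report the row count as the upper bound and revise it downwards later, which is the cautious direction described above.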
2. Immediate response
You must find out how your data was exposed and isolate the affected systems as soon as possible, while preserving the evidence you will need later: keep the relevant logs and, where practical, take a copy or image of affected systems before you rebuild or reset them. For example, if a malicious insider was leaking information, you should cut off their access to the organisation both physically and via your network, including any remote access, tokens or API keys they hold.
If an application vulnerability is being exploited, take the application offline or, if it is essential to operations, block the attack at the edge (a firewall or web application firewall rule) until the vulnerability has been patched.
The next step is to implement your business continuity plan. This ensures that your mission-critical functions continue to operate during the disruption.
3. Determine whether the breach needs to be reported
With the breach under control, you can take a moment to assess the damage and work out whether you need to notify your supervisory authority and affected individuals.
Breaches must be reported to your supervisory authority unless they are “unlikely to result in a risk to the rights and freedoms of natural persons” (Article 33 of the GDPR), and to the affected individuals themselves if they are likely to result in a “high risk” to those rights and freedoms (Article 34).
Risk here refers to the possibility of affected individuals suffering physical, material or non-material damage, such as discrimination, identity theft or fraud, financial loss or reputational damage; the more sensitive the data and the more people involved, the higher the risk.
It’s worth adding that the GDPR requires you to keep a record of all personal data breaches, including the facts, their effects and the remedial action taken, so you need to document your findings regardless of whether the incident needs to be reported.
4. Notify your supervisory authority
You must notify your supervisory authority of a reportable breach without undue delay and, where feasible, within 72 hours of becoming aware of it; if you miss that deadline, the notification must explain the reasons for the delay. You might not have completed the other items on your checklist by this time, but you must include as much information as you have, and the GDPR allows you to provide the rest in phases as your investigation progresses.
Much of the information you gathered in the first three steps goes into the report. The notification must contain:
- Situational analysis: Provide as much context as possible, including the initial damage (what happened), how it affected your organisation (what went wrong) and what caused it (how it happened).
- Assessment of affected data: Ascertain the categories of personal data and the number of records concerned.
- Description of the impact: Describe the consequences of the breach for affected parties. This will depend on the information that was compromised.
- Report on staff training and awareness: If the breach was a result of human error, did the employee(s) involved receive data protection training in the past two years? Provide details of your staff awareness training programme.
- Preventive measures and actions: What measures did you have in place before the breach to prevent incidents like this from occurring? What steps have you taken, or plan to take, to mitigate the damage?
- Oversight: Provide the contact details of your DPO (data protection officer) or the person responsible for data protection.
5. Notify affected individuals
This step only applies if you are required (or wish) to contact affected individuals.
At the very least, you are expected to issue a statement to everybody affected to let them know that a breach has occurred. However, you will be more likely to maintain, or even improve, your reputation by taking extra steps to help victims. In most cases, it’s beneficial to set up a web page and helpline that individuals can use to find out more and have their questions answered. You should have a plan for this already, and simply be finalising it or putting it into practice at this stage.
Discover how else you can secure your organisation
Those looking for a more in-depth understanding of what to do when a data breach occurs will benefit from our Cyber Incident Response Management Foundation Training Course.
You’ll receive expert advice on the steps you should take to manage and respond to a disruptive incident, whether it’s a data breach or cyber attack, and learn:
- The key definitions and legal requirements that underpin incident response;
- The structure, role and responsibilities of the incident response team;
- How to formulate and test an incident response plan and define the scope of a business impact analysis; and
- How to apply incident response techniques to common risk scenarios.
Register for this training course online and receive a free copy of Managing Information Security Breaches.