There is a lot you need to do after you discover a data breach, so it’s a good idea to keep a checklist. This will help you keep track of your progress during a hectic few days and ensure that you’ve done everything necessary to comply with the EU GDPR (General Data Protection Regulation).
We recommend using a list such as this:
- Find out what types of data are affected
- Find out how many records are affected
- Work out how the breach happened. Who and/or what was responsible?
- Stop the breach from escalating
- Instigate your business continuity plan
- Determine whether your supervisory authority needs to be notified
- Determine whether affected individuals need to be notified
- Establish ways for affected individuals to contact you
- Contact your supervisory authority (if necessary)
- Contact affected individuals (if necessary)
For advice on how you can complete each task, take a look at the guide below. We’ve split the checklist into five categories to demonstrate how the steps work together.
Identify the extent of the breach
The first thing you need to do is determine the scale of the breach. That means finding out the types of data involved (names, email addresses, financial records, etc.) and the number of records that have been compromised.
Depending on how the incident happened and how you became aware of it, this process can be relatively straightforward. For example, a third party might contact you to say that they’ve found a database of your customers’ information on the dark web. In that case, you have all the information you need immediately.
Alternatively, you might find out that a crook has sent phishing emails to your staff. You should therefore ask your employees to let you know if they’ve fallen for this scam. It will then be a case of determining what information the crook had access to once they’d lured the employee.
If you are having trouble determining either the types of data or the number of records involved, we recommend erring on the side of caution. It’s always better to issue an update saying ‘it’s not as bad as we thought’ than vice versa.
You must find out how your data was exposed and isolate the areas affected as soon as possible. For example, if a malicious insider was leaking information, you should cut off their access to the organisation both physically and via your network. If an application vulnerability is being exploited, you should take the application offline.
The next step is to implement your business continuity plan. This ensures that your mission-critical functions continue to operate during the disruption.
Determine whether the breach needs to be reported
With the breach under control, you can take a moment to assess the damage and work out whether you need to notify your supervisory authority (which will be the case if the incident “pose[s] a risk to the rights and freedoms of natural living persons”) and affected individuals (if it poses a “high risk”).
Risk generally refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage or financial losses.
It’s worth adding that the GDPR mandates that you keep a record of all personal data breaches, so you need to make a note of your findings regardless of whether the incident needs to be reported.
Notify your supervisory authority
You must notify your supervisory authority of a data breach within 72 hours of becoming aware of it. You might not have completed the other items on your checklist by this time, but you are expected to document your response so far, so it’s important to have at least started them.
You will also need a lot of the information you’ve gathered to complete your report. The notification must contain:
- Situational analysis: Provide as much context as possible, including the initial damage (what happened), how it affected your organisation (what went wrong) and what caused it (how it happened).
- Assessment of affected data: Ascertain the categories of personal data and the number of records concerned.
- Description of the impact: Describe the consequences of the breach for affected parties. This will depend on the information that was compromised.
- Preventive measures and actions: What measures did you have in place before the breach to prevent incidents like this from occurring? What steps have you taken, or plan to take, to mitigate the damage?
- Oversight: Provide the contact details of your DPO (data protection officer) or the person responsible for data protection.
Notify affected individuals
This step only applies if you are required (or wish) to contact affected individuals.
At the very least, you are expected to issue a statement to everybody affected to let them know that a breach has occurred. However, you will be more likely to maintain, or even improve, your reputation by taking extra steps to help victims. In most cases, it’s beneficial to set up a web page and helpline that individuals can use to find out more and have their questions answered. You should have a plan for this already, and simply be finalising it or putting it into practice at this stage.
Some organisations also offer complimentary subscriptions to credit monitoring services. This seems like a nice gesture, but cyber security experts such as Brian Krebs believe that the services aren’t useful. You might therefore be better off using the money to improve your defence and response capabilities.
Are you ready for when disaster strikes?
You can find out how prepared you are for a data breach by taking our quiz. Once you’ve answered our questions, we’ll score you on your readiness for a data breach. We’ll also provide a detailed summary of your answers, and offer advice to help you raise your score and improve your defences.