Every business has a legal responsibility to keep both the data it holds about individuals as well as confidential business information secure. But despite your best efforts, things can go wrong. So what should you do if you have a data breach?
Whether the data has been leaked a result of a malicious attack, or more likely an unintentional release of secure information by one of your employees, you need a plan of action. Your business must have a response plan to contain the situation and enforce damage limitation, as well as a robust recovery plan.
A recent study by Ponemon is the latest to find that the most likely threat to data security is not an outsider, but rather an incompetent, negligent or malicious member of staff. Password theft is the greatest source of such breaches. But the range of other threats is huge: taking sensitive data out on USB sticks, phishing, viruses and malware, incorrect server configurations, etc.
As far as the type of data compromised, the Ponemon report found that:
- 39% involved confidential business information
- 27% involved personal information about customers
- 14% involved intellectual property including software source code
- 10% involved personal information about employees
Data Breach Response Check list
This checklist highlights some of the things to consider in the event of a data security breach. It is not intended as legal advice, more of a quick executive guide on what to do in the event of an issue arising.
- Assign one individual to take the lead on handling the breach. This will need to be escalated to board level, and the nominated individual will need the authority and resources to manage the situation.
- Keep records to document the breach. As an example, the Information Commissioner has created a spreadsheet to log personal data security breaches (XLS).
- Stop additional data loss where possible. Depending on the nature of the breach, this may include changing passwords on cloud-based computing platforms and internal networks, finding a lost piece of equipment, or changing the keys to your office doors.
- Assess the level of the risk to the individuals involved. Some data security breaches may simply be inconvenient, like losing a laptop. Other losses could lead to more serious risks like identity theft or fraud. The real question is, how serious are the risks to the individuals involved, and how likely is any threat likely to be.
- Also assess the risk to your own business. For example, a loss of confidence in your business or your reputation, loss of intellectual property or commercially sensitive data.
- Determine who you need to notify of the breach. This will most certainly include the appropriate regulatory body (including the Information Commissioner.)
- The breach may be picked up by the press, or publicised on social media. Identify who will handle journalists, social channels, and your customers and communicate the process to your staff.
- If you decide it is necessary to inform individuals of the breach, give them a description of the breach, when it happened and the data involved. Provide details of how you have responded. Provide clear and specific advice on what they need to do to protect themselves, as well as what you are willing to do to help. Include information on where you can be contacted for further information or to answer questions.
- You may also need to consider notifying third parties including the police, banks or credit card companies and professional bodies.
- Once you have determined the cause of the breach, put into place a prevention plan to ensure it doesn’t happen again. This may include raising staff security awareness, ensuring proper data access controls are in place, and verifying procedures like data backups are stored securely.
- Finally, evaluate how well you responded to the breach and how well prepared you are to prevent further risks.
Susan Hallam is the founder and CDEO of Nottingham-based digital marketing agency Hallam Internet. She has worked with some of the world’s leading brands, including Experian, Ford, and the Arts Council, as well as a broad spectrum of small to medium sized businesses. Susan has worked in the UK information industry since 1985 and is also a Freeman of the City of London and a trustee of Nottingham Castle.