How to Handle a Data Breach: 6 Steps to Take


Data breaches come with many consequences for your business, the most severe of which is loss of customer trust and damage to your reputation. Building your reputation takes years, but it can be destroyed in an instant by a data breach. However, there is a right way and a wrong way to handle a data breach…

With data protection heavily regulated, even more so since the introduction of GDPR Laws in May 2018, there’s greater pressure on your business to comply with legislation and protect the personal information of customers. So, what should your business do in the event of a data breach?

Here are 6 steps you should take to handle a data breach the right way and recover:

#1 – Get confirmation of the breach

Before you push the panic button, get confirmation that a breach has occurred. It’s not uncommon for a hacker to send an anonymous email to an unsuspecting staff member claiming that your firewalls have been breached. This is often a ploy to trap companies into giving up data unwittingly.

Check with your in-house IT team or external service provider to determine if a breach has occurred. Diverting resources to deal with a non-existent breach can cause disruption to the day-to-day running of your business. It’s best to be sure so that you know what you are dealing with.

#2 – Contain the breach

If a genuine breach has occurred, contain it. Time is of the essence when trying to stop a breach, and how you contain it depends on the type of attack the business is facing, plus the systems affected. To stop a breach:

  • Isolate any system(s) you know the hacker has accessed to prevent the breach from compromising your entire network
  • Disconnect any breached accounts
  • If a specific department in your business was targeted, shut it down

Once the breach has been isolated and contained, you can then take steps to eliminate the threat and prevent further damage. For example, depending on the type of attack your business has experienced, reformat affected systems and restore them or blacklist the IP address from which the attack originated.

#3 – Check the damage

Once the threat has been extinguished, you will need to assess the damage done by the breach. Understanding how the attack happened enables you to put preventative measures in place to stop a repeat incident.

You will need to ensure that all affected systems are checked for malware, which can remain dormant and spark future attacks.

When assessing the damage, gather information on:

  • The type of attack
  • How the attack was carried out (e.g. through compromised user accounts)
  • The data that was targeted
  • Whether the data was encrypted and can be safely restored (e.g. check whether the data was backed up)

#4 – Inform people affected

Assessing the data breach will reveal who has been affected. This is where you have to take ownership of the breach. According to nCipher Security, a staggering 61% of businesses worldwide said they would cover up a data breach if it meant they avoided a fine.

This is not advised. You are likely to be found out and would face severe sanctions.

The repercussions are likely to be less severe if you make every effort to ensure any customers, stakeholders, the authorities and anyone else that needs to know, are aware of the breach.

You are required to report a data breach to the Information Commissioner’s Office (ICO) within 72 hours.

You can notify those affected by a breach by email, phone or any other method of communication you would normally use.

Reporting a data breach goes a long way toward maintaining your integrity and rebuilding your reputation long-term.

#5 – Conduct a security audit

Once the necessary initial actions have been taken, you should conduct a security audit to review your company’s current security measures and how they can be improved to prevent future breaches.

In fact, security audits should be a regular part of your operation. This will help you to find gaps in your security systems and improve system infrastructure. You should have a strategy in place to check network and server systems, IP blocks, open ports, rDNS networks and security certificates to ensure that your business is protected against malicious attacks.

#6 – Improve preventative measures

A regular, thorough security audit will expose flaws in your systems, which will help you improve preventative measures to stop attacks. Data breaches are a regular threat to your business and it’s likely that you will be targeted more than once if an attacker is successful the first time round.

It’s important that you’re ready. Having a strategy is the first step towards your recovery.

Create a data breach response plan

Prevention is better than cure, and creating a response plan is the final piece of the jigsaw in effectively handling a data breach. Having a company-wide strategy ensures that your staff can better identify the signs of a data breach and raise the alarm quickly.

Most companies don’t become aware of a breach until it’s too late. Having a data breach response plan in place can help you minimise the damage done, reduce fines, decrease the negative press and enable your business to recover more quickly.

Protecting your reputation

How you respond to a data breach has a huge bearing on your company’s ability to recover. Customers, stakeholders and more share their sensitive information with you, with an expectation that you have the proper security measures in place.

A PwC study carried out in 2017 revealed that 92% of customers expect companies to be proactive about data protection. As your reputation is most likely your best asset, you must be prepared to handle data breach incidents in the right way.

For help with preventing data breaches and complying with GDPR rules, get in touch with DPA/OK today.

Data Breaches


If you process employee, customer or indeed anyone’s personal data, then you must take steps (known as organisational and technical measures) to keep it safe, i.e. confidential, free from loss or damage, and available for use when needed.

However, despite your efforts, there may well come a time when you suffer a personal data breach. It’s important to recognise when a breach has occurred and what to do.

GDPR defines a breach as “a breach of [your] security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Some examples are:

  • Sending an email containing someone’s personal information to the wrong person.
  • Leaving someone’s personal information on a photocopier where other people can see it.
  • Leaving a voice mail containing personal information about someone with the wrong person.
  • Losing an unencrypted computer.
  • Losing access to personal data following a ransomware attack.
  • A file of papers going up in flames or being destroyed by flood.
  • Selling on a computer without properly erasing the personal data on the hard drive.
  • Hackers gaining access to the HR part of your computer network.

All breaches should be documented, but not all need reporting to the Information Commissioner’s Office (‘ICO’) or to the individual whose data it is. You need to look at the level of risk of harm to the individual as a result of the breach in security. If you do need to report, it must be without delay and no later than 72 hours from discovery of the breach.

If you fail to report, or to notify the individual, when you ought to, then you can be fined by the ICO.

Even if you report, you may get fined, although you are more likely to be told to improve your security practices and how. If you keep having breaches, the ICO may decide to pay you a visit to conduct a security audit.

Breaches and ICO audits are a pain (although with audits some good can come of them).

If you need help to avoid a breach or you have had one contact me.

David Campbell

www.dpa-ok.co.uk

20 January 2021

Do I need a Data Protection Officer?


Data protection within a business is often seen as somebody’s secondary role, usually the HR department, and a role that hasn’t been taken seriously.

Indeed, historically, many companies have seen it more as a hindrance to a company’s day-to-day running, and compliance has often been lax.

However, it’s a serious issue, and the bringing into law of GDPR brought this home to many as suddenly there was real legal clout behind the regulations – and rightly so.

As more and more people’s data gets harvested and stored by companies small and large, it becomes ever more critical that it’s handled securely and sensitively.

Spreadsheets, files and documents are easily shared within an office and indeed the rest of the company, but does anyone know exactly what’s in that data and who has access?

The ability to store vast amounts of information on extremely cheap devices such as USB memory sticks makes the problem even more significant. These devices are easily left lying around and can, therefore, be picked up and carried away.

I’m sure I’m not the only one to receive a report that an unencrypted USB containing personal information was put in a backpack which was then lost.

Data protection and the hype

Of course, a few high profile data leaks were plastered all over the news which brought the whole data protection situation into focus.

With people’s sensitive data being left on trains, or accessible via websites for all to see, people suddenly started to notice. The downside to this was that everyone had an opinion on what was and was not personal data, and what companies should be doing about it.

Companies of all sizes were being told they needed to register with the Information Commissioner’s Office (ICO) and employ a Data Protection Officer or they could end up being fined – or worse.

However, the ICO has made it clear which companies need to go to the expense of a Data Protection Officer (or “DPO”), and luckily, many small businesses don’t need to employ one.

What companies need to employ a Data Protection Officer?

Now, even though the definitions seem pretty straightforward, they are of course, open to interpretation and might need a bit of clarification.

First of all, then, let’s look at what the ICO says (also available on our DPO page):

The ICO states that you must appoint a DPO if:

  • you are a public authority, or,
  • your core activities consist of processing requiring regular and systematic monitoring [such as CCTV or profiling] of people on a large scale, or,
  • your core activities consist of processing on a large scale of special category data or criminal offence data.

Special category data is that about people’s race, ethnicity, political opinions, health, sexual orientation etc.

Criminal offence data is that about whether someone has committed a crime right through to the outcome of any prosecution.

The problem here is the language.

What does “large scale” mean?

The ICO doesn’t give any concrete detail on this (for good reason), so it’s up to the organisation to consider its use of data and whether it would consider it to be large scale.

When deciding if a DPO is needed the type of data, the amount of data being used and what is being done with it should be considered.

For example, if you have an eBay store selling second-hand goods, it’s likely the data you collect isn’t going to require you to appoint a DPO.

When someone buys from you, you’ll need their name, email and address. You certainly don’t need their gender, ethnicity or date of birth.

And when the transaction is complete, you send the invoice, and you’re done with them.

This sort of data can’t be classed as special category, and there’s probably not much of it, either.

However, an online store such as Amazon is a different matter.

Companies like this collect a lot of data and actively use it in their marketing. They use profiling software to analyse their customers’ behaviour, which is why you get emails out of the blue just as you realise you have nearly used up that face cream you bought from them.

This would satisfy the “profiling” aspect of the rules.

Types of data

Of course, data isn’t just digital bits and bytes.

As the regulations point out, CCTV data can also contain sensitive information, for obvious reasons.

And, of course, printed documentation is often ignored. If you have customer information, profiles on them and financial data printed out, this also needs to be controlled, and you’ll probably need a DPO.

Public Authority

We’ve left the easiest one till last because you should know whether you’re a public authority or not! If you don’t know, the Data Protection Act will tell you.

However, if you carry out tasks in the public interest, and are paid by the taxpayer, you’re probably a public authority.

In Summary

  • If you’re a public authority, you need a DPO.
  • If you handle large amounts of special category or criminal offence data, then you may need one.
  • If you are involved in large-scale monitoring of people, you may need one.
  • If you’re an online store merely fulfilling orders, you probably don’t need one.

If you’re at all in doubt about whether you should hire a DPO, you should, of course, seek advice, and you can contact us or call us on: 07397 943394.

Do I need a UK GDPR Representative?


When GDPR came into force in 2018, it caused a flurry of activity within companies all around the world, all trying to work out what they could and couldn’t do with data they’d been collecting for years.

It seemed it was website owners that were most concerned, and people have got used to having to click buttons to say that they’re happy for sites to collect their data.

However, for some companies, especially outside the EU, it’s all a bit too much for them to be bothered with and so if they detect a user from Europe, they’ll simply stop them viewing the site.

That’s OK if you’re a small news station in Texas, but what if you have to deal with people in Europe? And what if you deal with people in the UK and still want to after Brexit?

The world is flat

The Internet has succeeded in democratising information and making it available to absolutely anybody who has a connection. So if you own a website that offers goods or services to people, you might need to consider where those users come from.

Also, if you’re in the business of dealing with people in the EU or Britain, then you’re going to have to abide by the rules of GDPR.

According to the ICO – the body in charge of overseeing data protection and enforcing GDPR in the UK:

“The UK government intends that after the transition period ends, the UK version of the GDPR will say that a controller or processor located outside the UK – but which must still comply with the UK GDPR – must appoint a UK representative.”

For those readers not up to date with the political goings-on in the UK, the “transition period” is where the UK is not part of the European Union anymore, but still abides by its rules until such time as a deal is worked out. If ever a deal does get worked out.

When the UK does eventually leave, most of the laws will simply be transferred across to UK law anyway.

However, in essence, even though we’ll have the same basic rules as the EU, we’ll be a “third country”, and therefore it’s up to the EU to decide whether we have an “adequate level of data protection.”

The UK government is currently seeking an adequacy decision from the EU.

If it comes to fruition, then data will be allowed to pass freely between the EU and the UK.

So what happens next?

Whatever the EU decides with regard to the UK’s adequacy, if you’re a business that sells goods and services to people in the UK, or you monitor the behaviour of people in the UK, and you don’t have an office in the UK, you’ll need to appoint a representative.

This could be an individual or an agency working on your behalf, but you will need to give them written consent to work for you in matters relating to data protection.

Of course, if you’re dealing with people in the UK, you’ll likely be dealing with Europe, too, so it’s worth seeking out a representative that can help with both sides.

A good representative can smooth over the bumps

Given the new rules, Brexit and the general concern about people’s data and how it can be accessed, it might seem an impossible task to have to deal with the UK given the rules, but it need not be.

A good GDPR representative can make everything go smoothly, helping you to reach into markets that can boost your sales and profitability.

So, if you think you might want to offer your goods or services into the UK and want to do it easily, and with the minimum of fuss, contact us today.