How to Handle a Data Breach: 6 Steps to Take

Data breaches come with many consequences for your business, the most severe of which is loss of customer trust and damage to your reputation. Building your reputation takes years, but it can be destroyed in an instant by a data breach. However, there is a right way and a wrong way to handle a data breach…

With data protection heavily regulated, even more so since the GDPR came into force in May 2018, there’s greater pressure on your business to comply with the legislation and protect the personal information of customers. So, what should your business do in the event of a data breach?

Here are 6 steps you should take to handle a data breach the right way and recover:

#1 – Get confirmation of the breach

Before you push the panic button, get confirmation that a breach has actually occurred. It’s not uncommon for a hacker to send an anonymous email to an unsuspecting staff member claiming that your firewalls have been breached. This is often a ploy to trick companies into giving up data unwittingly.

Check with your in-house IT team or external service provider to determine if a breach has occurred. Diverting resources to deal with a non-existent breach can cause disruption to the day-to-day running of your business. It’s best to be sure so that you know what you are dealing with.

#2 – Contain the breach

If a genuine breach has occurred, contain it. Time is of the essence when trying to stop a breach, and how you contain it depends on the type of attack the business is facing, plus the systems affected. To stop a breach:

  • Isolate any system(s) you know the attacker has accessed, so the breach cannot spread across your entire network
  • Disable any compromised accounts
  • If a specific department in your business was targeted, take that department’s systems offline

Once the breach has been isolated and contained, you can take steps to eliminate the threat and prevent further damage. For example, depending on the type of attack your business has experienced, reformat affected systems and restore them from backup, or block the IP address from which the attack originated.

#3 – Check the damage

Once the threat has been extinguished, you will need to assess the damage done by the breach. Understanding how the attack happened enables you to put preventative measures in place to stop a repeat incident.

You will need to ensure that all affected systems are checked for malware, which can remain dormant and spark future attacks.

When assessing the damage, gather information on:

  • The type of attack
  • How the attack was carried out (e.g. through compromised user accounts)
  • The data that was targeted
  • Whether the data was encrypted, and whether it can be safely restored (i.e. check that a backup exists)

#4 – Inform people affected

Assessing the data breach will reveal who has been affected. This is where you have to take ownership of the breach. According to nCipher Security, a staggering 61% of businesses worldwide said they would cover up a data breach if it meant they avoided a fine.

This is not advised. You are likely to be found out and would face severe sanctions.

The repercussions are likely to be less severe if you make every effort to ensure that customers, stakeholders, the authorities and anyone else who needs to know are aware of the breach.

You are required to report a data breach to the Information Commissioner’s Office (ICO) within 72 hours of discovering it.

You can notify those affected by a breach by email, phone or any other method of communication you would normally use.

Reporting a data breach goes a long way toward maintaining your integrity and rebuilding your reputation long-term.

#5 – Conduct a security audit

Once the necessary initial actions have been taken, you should conduct a security audit to review your company’s current security measures and how they can be improved to prevent future breaches.

In fact, security audits should be a regular part of your operations. They will help you find gaps in your security and improve your infrastructure. You should have a strategy in place to check network and server systems, IP address blocks, open ports, reverse DNS (rDNS) records and security certificates to ensure that your business is protected against malicious attacks.

#6 – Improve preventative measures

A regular, thorough security audit will expose flaws in your systems, which will help you improve preventative measures to stop attacks. Data breaches are a regular threat to your business and it’s likely that you will be targeted more than once if an attacker is successful the first time round.

It’s important that you’re ready. Having a strategy is the first step towards your recovery.

Create a data breach response plan

Prevention is better than cure, and creating a response plan is the final piece of the jigsaw in effectively handling a data breach. Having a company-wide strategy ensures that your staff can better identify the signs of a data breach and raise the alarm quickly.

Most companies don’t become aware of a breach until it’s too late. Having a data breach response plan in place can help you minimise the damage done, reduce fines, decrease the negative press and enable your business to recover more quickly.

Protecting your reputation

How you respond to a data breach has a huge bearing on your company’s ability to recover. Customers, stakeholders and more share their sensitive information with you, with an expectation that you have the proper security measures in place.

A PwC study carried out in 2017 revealed that 92% of customers expect companies to be proactive about data protection. As your reputation is most likely your best asset, you must be prepared to handle data breach incidents in the right way.

For help with preventing data breaches and complying with GDPR rules, get in touch with DPA/OK today.

Data Breaches

If you process employee, customer or indeed anyone’s personal data, then you must take steps (known as organisational and technical measures) to keep it safe, i.e. confidential, free from loss or damage, and available for use when needed.

However, despite your efforts, there may well come a time when you suffer a personal data breach. It’s important to recognise when a breach has occurred and to know what to do.

GDPR defines a breach as “a breach of [your] security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Some examples are:

  • Sending an email containing someone’s personal information to the wrong person.
  • Leaving someone’s personal information on a photocopier where other people can see it.
  • Leaving a voicemail containing personal information about someone with the wrong person.
  • Losing an unencrypted computer.
  • Losing access to personal data following a ransomware attack.
  • A file of papers going up in flames or being destroyed by flood.
  • Selling on a computer without properly erasing the personal data on the hard drive.
  • Hackers gaining access to the HR part of your computer network.

All breaches should be documented, but not all need reporting to the Information Commissioner’s Office (‘ICO’) or to the individual whose data it is. You need to look at the level of risk of harm to the individual as a result of the breach in security. If you do need to report it, do so without delay and no later than 72 hours from discovery of the breach.

If you fail to report to the ICO, or to notify the individual, when you ought to, then you can be fined by the ICO.

Even if you do report, you may get fined, although it is more likely that you will be told to improve your security practices and how. If you keep having breaches, the ICO may decide to pay you a visit to conduct a security audit.
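The register-and-notify logic described in step #4 above and in the paragraphs just before this one can be written down as a small breach register. The Python below is an added example, not DPA/OK’s code: every breach is recorded, the ICO clock runs 72 hours from discovery, the ICO is told whenever the breach carries a risk to individuals, and the individuals themselves are told when that risk is high. The three-step risk scale, the 1,000-record threshold, the list of special categories and the sample breaches are all constructed assumptions for illustration.

```python
"""Breach register and notification-deadline helper.

Added example, not DPA/OK's code. It applies the rules the articles
describe: every breach is documented; the ICO is told without delay and
no later than 72 hours from discovery where the breach is likely to pose
a risk to individuals; and affected individuals are told where that risk
is high. The three-step risk scale, its thresholds and the sample
breaches are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ICO_DEADLINE = timedelta(hours=72)

# Assumed set of special-category / criminal-offence data types
# (mirrors the examples given in the DPO article on this site).
SPECIAL_CATEGORY = {
    "health", "race", "ethnicity", "political_opinion",
    "sexual_orientation", "criminal_offence",
}
# Assumed record count above which ordinary personal data is treated as high risk.
LARGE_SCALE_RECORDS = 1000


@dataclass
class BreachRecord:
    description: str
    discovered_at: datetime      # timezone-aware; the 72-hour clock starts here
    data_categories: List[str]   # e.g. ["name", "email"] or ["name", "health"]
    records_affected: int
    encrypted: bool              # data was encrypted and the key was not exposed
    actions: List[str] = field(default_factory=list)  # containment steps taken


def assess_risk(breach: BreachRecord) -> str:
    """Return 'none', 'risk' or 'high' on the constructed scale."""
    if breach.encrypted:
        # Unintelligible to whoever holds it, so unlikely to result in a risk.
        return "none"
    if SPECIAL_CATEGORY & set(breach.data_categories):
        return "high"
    if breach.records_affected >= LARGE_SCALE_RECORDS:
        return "high"
    return "risk"


def notification_plan(breach: BreachRecord, now: Optional[datetime] = None) -> Dict:
    """Decide who must be told about one breach, and by when."""
    now = now or datetime.now(timezone.utc)
    risk = assess_risk(breach)
    deadline = breach.discovered_at + ICO_DEADLINE
    notify_ico = risk != "none"
    return {
        "risk": risk,
        "document_internally": True,   # every breach goes in the register
        "notify_ico": notify_ico,
        "ico_deadline": deadline,
        "hours_remaining": round((deadline - now).total_seconds() / 3600, 1),
        "overdue": notify_ico and now > deadline,
        "notify_individuals": risk == "high",
    }


def reportable(breaches: List[BreachRecord], now: datetime) -> List[str]:
    """Descriptions of the breaches that must be reported to the ICO."""
    return [b.description for b in breaches if notification_plan(b, now)["notify_ico"]]


# Constructed sample register, mirroring the breach examples in the article.
DISCOVERED = datetime(2021, 1, 20, 9, 0, tzinfo=timezone.utc)
SAMPLE_BREACHES = [
    BreachRecord("Email with a customer's name and address sent to the wrong person",
                 DISCOVERED, ["name", "address"], 1, encrypted=False),
    BreachRecord("Unencrypted laptop holding HR sickness records lost",
                 DISCOVERED, ["name", "health"], 120, encrypted=False,
                 actions=["remote wipe requested", "staff notified"]),
    BreachRecord("Encrypted laptop lost; key not exposed",
                 DISCOVERED, ["name", "email"], 5000, encrypted=True),
]


def triage(now: datetime) -> List[Dict]:
    """Notification plan for every sample breach as of `now`."""
    return [dict(description=b.description, **notification_plan(b, now))
            for b in SAMPLE_BREACHES]


if __name__ == "__main__":
    # Two days after discovery: 24 hours left on the ICO clock.
    for plan in triage(DISCOVERED + timedelta(hours=48)):
        print(plan)
```

The encrypted-laptop entry is the point worth noticing: it still goes into the register (`document_internally` is always true) even though nobody needs to be notified, which is exactly the distinction the article draws between documenting and reporting.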

Breaches and ICO audits are a pain (although with audits some good can come of them).

If you need help to avoid a breach or you have had one contact me.

David Campbell

www.dpa-ok.co.uk

20 January 2021

Do I need a Data Protection Officer?

Data protection within a business is often seen as somebody’s secondary role, usually the HR department, and a role that hasn’t been taken seriously.

Indeed, historically, many companies have seen it more as a hindrance to a company’s day-to-day running, and compliance has often been lax.

However, it is a serious issue, and the GDPR coming into force brought this home to many, as suddenly there was real legal clout behind the regulations – and rightly so.

As more and more people’s data gets harvested and stored by companies small and large, it becomes ever more critical that it’s handled securely and sensitively.

Spreadsheets, files and documents are easily shared within an office and indeed the rest of the company, but does anyone know exactly what’s in that data and who has access?

The ability to store vast amounts of information on extremely cheap devices such as USB memory sticks makes the problem even more significant. These devices are easily left lying around and can, therefore, be picked up and carried away.

I’m sure I’m not the only one to receive a report that an unencrypted USB containing personal information was put in a backpack which was then lost.

Data protection and the hype

Of course, a few high profile data leaks were plastered all over the news which brought the whole data protection situation into focus.

With people’s sensitive data being left on trains, or accessible via websites for all to see, people suddenly started to notice. The downside to this was that everyone had an opinion on what was and was not personal data, and what companies should be doing about it.

Companies of all sizes were being told they needed to register with the Information Commissioner’s Office (ICO) and employ a Data Protection Officer or they could end up being fined – or worse.

However, the ICO has made it clear which companies need to go to the expense of a Data Protection Officer (or “DPO”), and luckily, many small businesses don’t need to employ one.

What companies need to employ a Data Protection Officer?

Now, even though the definitions seem pretty straightforward, they are, of course, open to interpretation and might need a bit of clarification.

First of all, then, let’s look at what the ICO says (also available on our DPO page):

The ICO states that you must appoint a DPO if:

  • you are a public authority, or,
  • your core activities consist of processing requiring regular and systematic monitoring [such as CCTV or profiling] of people on a large scale, or,
  • your core activities consist of processing on a large scale of special category data or criminal offence data.

Special category data is that about people’s race, ethnicity, political opinions, health, sexual orientation etc.

Criminal offence data is that about whether someone has committed a crime right through to the outcome of any prosecution.

The problem here is the language.

What does “large scale” mean?

The ICO doesn’t give any concrete detail on this (for good reason), so it’s up to the organisation to consider its use of data and whether it would consider it to be large scale.

When deciding if a DPO is needed the type of data, the amount of data being used and what is being done with it should be considered.

For example, if you have an eBay store selling second-hand goods, it’s likely the data you collect isn’t going to require you to appoint a DPO.

When someone buys from you, you’ll need their name, email and address. You certainly don’t need their gender, ethnicity or date of birth.

And when the transaction is complete, you send the invoice, and you’re done with them.

This sort of data can’t be classed as special category, and there’s probably not much of it, either.

However, an online store such as Amazon is a different matter.

Companies like this collect a lot of data and actively use it in their marketing. They use profiling software to analyse their customers’ behaviour – hence why you get an email out of the blue just as you realise you have nearly used up that face cream you bought from them.

This would satisfy the “profiling” aspect of the rules.

Types of data

Of course, data isn’t just digital bits and bytes.

As the regulations point out, CCTV data can also contain sensitive information, for obvious reasons.

And, of course, printed documentation is often ignored. If you have customer information, profiles on them and financial data printed out, this also needs to be controlled, and you’ll probably need a DPO.

Public Authority

We’ve left the easiest one till last, because you should know whether you’re a public authority or not! If you don’t know, the Data Protection Act will tell you.

However, if you carry out tasks in the public interest, and are paid by the taxpayer, you’re probably a public authority.

In Summary

  • If you’re a public authority, you need a DPO.
  • If you handle large amounts of special category or criminal offence data, then you may need one.
  • If you are involved in large scale monitoring of people, you may need one.
  • If you’re an online store merely fulfilling orders, you probably don’t need one.

If you’re at all in doubt about whether you should hire a DPO, you should, of course, seek advice, and you can contact us or call us on: 07397 943394.

Data Sharing and the ICO Code of Practice

Whenever an organisation (this could be a business, charity, school etc.) shares personal data externally, it is deemed to be ‘processing’ it. This means (let’s stick to ordinary personal data for the purpose of this blog) that there has to be a legal ground to do so.

How do we do that?

There are 6 ways that personal data (information that relates to an identified or identifiable living individual) can be potentially processed.

They are:

  • The individual has given their consent. The UK GDPR has a particular definition of what constitutes consent: it has to be freely given, a take-it-or-leave-it choice. A typical example might be marketing. Someone knows what they will be sent by an organisation and they tick a box to say they agree.
  • Sharing is necessary for the performance of a contract to which the individual is party, or in order to take steps at their request prior to entering into a contract. Think of buying something online. The retailer may pass your name and address on to a delivery company so that the goods can be transported to you.
  • Sharing is a legal requirement, such as the duty of organisations working in the regulated sector to make ‘Suspicious [money laundering or terrorist financing] Activity Reports’.
  • There is a need to share to protect an individual’s vital interests, or those of another. This covers life and death situations. Think of someone who says they are going to jump from a bridge. A concerned organisation may pass on that information to the Police.
  • Sharing is necessary as part of a public task or as part of an organisation’s official authority. Many public sector organisations routinely share information, for instance under the National Fraud Initiative.
  • Sharing is necessary to meet the legitimate interests of an organisation or of a third party. An example would be where the Police, engaged in a criminal investigation, contact an organisation to ask for information about an individual who has relevance to the inquiry. This ground requires the sharing party to consider the impact on the privacy of the individual if the information were to be shared. Documenting this exercise by completing a Legitimate Interests Assessment form is good practice.

Organisations that process personal data should, by now, have a Record of Processing Activities which sets out what personal data they share, whose it is, who they share it with, and what the legal basis (or bases) for doing so is. This is what the UK GDPR refers to as ‘accountability’.

Is that all there is to it?

As well as having a legal ground to share information, an organisation should do so fairly and transparently. An individual shouldn’t be surprised that their information has been shared with a third party (although there are circumstances when personal data can be shared without the knowledge of the individual); indeed, any recipients of an individual’s personal data should be listed on the Privacy Notice given to the individual.

There are other principles that relate to the sharing (‘processing’) of personal data. The key ones are that you should only share the minimum amount of personal data needed to achieve the purpose of the sharing, and that what is shared is accurate and up to date. Also, the organisation sharing has to take appropriate measures to keep the personal data confidential when sharing it, and ensure it is not lost or damaged whilst doing so.

The Code

The Information Commissioner’s Office has recently (December 2020) issued a Code of Practice in relation to data sharing. That Office will look at what the code says when deciding whether the person sharing has complied with their obligations under the law. It focuses on Independent Controller (those who individually determine what is done with data and how it is processed) to Independent Controller sharing, and on Joint Controller (where two or more determine what is to be done and how) situations.

Some sharing is routine. In these situations, it is wise (and in Joint Controller situations a legal requirement) to have a Data Sharing Agreement. This is, as it sounds, an agreement setting out the purposes of the sharing and the respective obligations of the parties in respect of the personal data. It also sets out who will be responsible for dealing with any requests by individuals seeking to exercise their data protection rights, such as to access their data or to have it erased. The code provides more information as to what should be in a Data Sharing Agreement.

In one-off situations it is wise to document the process by requiring organisations who want the personal data to set out what they want and why they want it. The other party can then consider the request and, whatever the decision, record it and the reasoning behind it. This will be useful if the ICO ever investigates a complaint made by an individual about data sharing.

The ICO recommends that if you plan to share information you undertake a Data Protection Impact Assessment (‘DPIA’). This should be done before any final decision to share. The law sets out when one is legally required: when there is a high risk of harm to one or more individuals from the proposed processing (sharing).

The ICO recommends that a DPIA be carried out even if not legally required. A DPIA is a way of identifying what might go wrong, privacy-wise, when data is shared, the likelihood of it occurring, the harm that might result and, if it did, how severe it would be. Knowing the risks, the parties involved in the sharing can then work to put in measures to do away with the risk or to reduce it to an acceptable level.

The code provides a handy checklist to go through when considering sharing personal data.

Conclusion

Think carefully before you share personal data. Get it wrong and you could face an ICO investigation, claims by harmed individuals for compensation, and damage to your reputation.


The link between Information Security and Data Protection

As of 1 January this year, the UK law concerned with the security of personal data (and what happens when things go wrong) is contained within the UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018. The law is concerned with personal data: any information that relates to an identified or identifiable living individual.

If a Data Controller (someone who determines what is done with personal data and how it is dealt with) or Data Processor (someone who processes personal data on behalf of a Controller) fails to comply with the law (and there are lots of compliance obligations), then the Information Commissioner’s Office (‘ICO’) may take enforcement action against them. In the most serious cases this can result in a fine.

Affected individuals, known as ‘data subjects’, can also seek compensation for any harm that they suffer. There will also likely be reputational damage if a failure to comply with the law becomes public knowledge, as well as a loss of organisational time dealing with issues and putting matters right.

However, information is a wider term than mere personal data. It includes personal data but will also include things such as intellectual property, corporate financial information, business plans or research.

Information security seeks to ensure that all information that actually needs securing, whether in electronic or in hard copy form, is secured.

On the other hand, data protection is about how to handle personal data in accordance with the data protection laws, i.e. how to lawfully process personal data, how to secure valid consent, the data protection rights of individuals, the need for contracts, when to undertake a Data Protection Impact Assessment, how to transfer personal data overseas, etc.

The disciplines do overlap, as the UK GDPR places an obligation on a Data Controller (anyone who employs staff or has individuals as customers, as well as schools, membership organisations and so on) to process personal data in a manner that ensures appropriate security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. A Data Controller must protect it using appropriate technical or organisational measures.

The UK GDPR does not tell a Data Controller what technical (or organisational) measures are appropriate. This is because security is not a ‘one size fits all’ exercise. Every organisation that processes personal data is different, and it is for the organisation to assess risk and to decide what is appropriate.

What is appropriate requires an assessment of what types of personal data are processed by the organisation and their sensitivity and criticality to the organisation. Regard should be had to how the personal data is processed and what could ‘go wrong’. Any existing vulnerabilities and threats to the personal data should be identified, as well as the likelihood of any threat materialising and, if it did, the impact upon the individuals concerned. Cost of implementation also plays a part.

Weighing all of the above up, what is appropriate to protect the personal data (and to restore availability and access to it in the event of an incident) can then be determined.

For technical measures, a cyber security specialist can assist. Organisational measures include staff training and policies, procedures, and guidance as to what to do and what not to do.

A failure to have appropriate information security impacts upon data protection, as the law is concerned with the privacy of individuals. If there is unauthorised access to or disclosure of personal data, or it is lost or damaged in some way, then this impacts upon privacy and may cause harm to individuals.

The following specific UK GDPR obligations also have a bearing on information (personal data) security:

1) only collecting (and thus securing) the personal data that is needed, collecting the right data, ensuring it is not kept for longer than needed and, of course, maintaining Confidentiality, Integrity and Availability;

2) the need for Privacy by Design, i.e. considering security and how it ensures privacy at the design stage, before any processing gets underway;

3) the need to undertake Data Protection Impact Assessments in certain circumstances – these can be used to identify risks to personal data and appropriate control measures;

4) the need for documented agreements when two or more controllers work together, to focus the minds of the parties on their obligations and security;

5) the need to undertake security due diligence on data processors, the right to inspect them, and the need for contracts;

6) when things go wrong – assessing the risk of harm to individuals, potentially notifying the ICO, communicating with affected individuals and dealing with any investigation by the ICO.

Data Protection during Coronavirus

Some organisations may not know, or may be unclear about, how to deal with people’s personal data during the pandemic. This article aims to clarify matters.

What the law says

The first point to appreciate is that UK law only applies to personal data. That is any information that relates to (is ‘about’) an identified person, or a person who is identifiable. The law gives a long definition, but someone is identifiable if they can be identified directly or indirectly through an identifier such as, in particular, their name, an identification number (a National Insurance or NHS number, for example), data about where they are located (many of us have smartphones that track our whereabouts) or an online identifier such as an IP address.

The next point to appreciate is that the law applies to the ‘processing’ of personal data. Again, the law provides a long definition, but you are likely to be processing personal data if you collect it, consider it, alter it, store it, share it or erase/ destroy it.

The law places obligations on ‘Data Controllers’. These are individuals or organisations who decide what to do with the personal data they collect, come into possession of or generate, and how to process it. An organisation will be a Controller if it employs staff, as it will collect employee personal data for particular purposes and generate more of it during the employment relationship.

There is a higher-risk category of personal data that is relevant to Coronavirus: ‘data concerning health’. This is personal data related to the physical or mental health of a person, who could be the employee or a member of their family. It also includes the provision of health care services which reveals information about health status. Controllers need to take extra care of this kind of personal data (for instance the fact that someone has symptoms of the virus, has it, or is or has been receiving treatment).

When a Controller processes personal data they have to do so in accordance with six ‘principles’. The aim of these principles is to avoid harm to the person whose data is being processed. They are (simplified for the purposes of this article, with an explanation where necessary) that personal data shall be:

(a) processed lawfully, fairly and in a transparent manner.

This means that when you carry out any processing activity, such as collecting or sharing personal data, you must do so in accordance with the law, particularly the UK GDPR; in a way that the person might reasonably expect; and by being ‘up front’ about your use of the data. The law sets out the 6 ways that ‘ordinary’ personal data can be processed and the (additional) ways that special health data can be processed.

(b) collected for specified, explicit and legitimate purposes

This means being very clear with a person as to what you are doing with their data and using it in a proper manner.

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

This means collecting the right information, enough of it but no more than you need.

(d) accurate and, where necessary, kept up to date

This speaks for itself: data that is not accurate or is out of date has less value, or potentially none.

(e) kept for no longer than is necessary

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures

This requires a Controller to assess the likelihood of harm arising from what they are doing with the data, how severe that harm might be to the person whose data it is, and then to put in place measures to remove the risk or reduce it to an acceptable level.

Finally, Controllers are required to be able to prove that they are processing in line with the principles. This is what the law refers to as being ‘accountable’.

What to do

Employers who process employee personal data in connection with Coronavirus should:

  • Ensure that their employee privacy notice is clear as to the purposes for which the employer wishes to process the employee’s personal data. It should also set out such things (and more) as how they lawfully intend to process the data, who they might share information with and how long they intend to keep the data.
  • As a general rule, ensure that they only use the data for the purpose(s) they said they would use it for.
  • Ensure that they collect enough of the right information from employees, and no more than is needed to achieve the employer’s purpose(s).
  • Ensure that any data collected is accurate and up to date. Employers may need to ask employees to periodically check the information held about them.
  • Think about why they are collecting the employee’s information, and erase or destroy it when it is no longer needed.
  • Think about what could go wrong (that might result in harm to an employee) when they process personal data, the chances of that harm arising and how bad it might be. Then put in measures to do away with the harm or to reduce it to an acceptable level.


Accountability

One of the ways that an employer can prove that they process personal data in accordance with the principles is by:

  1. asking themselves if they actually need to process personal data and, if so, how much they need as a minimum in order to achieve their purpose(s);
  2. creating a ‘Record of [their] Processing Activities’. This is a legal requirement in many cases and is a document that sets out whose data is being processed, why, what types of data are being processed, who the data is to be shared with, how long it is to be kept for and how data is kept safe and secure. An employer can also record how they lawfully process the data;
  3. implementing policies and procedures governing how personal data is to be handled and protected;
  4. drafting fit-for-purpose privacy notices;
  5. conducting a Data Protection Impact Assessment if there is a high risk of harm to employees from the processing to be undertaken. Such assessments should be carried out before any processing occurs and can assist with the identification of measures (like a health and safety risk assessment) to do away with or reduce risk;
  6. knowing how to respond should an employee seek to exercise one of their data protection rights, such as the right of access. Generally, an employer only has a month to deal with the request and cannot levy a charge.