Personal data breaches (also referenced as “security incidents” or “security breaches”) can come in many different shapes and forms. However, if uncontained and unmitigated, they could all potentially wreak havoc.
The UK General Data Protection Regulation (“UK GDPR”) has introduced significant consequences for failing to comply with the Regulation, including failing to address security incidents adequately. Besides potentially hefty fines, the reputational damage following a security incident can have lasting adverse effects.
For this reason, it is essential to be prepared in case a security incident occurs, so that you can detect, contain and mitigate it efficiently. In this article, you will find a step-by-step guide to navigating security incidents and responding to a data security incident.
Understanding the Importance of Data Breach Response
What is a data breach and what are the consequences?
Under the UK GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Article 4(12) UK GDPR). Breaches can also be referred to as a ‘cyber security incident’. However, a cyber incident is not specific to the personal data of the affected parties; it is, more broadly, an event that compromises an organisation’s IT systems. Therefore, an incident can be both a personal data breach and a cyber security incident, or only one of the two.
Personal data breaches can have a wide range of considerable negative effects on individuals, including emotional distress and physical and material damage. Recital 85 of the UK GDPR lists notable examples of such damage: loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or other social disadvantage.
The organisation suffering a security incident may also face unfavourable consequences. For example, security incidents are often associated with financial losses, which can materialise in the form of fines, litigation costs, operational disruption and costs of recovery. Security incidents can also lead to legal complications, as they may constitute violations of data protection laws or breaches of contract.
Potentially the most persistent consequence of a security incident is the damage to the organisation’s reputation. Security incidents can erode customer and public trust in the organisation’s ability to handle personal data safely. Over time, this damage can cause a decline in customers, reduced sales and difficulty in attracting new business, as potential clients and customers may gravitate towards competitors who appear to have stronger security measures in place.
Preparing for a Data Breach
Creating an incident response plan and understanding its benefits
An incident response plan is a set of steps that must be followed when a personal data breach is suspected or identified. It should cover the detection, containment, investigation, documentation and reporting of personal data breaches. Responsibility for handling personal data breaches must also be assigned within the incident response plan.
Having a well-structured incident response plan has many considerable benefits. For example, it allows the organisation to respond to incidents quickly, thus reducing the potential impact and harm on the affected individuals and the organisation.
A well-structured incident response plan streamlines the handling of security incidents, ensuring an efficient decision-making process during stressful times. Efficient decision-making is crucial because it minimises downtime and restores normal operations more swiftly. Furthermore, an incident response plan can demonstrate the proactiveness and responsibility of the organisation, which helps to foster customer and public trust. It will also benefit the organisation’s reputation and good standing with the Information Commissioner’s Office (ICO), which in the United Kingdom is responsible for investigating the organisation’s handling of personal data following a personal data breach.
Establishing an incident response team
You should also consider establishing a dedicated team that is responsible for handling security incidents. This should be a team of designated individuals who have the necessary set of skills and experience to coordinate the response to an incident. The team could consist of IT and cybersecurity experts, legal compliance officers, members of the communications team, and senior stakeholders.
Detecting and Responding to a Data Breach
When a suspected breach is first detected, it is crucial to capture the essential information needed for the subsequent investigation into the breach. For cyber-related incidents, most organisations have an intrusion detection system which notifies them when a suspected intruder accesses the system. This forms part of their cyber incident response plan.
If any systems are affected, it is vital to investigate and respond quickly to ensure business continuity. As a first step, record the date and time of the breach and of its detection, and the individual who detected the breach. Report the security incident to the incident response team or responsible individuals as set out in the incident response plan.
The next step should be the immediate containment of the breach: identify its root cause and eradicate it by restricting access to the compromised information and/or isolating affected systems or networks and/or removing or disabling compromised accounts. Mitigation steps should be introduced to address any potential risk caused by the security incident. Once the incident is contained and adequate mitigation steps are in place, the focus should shift to recovering from the breach by taking steps to restore normal operations and availability.
Initial response actions to take
Once an incident is first detected, it’s vital to have an incident plan that details the steps to take. This will often include noting the date and time of the detection and the date and time the incident is believed to have taken place, and notifying all relevant stakeholders affected by the incident. These can include senior management, human resources, your data protection team and your media or communications teams.
If the incident appears to involve account access or a compromised account, it is advisable to change the account passwords to prevent the same threat actor, or similar threats, from accessing the account in the same way. However, this is often difficult to know for certain until a forensic investigation has taken place.
Notifying Affected Parties
Depending on the context and the circumstances of the data breach and following the conducted risk assessment, you may be required to notify others about the incident, which is often referred to as a breach notification.
Notifying the supervisory authority under Article 33 UK GDPR
Once a data breach has occurred, you will have to identify whether it poses a risk to the rights and freedoms of the affected individuals. If that is the case, you will have to notify the relevant supervisory authority within 72 hours of becoming aware of the personal data breach. In the UK, this would be the Information Commissioner’s Office (ICO).
You may not always be able to conclude your investigation and risk assessment within the 72-hour timeframe. Nonetheless, you cannot delay notifying the ICO. You should notify the ICO within the 72-hour timeframe and provide the required information in phases, as more information is revealed over the course of your investigation.
If your assessment concludes that the data breach poses no risk to the rights and freedoms of the affected individuals, you do not need to notify the ICO. However, it is important for you to be able to justify your conclusion and it is highly recommended to document your decision and justification.
Notifying individuals under Article 34 UK GDPR
Besides informing the supervisory authority, you may also be required to notify the affected individuals where the data breach is likely to pose a high risk to their rights and freedoms. This notification needs to be provided without undue delay.
This provision under the UK GDPR has a higher threshold than the one for notifying supervisory authorities. In some rare cases, where the data breach is likely to cause serious harm to an individual, it may be appropriate to consult a law enforcement agency for protection and mitigation.
Notifying the data controllers
If you are processing personal data on behalf and under the instructions of a separate entity, you are acting as the processor. The other entity who is determining the purpose and means of the processing is defined as the controller. If you detect a personal data breach concerning the personal data of the controller, you have to inform them about the incident as soon as possible. This is both a legal and contractual requirement.
In instances where you are acting as the processor, you are not required to complete a risk assessment yourself. This obligation lies with the controller. You are required to inform them about the incident and to support them in their investigation and risk assessment.
Public communications
In some cases, organisations may consider it best to put out a public message regarding the breach. This often happens when a larger organisation holding a large dataset cannot reasonably contact all of the individuals affected by the breach. In such cases, they often decide to issue a public message via a media statement, or a mass email to subscribers or users who are likely to be affected by the incident. It is good to work in tandem with any communications or public relations departments, who can advise on how to proceed, to decide the best course of action.
Investigating the Data Breach
Launching an investigation to gather evidence and analyse the breach
It is crucial that every suspected data breach is properly investigated by the incident response team to establish the root cause of the incident. Evidence relating to the detection of and the response to the incident should be gathered and analysed. This analysis should enable the team to understand how the breach occurred, whether it was a result of human error, technical failure or malicious activity. This understanding allows the team to verify the root cause of the incident. The findings should inform the response to the incident to prevent further damage from materialising.
Risk assessment
Once the details of the security incident have been established and the root cause and its implications identified, the incident response team should conduct a thorough risk assessment. This risk assessment should determine the scope of the incident by identifying the data that was compromised, the number of individuals that are potentially affected and the level of sensitivity of the data involved. The assessment must include the evaluation of the risks. This evaluation must consider the potential damage and harm to the affected individuals and organisation caused by the security incident.
Documenting the investigation
The results of the investigation should be documented in detail, including the lessons learned from the incident. This documentation will serve as a reference for the future and will inform the organisation about vulnerabilities and areas of improvement that need to be addressed. Documenting the lessons learned from each incident is essential to continually improving your incident response and incident prevention.
Post-Incident Activities
Reviewing the incident response plan to identify lessons learned
With every security incident, valuable experience and insights can be gained which inform the incident response team on areas that work and areas that need improvement. The incident response plan should be reviewed regularly with that in mind. If any shortcomings in the incident response plan are identified, they should be addressed, and changes should be implemented to both prevent future personal data breaches and ensure effective handling and mitigation of security incidents.
Implementing changes to prevent future data breaches
Data breaches often highlight weaknesses in your information security controls, reveal compromised systems, expose gaps in staff awareness, or point to weak incident response plans or non-compliance more generally. Many incidents come down to user error, whether that’s a failure to spot phishing emails or a lack of due diligence before disclosing data.
It’s essential to use data breaches as a learning tool for how your organisation can improve. There is almost always something you can do after an incident to reduce the likelihood of it happening again. Involving the appropriate parties in your organisation is important for sharing knowledge and insights on how to improve.
Recording the risk on a risk register after an incident allows you to actively track it, along with your plans to mitigate it in the future.
Conclusion
In conclusion, responding effectively to a data breach is crucial in mitigating the potential impact on both individuals and organisations.
By being vigilant, proactive, and prepared with a comprehensive incident response plan, organisations will be well-equipped to handle any potential security incident. By regularly reviewing and meaningfully engaging with incidents and the incident response plan, organisations will not only recover from a breach but also emerge stronger and more resilient.
For more information or assistance with responding to security incidents, get in touch with us to see how we can support you and your business.