What should a business do when it has been breached?
When a company or organisation discovers there has been a data breach, it has a duty under the GDPR to report it to the relevant supervisory authority. This is expected to be done within 72 hours of becoming aware of the breach where feasible. Also, if the breach is likely to result in a high risk to individuals’ rights and freedoms, the affected individuals must be informed as soon as possible.
It is important to make sure there are effective breach detection, investigation, and internal reporting procedures in place. These will help you determine whether you need to notify the relevant supervisory authority, the affected individuals, or both. Whether or not you are required to notify the authority about the breach, you must keep a record of every data breach that occurs in your organisation.
What should individuals be told when there is a breach?
The UK GDPR states that when a breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those directly affected without undue delay. ‘High risk’ is a higher threshold than the one for informing the ICO, so fewer breaches will need to be reported to individuals than to the ICO. To make that decision you will need to assess the severity of the potential or actual effect on individuals as a result of the breach and the likelihood of it occurring.
If a data breach is severe, the risk is higher, meaning that the potential consequences for individuals could be highly significant. If you are an organisation responsible for people’s data, in these circumstances, you need to quickly inform those impacted, especially if there is a need to mitigate an immediate risk of damage to them. One of the main reasons to tell individuals is to help them take steps to protect themselves from the effect of the breach.
When telling someone about a data breach you need to describe in clear and plain language the nature of the personal data breach and at a minimum:
- The name and contact information of any data protection officer you have, or another point of contact where further details can be obtained.
- A description of the consequences that are likely to occur from the data breach.
- A description of the measures that have been taken or proposed to deal with the data breach and, where appropriate, a description of the measures taken to reduce any potential adverse effects on the individual.
Also, if possible, you should offer clear and specific advice to people on the steps they can take to protect themselves and what you can do to help them. Depending on the situation this could include things like:
- Forcing a password reset
- Advising people to use strong and unique passwords
- Letting them know to look out for fraudulent activity on their accounts or possible phishing emails
What other steps should a company take when responding to a data breach?
As previously mentioned it is extremely important to record any and all breaches regardless of whether or not they need to be reported to the ICO. The GDPR requires you to document the facts of the breach, its effects, and the action taken to remedy the situation. This is part of your overall obligation to comply with the accountability principle and allows the verification of the organisation’s compliance with its notification duties under the GDPR.
As with any security incident, you should investigate whether the breach was caused by human error, a systemic issue, or a cyber crime, and work out how it can be prevented from recurring. Recent statistics have shown that human error is the leading cause of reported data breaches. The risk of this can be reduced by:
- Compulsory data protection induction and refresher training
- Supervising and offering support to employees until they are proficient in their role
- Keeping policies and procedures up to date so employees can report any near misses
- Working to the idea of “check twice, send once”
- Promoting a culture of trust, so that employees feel comfortable and able to report near misses
- Looking at the root causes of breaches and near misses
- Protecting your employees and the personal data your organisation is responsible for. This might include restricting access to systems or implementing organisational and technical measures such as disabling autofill
What happens if a company fails to notify the ICO of a serious data breach?
Failing to notify the ICO when you are required to do so can lead to a substantial fine of up to £8.7 million or 2% of your global turnover. That is why it is important to have a robust breach-reporting procedure in place, so you can detect breaches, notify them on time and provide the necessary details, unless the data breach is unlikely to result in a high risk to individuals. If you decide you don’t need to report the breach, you need to be able to justify that decision, so you should document it in detail.
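The record-keeping and decision steps described in the sections above (assess severity and likelihood, decide whether the ICO and/or the affected individuals must be told, track the 72-hour deadline, check the notice carries the minimum content, and log every breach with the reasoning whether or not it is reported) can be put into a small breach register. The following is an added example written for this article, not a tool from the ICO or any organisation; the 3×3 severity-by-likelihood scoring, the thresholds that map a score to ‘unlikely’, ‘risk’ or ‘high’, and all field names and sample values are assumptions chosen for illustration.

```python
"""Constructed example: a minimal breach register with a notification decision.

Assumed for this example (not taken from the article): a 3x3 severity-by-
likelihood matrix, the score thresholds below, and the field names. The duties
encoded (authority within 72 hours of awareness, individuals when the risk is
high, a record kept regardless) follow the text above.
"""
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import List, Optional

AUTHORITY_DEADLINE = timedelta(hours=72)  # report to the supervisory authority within 72 hours


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Breach:
    reference: str
    discovered_at: datetime            # when the organisation became aware of the breach
    facts: str                         # nature of the breach (recorded whether or not reported)
    effects: str                       # consequences, actual or likely, for individuals
    remedial_action: str               # measures taken or proposed to deal with it
    severity: Level                    # severity of the potential or actual effect on individuals
    likelihood: Level                  # likelihood of that effect occurring
    dpo_contact: str = ""              # DPO or other point of contact for further details
    advice_to_individuals: List[str] = field(default_factory=list)
    authority_notified_at: Optional[datetime] = None


def risk_rating(severity: Level, likelihood: Level) -> str:
    """Map severity x likelihood to 'unlikely', 'risk' or 'high' (assumed thresholds)."""
    score = int(severity) * int(likelihood)
    if score <= 1:          # LOW x LOW: unlikely to result in a risk
        return "unlikely"
    if score >= 6:          # HIGH x MEDIUM or worse: high risk to individuals
        return "high"
    return "risk"


def decide_notifications(b: Breach) -> dict:
    """Decide who must be told and record the rationale alongside the decision."""
    rating = risk_rating(b.severity, b.likelihood)
    deadline = b.discovered_at + AUTHORITY_DEADLINE
    late = b.authority_notified_at is not None and b.authority_notified_at > deadline
    return {
        "reference": b.reference,
        "risk_rating": rating,
        "notify_authority": rating != "unlikely",   # report unless unlikely to result in a risk
        "notify_individuals": rating == "high",     # tell individuals when the risk is high
        "authority_deadline": deadline.isoformat(),
        "authority_notified_late": late,
        "rationale": f"severity={b.severity.name}, likelihood={b.likelihood.name} -> {rating}",
    }


def missing_notice_content(b: Breach) -> List[str]:
    """Return the minimum notice elements (listed above) that are still missing."""
    required = [
        ("nature of the breach", b.facts),
        ("contact point (DPO or other)", b.dpo_contact),
        ("likely consequences", b.effects),
        ("measures taken or proposed", b.remedial_action),
    ]
    return [name for name, value in required if not value.strip()]


class BreachRegister:
    """Every breach is recorded, together with the decision, even when not reported."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, b: Breach) -> dict:
        decision = decide_notifications(b)
        self.entries.append({**asdict(b), "decision": decision})
        return decision

    def to_json(self) -> str:
        return json.dumps(self.entries, default=str, indent=2)


if __name__ == "__main__":
    # Constructed sample breach: a lost unencrypted laptop holding customer records.
    sample = Breach(
        reference="BR-0001",
        discovered_at=datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc),
        facts="Unencrypted laptop holding 2,000 customer records lost in transit.",
        effects="Identity fraud and phishing against the affected customers.",
        remedial_action="Remote wipe issued; encryption now enforced on all laptops.",
        severity=Level.HIGH,
        likelihood=Level.MEDIUM,
        dpo_contact="dpo@example.org",
        advice_to_individuals=["Reset your password", "Watch for phishing emails"],
    )
    register = BreachRegister()
    print(json.dumps(register.record(sample), indent=2))
    print("missing from notice:", missing_notice_content(sample))
```

The decision dictionary is stored in the register next to the facts, effects and remedial action, so the record shows both what happened and why the organisation did or did not notify; a breach rated ‘unlikely’ still produces an entry, which is the justification the text asks you to keep when you decide not to report.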
What to do if your data has been breached
If you have received a notification from a company that your data has been affected, here are some useful steps you can take.
- Change all your passwords straight away
- Determine from the company what type of information was compromised in the breach
- Contact your bank or credit card company if your financial details have been breached
- Find out what help and guidance the company is offering and accept what they offer, such as free credit reports or identity theft protection
- Monitor all of your accounts closely
- Be aware of scams
- Pay extra attention to your inbox and be careful what you click on as you could be targeted with phishing emails after the breach
- Use two-factor authentication where possible
- To further protect yourself in the future, don’t use the same passwords between different accounts and try to make them as unique as possible