Sunday, 14 February 2016

Help, it's all gone Pete Tong (wrong)! What to do when a data breach happens.

I was at a conference the other day where the speaker said that information security is low on the list of a company's priorities until it goes wrong.There was a discussion about Talk Talk and how the weakness in their cyber security was well known in IT circles. How much would it have cost Talk Talk to make the necessary changes to the system? I am guessing significantly less than the £80m it has cost them in the four months since the breach.

So what is a data breach? Simply this is when personal information ends up somewhere it isn't supposed to. The big breaches that hit the press involves lots of people's information but in smaller companies it can be as simple as a letter intended for one person being incorrectly sent to someone else, a spreadsheet of information being sent to the wrong email address or a fax being sent to the wrong number. It should not take your organisation to lose lots of information before it takes action. Each breach is an indication that there is something wrong with your systems, whether that be the actual process followed, the equipment or failing to train the individual. Learn from it.

A report by PWC shows that almost all businesses had experienced at least one data breach incident in the past year, with 90% of large organisations and 74% of small businesses reporting a security breach in the survey. In addition to the reputational damage and the cost of "fixing" the weakness, there is the disruption to the business.

The most costly breaches are malicious or criminal attacks, such as hacking.

Negligent employees are the top cause of data breaches.

In many organisations, the same personal information is available to a number of different departments, this increases the potential of a breach as more staff have access. Personal information is a valuable business asset, yet we don't always treat it that way.

So what happens when it goes wrong and there is a data breach?

Here's your basic action plan:
1 - Can you get it back? Do you know where it is and can you retrieve it?
2 - Do you know what information has been breached, who it is about and what the information was? In this case you will need to consider whether the information that has been released could cause potential damage or distress to the individual. You may then need to contact affected individuals and inform them of the breach. You may also need to contact the ICO and notify them of the breach.
3 - Investigate and remedy how the breach occurred so that further breaches are avoided. This may involve specialist advice or skills.
4 - Contact the police if applicable.
5 - Continue to update those who need to know with information about the incident.
6 - Create a policy which shows how you will handle a loss of data. This helps everyone understand what they should be doing.
7 - Train your staff in data protection compliance so they understand the importance of good data management and security.

Please remember that these are the basics, I would always advise that you seek professional advice for your circumstances. Remember you have already made a mistake by losing the information, don't compound it by not dealing with the breach correctly.

If you would like to discuss your data protection arrangements then please get in touch. 

No comments:

Post a Comment