How to Deal with a Data Security Breach
Posted in: Business Legal on Data Security on 4 October 2017
David Fagan of Business Legal explains how to deal with a data security breach. He explains what a data security breach is; how to recover the situation effectively; when you are required to notify data subjects, and consequently, when you are required to report a data breach to the Data Protection Commissioner.
David suggests four action points for rectifying a data security breach and mitigating the considerable, and potentially very serious, implications of a breach. He advises organisations to assess any ongoing risk and to evaluate the effectiveness of their response to a data breach in order to identify any weaknesses and prevent a breach in the future.
Note: David Fagan is speaking at the Data Protection Update: Ensuring your HR Department is GDPR-Compliant conference at the Radisson Blu Hotel, Dublin Airport on 6th March 2018. Book now to secure your place!
First, what is a data security breach? In essence, it is where data is accessed, viewed, amended or changed in some way that is unauthorised. Put simply, if a person who is not authorised to touch the data touches the data, then there is a security breach.
There are essentially four elements to dealing with security breaches. The first is containment and recovery. If there has been a security breach and you have found out about it, you need immediate containment of that situation. So the first question is: who needs to know about this breach immediately?
You may consider later things like who investigates the breach and appointing somebody to do that, but that is for the future. Right now you need to know whether anything can be done to recover this loss. For example, just because there has been a data breach does not mean that anyone has viewed the data yet. It may not even be a data breach, even though you have temporarily lost control of that data. For example, if you have a laptop which is encrypted and you lose that laptop, and the encryption is sufficient in the view of the Data Protection Commissioner to prevent viewing, that will not be a data breach.
That is clearly a potential data breach, but perhaps you can recover the situation. Perhaps you can recover the laptop; perhaps you can access the laptop remotely and delete the data. Or perhaps you can simply convince the Data Protection Commissioner that the encryption is such that the data is inaccessible. All of these are steps that can be taken to recover the situation effectively.
Reporting a breach to the Data Protection Commissioner
Once you have considered the initial situation and what can be done to recover it, if anything, you should then consider an investigation of the matter. You are required to report any data breaches to the Data Protection Commissioner within a reasonable period of time, and the Data Protection Commissioner will generally advise you to notify the data subjects.
However, there are circumstances where, if the Data Protection Commissioner is comfortable that the data is inaccessible, you may not have to notify the data subjects. Therefore, one question to ask yourself at the very early stages is, "Am I going to have to notify the data subjects?" It can be embarrassing to notify the data subjects of a breach, only to discover later that in fact there was no breach and that you were not required to notify them.
Once the initial steps have been taken to recover the situation as best as possible, and you feel it necessary to notify the Data Protection Commissioner and/or the data subjects, you may wish to carry out an investigation. The Data Protection Commissioner will certainly require this where there has been an actual data breach and it appears that data has been accessed or viewed by other parties.
The investigation report can often simply be sent to the Data Protection Commissioner by email. It should cover a description of the incident and a timeline of the events that took place; a description of the nature of the data, the numbers affected and whether a data processor is involved; the members of the investigation team; the actions taken to contain the breach; and the actions taken to prevent a future occurrence.
Part of this should be an assessment of ongoing risk. Not all breaches are significant. A list of names going missing could be at the lower end of a data protection breach; on the other hand, financial data or medical data going missing is very significant. So when assessing the ongoing risk, the questions to ask are: what type of data is involved, how sensitive the data is, how many data subjects are affected, what protections are in place to minimise the risk of damage, what steps can be taken to mitigate the ongoing impact, and whether the information is encrypted.
Notifying data subjects
One of the reasons why data subjects are often notified very early is that the data subject may be able to mitigate the risk themselves. For instance, if credit card details have gone missing, the data subject can change passwords and access codes and notify their bank.
If you are considering notifying the DPC, the requirements are as follows. The Code of Practice says that the Data Protection Commissioner should be notified without delay, except if there are fewer than 100 data subjects and the breach does not include sensitive personal data or data of a financial nature. The Data Protection Commissioner will then advise on any other notifications required.
Whether you notify the data subjects is a different question. If you do notify them, you should notify them by the most appropriate method of communication. Typically this will not be by letter; it will typically be by the fastest method of communication. You should tell them how and when the breach occurred, what data is involved, what steps you have taken to mitigate it, and what steps you believe they can take to mitigate any adverse effects from the breach.
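The decision points above (the encrypted-laptop case, the ongoing-risk questions, the Code of Practice threshold for notifying the DPC, early notification of data subjects who can mitigate themselves, and the elements the investigation report should cover) can be captured in a small triage helper. The following is an added example, not code from the article, its author or Legal-Island; the risk tier names, the report field names and the "credentials" data category are this example's own assumptions.

```python
"""Breach triage helper, added as an example for this article (not the author's
or Legal-Island's code). It encodes the article's decision points: whether
DPC-accepted encryption means the loss is not a breach, an ongoing-risk tier
from data type and subject count, the Code of Practice threshold for notifying
the Data Protection Commissioner (DPC), early notification of data subjects who
can mitigate the risk themselves, and a completeness check on the investigation
report. Tier names, field names and the "credentials" category are assumptions."""
from dataclasses import dataclass, field

# Data types the article singles out as very significant when they go missing.
SENSITIVE_CATEGORIES = frozenset({"medical", "financial"})
# Data the subject can act on themselves (change passwords/access codes, tell the
# bank); "credentials" is an assumed label for the passwords/access codes case.
SUBJECT_MITIGABLE = frozenset({"financial", "credentials"})
# Elements the article lists for the emailed investigation report.
REPORT_ELEMENTS = (
    "incident_description", "timeline", "data_nature", "subjects_affected",
    "processor_involved", "investigation_team", "containment_actions",
    "prevention_actions",
)


@dataclass
class BreachIncident:
    summary: str
    data_categories: frozenset
    subject_count: int
    encrypted: bool = False
    # Set only once the DPC has agreed that the encryption prevents viewing.
    dpc_accepts_encryption: bool = False
    report: dict = field(default_factory=dict)


def data_inaccessible(inc: BreachIncident) -> bool:
    """Encrypted device lost and the DPC accepts the data cannot be viewed:
    the article treats this as not being a data breach."""
    return inc.encrypted and inc.dpc_accepts_encryption


def risk_tier(inc: BreachIncident) -> str:
    """Ongoing-risk assessment from the article's questions: what type of data,
    how sensitive it is, how many subjects, and whether it is encrypted."""
    if data_inaccessible(inc):
        return "none"
    if inc.data_categories & SENSITIVE_CATEGORIES:
        return "high"
    return "medium" if inc.subject_count >= 100 else "low"


def must_notify_dpc(inc: BreachIncident) -> bool:
    """Code of Practice rule as quoted: notify the DPC without delay unless fewer
    than 100 subjects are affected and no sensitive or financial data is involved.
    The encryption argument is made *to* the DPC, so it does not skip this step."""
    small = inc.subject_count < 100
    no_sensitive = not (inc.data_categories & SENSITIVE_CATEGORIES)
    return not (small and no_sensitive)


def notify_subjects_early(inc: BreachIncident) -> bool:
    """Subjects are told early when they can mitigate the risk themselves, but
    not when the DPC is satisfied the data is inaccessible."""
    if data_inaccessible(inc):
        return False
    return bool(inc.data_categories & SUBJECT_MITIGABLE)


def missing_report_elements(inc: BreachIncident) -> list:
    """Report elements from the article's list that are absent or empty."""
    return [key for key in REPORT_ELEMENTS if not inc.report.get(key)]


if __name__ == "__main__":
    # Constructed sample: an unencrypted payroll spreadsheet sent to the wrong
    # external address, 40 staff affected, report only partly drafted.
    inc = BreachIncident(
        summary="payroll spreadsheet sent to wrong external address",
        data_categories=frozenset({"names", "financial"}),
        subject_count=40,
        report={"incident_description": "misaddressed email", "timeline": "09:10 sent"},
    )
    print("risk:", risk_tier(inc), "| notify DPC:", must_notify_dpc(inc),
          "| notify subjects early:", notify_subjects_early(inc))
    print("report still needs:", missing_report_elements(inc))
```

Note that the financial data makes the 40-subject incident reportable despite being below the 100-subject threshold, while the encrypted-laptop case still produces a DPC contact (you have to make the encryption argument to them) but no subject notification once the DPC accepts it.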
Evaluating your response
Finally, when the breach is over, you will want to evaluate your response to the data breach and the effectiveness of that response. You will want to understand the cause, to see whether it can be prevented in the future, and to identify improvements you can make to processes and procedures, as well as any other weaknesses that seem connected to that breach. You may wish to monitor staff awareness and training, and you may wish to update your policies as a result. It is always a good idea to document lessons learned, so that the same breach is not repeated.
This article is correct at 04/10/2017
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.