ALERT! DATA BREACH! How would you respond?

With calm preparation and assurance? Or a face-palming admission that you’ve dropped a huge ging-gang-goolie?

“Taxi for Uber! Taxi for Uber!”

We can’t be sure, but we have a feeling that Travis Kalanick wasn’t a Boy Scout. If he had been, then we’d like to think his organisation might have been better prepared at preventing 57 million of its users’ names, email addresses, and mobile phone numbers from being hacked (including 2.7 million UK customers).

We can’t be sure either of what discussions took place when they discovered the data breach and finally got around to declaring it publicly…

But we can think of one word that might have sprung to mind. And it probably had nothing to do with cabs, data, or bob-a-job.

Being prepared for a data breach is everything. What would you do?

A data breach can take many forms, where a lack of security leads to the destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. And, it’s more than just ‘losing’ data, such as leaving a memory stick or laptop on the train.

It could be something as basic as someone seeing something they shouldn’t, or a deliberate misuse of privilege to access data records; all the way through to accidental, mass destruction of data, or a major security hack á la Uber above.

Yet, even though it’s never any good for anyone – individuals’ private details end up compromised, organisations face lost custom as well as reputational damage – it is possible to safeguard against one and prepare in advance for such an eventuality. Because if it does happen, that’s the time when you need to have a plan more than ever…

So, here are some questions, facts, and figures for you to muse over:

How well do you and your staff know what constitutes a data breach?

What processes do you have in place, in case one occurs?

Do you maintain an internal Data Breach Register and know what you need to record, what type of incidents to report, and what action to take?
For any report, all companies must notify regulators within 72 hours, and affected individuals without undue delay (despite it taking Uber over a year to do so!).

There’s zero tolerance towards data breaches. Fines range from €20M (or 4% of global turnover) for a breach, to an additional €10M (or 2% of global turnover) for failing to comply with the personal data breach notification process.

Then:

How will you assess the level of breach?

Can you immediately identify what information has been breached, how long you’ve had it, and what it’s used for?

Who in your organisation do you need to involve, and how high up does it need to go?

Your DPO (Data Protection Officer), if you have one, should take the lead in any investigations, and in liaising with the ICO (Information Commissioner’s Office).

And finally:

Who will manage the PR communications and fallout, explaining the nature of the breach and reassuring/advising customers of what’s being done/what they should do to prevent further incident (even those unaffected)?

What contingency plans do you have in place to mitigate against bigger breaches? (Learning from previous smaller mistakes can make all the difference).

 

How well prepared would you be?

Ideally, you’ve already taken measures to prevent a data breach from happening in the first place.

However, if one did occur, the previous data-mapping you’ve done should mean that you can rely confidently on your systems and processes – and respond swiftly to curtail the breach’s impact. That’s when knowing exactly what’s what, and where, proves invaluable!

Of course, we hope it never happens, and certainly not of the uber-scale proportions mentioned earlier.

We’re always here though to help you review your processes and make sure you’re as well prepared as you can be… Just get in touch and we’ll show you what you need to do.

And, if there are any left, we’ll even treat you to some toasted marshmallows by the fire. They’re not only for Boy Scouts, you know.

Just don’t mention it to Health & Safety.

Until next time…