Data Breaches Happen

How will you deal with one?

 

Breaches come in many shapes, sizes, and severities. It’s critical to recognise that an integrity breach with a single inaccurate word can be as serious as a classic confidentiality breach.

Part of your training for all staff needs to be about recognising when a data breach has happened. For schools’ breaches often involve misplaced papers or devices or emails sent to the wrong person. Although hacking does occur it represents a small fraction of the breaches reported by educational establishments.

Staff should know to look for:

• Information being put in the hands of the wrong people
• Paperwork or devices being lost or stolen
• Significant errors in information – including being out of date
• Issues with email both recipients and content

Handling a breach effectively is practical, preventing breaches is nearly impossible

 

Here are some elements you’ll need in your breach plan:

 

INVESTIGATION

The fundamentals

You’re in the 72 hour window.

• Get the facts, don’t look for blame
• Involve the person who discovered the breach
• Make records, you’ll need them later

Critical things to know.

• How many people might be affected
• What sort of data is affected and how much of it
• An initial understanding of how the breach happened
• Has anyone been affected by the breach
• How might people be affected

Difficult, but must be done.

• If you think criminal action is involved report it to the police
• You might have to initiate disciplinary action

 

MITIGATION

Where possible;

Depending on the nature of the breach, there may be little that can be done

• The type of breach governs what can be done
• The objective is to minimise the harm that may come from the breach
• By acting quickly then it’s possible to stop any harm

There is no rocket science here.

• Lost devices may be able to be remotely locked or wiped
• Credentials can be forced to be changed (even if that’s everyone)
• Incorrectly distributed material can be recovered
• Inaccurate information can be updated

But remember:

• Keep records of all the actions you take
• Don’t create a new breach by updating with inaccurate information
• Rushing to tell affected individuals may make the situation worse

 

NOTIFICATION

A need to know basis:

This is where you need a level head and good advice

• You need the initial investigation and know that mitigation is underway
• This is a judgement about the risk to the data subjects
• You don’t have to have evidence of harm before reporting

The basic decision seems simple.

• What might happen because of the breach
• How likely are those consequences?
• What might the emotional impacts of the breach be
• What might people need to do to protect themselves from further harm

Reporting requirements:

• All the information gathered in the investigation is required
• If you can, report by calling the ICO – have the paperwork ready
• The report is often not the end of the process

 

REPAIR

Stopping it happening again.

The reason why you need to keep a breach record:

• Record the details of every breach
• Patterns can tell you something is wrong
• Having no breaches logged probably means you’re not spotting them

Delivering a long-term fix can require several actions, for example:

• Identifying that there is a need for additional training
• Implementing additional protections to existing situations (having lockable drawers for example)
• Introducing new working methods (cloud storage rather than USB storage)

Sometimes more detailed work is required.

• If a particular system or process has been involved in more than one breach, you need to understand why
• Undertaking a Data Protection Impact Assessment will help you isolate the weaknesses
• This may lead to significant changes to the way you process personal data.

 

For further information on managing breaches, speak to our team today.