data breaches

Data Breaches Happen

How will you deal with one?

 

Breaches come in many shapes, sizes, and severities. It’s critical to recognise that an integrity breach with a single inaccurate word can be as serious as a classic confidentiality breach.

Part of your training for all staff needs to be about recognising when a data breach has happened. For schools’ breaches often involve misplaced papers or devices or emails sent to the wrong person. Although hacking does occur it represents a small fraction of the breaches reported by educational establishments.

Staff should know to look for:

  • Information being put in the hands of the wrong people
  • Paperwork or devices being lost or stolen
  • Significant errors in information – including being out of date
  • Issues with email both recipients and content

Handling a breach effectively is practical, preventing breaches is nearly impossible

 

Here are some elements you’ll need in your breach plan:

 

INVESTIGATION

The fundamentals

You’re in the 72 hour window.

  • Get the facts, don’t look for blame
  • Involve the person who discovered the breach
  • Make records, you’ll need them later

Critical things to know.

  • How many people might be affected
  • What sort of data is affected and how much of it
  • An initial understanding of how the breach happened
  • Has anyone been affected by the breach
  • How might people be affected

Difficult, but must be done.

  • If you think criminal action is involved report it to the police
  • You might have to initiate disciplinary action

 

MITIGATION

Where possible;

Depending on the nature of the breach, there may be little that can be done

  • The type of breach governs what can be done
  • The objective is to minimise the harm that may come from the breach
  • By acting quickly then it’s possible to stop any harm

There is no rocket science here.

  • Lost devices may be able to be remotely locked or wiped
  • Credentials can be forced to be changed (even if that’s everyone)
  • Incorrectly distributed material can be recovered
  • Inaccurate information can be updated

But remember:

  • Keep records of all the actions you take
  • Don’t create a new breach by updating with inaccurate information
  • Rushing to tell affected individuals may make the situation worse

 

NOTIFICATION

A need to know basis:

This is where you need a level head and good advice

  • You need the initial investigation and know that mitigation is underway
  • This is a judgement about the risk to the data subjects
  • You don’t have to have evidence of harm before reporting

The basic decision seems simple.

  • What might happen because of the breach
  • How likely are those consequences?
  • What might the emotional impacts of the breach be
  • What might people need to do to protect themselves from further harm

Reporting requirements:

  • All the information gathered in the investigation is required
  • If you can, report by calling the ICO – have the paperwork ready
  • The report is often not the end of the process

 

REPAIR

Stopping it happening again.

The reason why you need to keep a breach record:

  • Record the details of every breach
  • Patterns can tell you something is wrong
  • Having no breaches logged probably means you’re not spotting them

Delivering a long-term fix can require several actions, for example:

  • Identifying that there is a need for additional training
  • Implementing additional protections to existing situations (having lockable drawers for example)
  • Introducing new working methods (cloud storage rather than USB storage)

Sometimes more detailed work is required.

  • If a particular system or process has been involved in more than one breach, you need to understand why
  • Undertaking a Data Protection Impact Assessment will help you isolate the weaknesses
  • This may lead to significant changes to the way you process personal data.

 

For further information on managing breaches, speak to our team today.