Data Breaches Happen
How will you deal with one?
Breaches come in many shapes, sizes, and severities. It’s critical to recognise that an integrity breach with a single inaccurate word can be as serious as a classic confidentiality breach.
Part of your training for all staff needs to be about recognising when a data breach has happened. For schools’ breaches often involve misplaced papers or devices or emails sent to the wrong person. Although hacking does occur it represents a small fraction of the breaches reported by educational establishments.
Staff should know to look for:
- Information being put in the hands of the wrong people
- Paperwork or devices being lost or stolen
- Significant errors in information – including being out of date
- Issues with email both recipients and content
Handling a breach effectively is practical, preventing breaches is nearly impossible
Here are some elements you’ll need in your breach plan:
You’re in the 72 hour window.
- Get the facts, don’t look for blame
- Involve the person who discovered the breach
- Make records, you’ll need them later
Critical things to know.
- How many people might be affected
- What sort of data is affected and how much of it
- An initial understanding of how the breach happened
- Has anyone been affected by the breach
- How might people be affected
Difficult, but must be done.
- If you think criminal action is involved report it to the police
- You might have to initiate disciplinary action
Depending on the nature of the breach, there may be little that can be done
- The type of breach governs what can be done
- The objective is to minimise the harm that may come from the breach
- By acting quickly then it’s possible to stop any harm
There is no rocket science here.
- Lost devices may be able to be remotely locked or wiped
- Credentials can be forced to be changed (even if that’s everyone)
- Incorrectly distributed material can be recovered
- Inaccurate information can be updated
- Keep records of all the actions you take
- Don’t create a new breach by updating with inaccurate information
- Rushing to tell affected individuals may make the situation worse
A need to know basis:
This is where you need a level head and good advice
- You need the initial investigation and know that mitigation is underway
- This is a judgement about the risk to the data subjects
- You don’t have to have evidence of harm before reporting
The basic decision seems simple.
- What might happen because of the breach
- How likely are those consequences?
- What might the emotional impacts of the breach be
- What might people need to do to protect themselves from further harm
- All the information gathered in the investigation is required
- If you can, report by calling the ICO – have the paperwork ready
- The report is often not the end of the process
Stopping it happening again.
The reason why you need to keep a breach record:
- Record the details of every breach
- Patterns can tell you something is wrong
- Having no breaches logged probably means you’re not spotting them
Delivering a long-term fix can require several actions, for example:
- Identifying that there is a need for additional training
- Implementing additional protections to existing situations (having lockable drawers for example)
- Introducing new working methods (cloud storage rather than USB storage)
Sometimes more detailed work is required.
- If a particular system or process has been involved in more than one breach, you need to understand why
- Undertaking a Data Protection Impact Assessment will help you isolate the weaknesses
- This may lead to significant changes to the way you process personal data.
For further information on managing breaches, speak to our team today.