In the first article of his GDPR data protection series, Brandfire Cybersecurity consultancy founder Stewart Twynham explains the steps to follow in the event of a data breach.
In April 2016, an NHS Trust was fined £185,000 for publishing a pivot table with its data source (the personnel records of 6,574 employees) still attached.
In August 2016, a nursing home was fined £15,000 after a laptop containing the unencrypted records of 29 residents and 46 staff was stolen.
In June 2017, an SME was fined £60,000 after 26,331 credit card numbers (including the security code) were stolen from its website.
In August 2017, Talk Talk was fined £100,000 after details of 21,000 UK customers were stolen by staff at its IT supplier in India, Wipro.
These are four very different breaches and an indication of the diversity of issues that Data Protection Officers (DPOs) face. I will be examining each of these examples and others in more detail in the coming months.
Data breaches are fast becoming a fact of life for modern businesses simply because we process more and more data, often on the move. Whilst the risk of a “category one cyber attack” might be grabbing the headlines at the moment, for many businesses the most proximate threats still come from the temp on reception sticking an important document into the wrong envelope or a member of staff losing an unencrypted device. Human factors accounted for almost half of the notifications to the Information Commissioner’s Office (ICO) last quarter.
Most breaches will become notifiable
One of the big changes under the GDPR is mandatory breach notification.
Broadly speaking, businesses will have to inform the ICO within 72 hours of becoming aware of any personal data breach that is likely to result in a risk to people’s “rights and freedoms”. Businesses will also have to inform the data subjects themselves “without undue delay” if the breach is likely to result in a “high risk” to those rights and freedoms. In practice the clock starts when you become aware of the breach, not when you finish investigating it, so the initial notification can be partial and updated as facts emerge.
Currently, health is one of the few sectors with a mandatory obligation to notify the ICO, which is why it generates around a third of all notifications.
How not to handle a data breach: Equifax
How a data breach is handled will have a huge impact far beyond the ICO. A loss of trust in the brand, a fall in share price and departures at the top are all possible.
In 2017, the credit reference agency Equifax failed to patch a critical vulnerability in its web servers, and around two months later an attacker broke in through it. It took Equifax a further two months to spot the intruder, by which time the records of 143 million people had been exfiltrated.
Equifax then decided to keep quiet for six weeks whilst deciding what to do. When Equifax finally went public it offered free identity theft monitoring with a sting in the tail: the customer must waive all rights to sue Equifax. Despite earlier denials, six weeks later the agency admitted that other countries were affected, including 634,000 people in the UK.
The business lost a third of its value and saw the early departure of the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO), with the Chairman and Chief Executive, Richard F. Smith, “retiring” just days later.
Putting aside the glaring security blunders, Equifax didn’t have a plan, which meant it took far too long to respond to something that needed its most urgent attention. Even then, the business managed to concoct a half-baked solution (the lawsuit waiver) which told everyone that Equifax wasn’t really interested in its customers at all. Then it let the bad news drip out until nobody believed a word it said.
A frantic call from a customer, an urgent e-mail from a supplier or comments made on social media may be your first sign of a problem.
It might sound obvious, but unless you have indications to the contrary, treat every report as a potential security incident and avoid the word “breach” until the facts support it. Once you have called it a breach, you have in effect declared it notifiable.
Once you’ve established that it is a breach, then in the words of Corporal Jones: “Don’t panic!”
Forget the headlines about eye-watering fines; most notifications never result in a penalty, and even under the GDPR penalties will be proportionate and reserved for situations where a catalogue of basic failings has led to the loss.
The next stage can be summarised in three steps - investigate, protect and communicate.
Investigate
It is essential that you manage by fact, but you will also need to move quickly. Your focus should be on the questions the ICO will ask you:
- The nature of the information disclosed, including the categories and approximate number of individuals and records involved
- Who is affected
- The likely consequences for those individuals
- The measures you have taken, or propose to take, to deal with the breach
Protect (the data subjects)
Take steps to address the breach or minimise the impact of the breach on the data subjects.
This does not mean coming up with a clever wheeze to prevent future lawsuits as Equifax attempted. Sensible, timely mitigation will be a strong defence in any future ICO investigation.
Elements might range from locking down your systems and accounts (resetting compromised credentials, revoking the intruder’s access, remotely wiping a lost device) to protect customers from fraud, through to notifying banks or credit card companies so that stolen card details can be blocked.
Communicate
One of the key planks of the GDPR is transparency. You will need to be open and honest when communicating with the ICO, the press, social media and data subjects. To use a popular term in PR: tell it all, tell it fast and tell the truth.
Planning is everything
As you will have realised, completing these three steps is almost impossible unless you already have a crisis management plan in place. Here are just some of the issues you might face if you try to tackle this without a plan:
- Your current IT company doesn’t have the forensic skills to determine what happened or even ensure that any intruder is no longer at large
- Your systems are in the cloud. Hosting, development and management are three different companies in different time zones, and they aren’t talking to one another
- You can’t find the right contacts to speak to at the bank
- Your marketing agency doesn’t understand IT, data protection or crisis PR
- None of your management team have ever had any media training, so they cannot field press enquiries
- You haven’t got sufficient time to prepare briefings for the media or information packs for customers
Running through different scenarios will help your business to get prepared. The good news is businesses that understand and prepare for the worst tend to make better and more informed security decisions - decisions which can help prevent breaches happening in the first place.
Next time: Getting those basics right
ICO penalties are issued when businesses fail to get the basics right, so my next article looks at some of the baseline controls every business must have in place.