Data breaches have become ubiquitous, prompting many organisations to adopt a policy for dealing with them. Just last week, 80 million Social Security records and other sensitive personal data from US health insurance giant Anthem were leaked.
Exactly what you need to do following a security breach is not always easy to pin down. It is important that appropriate action is taken promptly to contain the damage and minimise any further losses. The ICO (the UK Information Commissioner's Office) has developed guidance to help organisations identify what needs to be considered in the event of a data breach.
The guidance stipulates four stages of a data breach management plan.
- Containment and recovery: A typical response plan will not only aim to contain the situation, but also to hasten the recovery. Identify and notify the individuals or teams who could assist in preventing further damage, for instance by isolating certain areas or networks. At this point, it is crucial to establish whether anything can be done to recover losses and to limit the damage caused by the breach.
- Assessment of ongoing risk: This step requires assessing the type of data involved, how sensitive the data is, how many records were affected, what impact the records being made public would have (physical, reputational, financial damage, etc.), whether encryption was used (if certain devices have gone missing), and whether any other institutions need to be informed (e.g. banks if cardholder details have been breached).
- Notification of breach: Informing the individuals affected by a breach can help them to take steps to protect themselves. Likewise, informing the appropriate regulatory bodies enables those institutions to provide advice and deal with any resulting complaints. Issues to consider include regulatory or legal requirements regarding data breach notifications, and the method of informing particular individuals. If children or vulnerable people are affected, these notifications must be handled appropriately. It is important to provide clear advice on the steps that victims can take to protect themselves, and on how your organisation is able to assist them.
- Evaluation and response: Containing the breach and continuing ‘business as usual’ is not acceptable if the breach was caused by poor security practices, such as inadequate policies or a lack of clear responsibility. It is essential to conduct an assessment of your security practices to identify how the breach occurred and what can be done to avoid a recurrence. Maintain a record of where data is held and how it is stored, and consider conducting a thorough information security risk assessment.
vsRisk™ is the quintessential risk assessment tool. Developed by ISO 27001 experts, it automates the information security risk assessment and enables even newcomers to information security to undertake a comprehensive risk assessment.