[BreachExchange] My business has had a data security breach, what do I do now?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 14 19:34:22 EDT 2017


http://www.itproportal.com/features/my-business-has-had-a-data-security-breach-what-do-i-do-now/

Any type of data breach, whether due to an external hacking incident or an
internal staff error, is a significant issue that needs immediate
attention.  A key aspect of the legal requirements surrounding a data
breach is to demonstrate that your business or organisation takes the issue
very seriously and is proactively seeking not only to protect any
individuals who may be affected, but also to improve systems and processes
quickly to prevent a similar issue occurring again.
Communications following a data breach, both internally and externally,
need to be carefully managed to convey these key messages effectively.

In the immediate aftermath of a breach the most important thing to
establish, as quickly as possible, is exactly what data has been
compromised and the number of individuals affected.

You need to focus on confirming exactly what has happened and how any risks
created can be mitigated, prepare your public and internal statements, and
reassure your customers and employees that you are in control of the
situation.  Knowing precisely what you are dealing with is key in the early
stages to allow you to manage the next steps around your communications.

While it is important to act without delay, do not rush to make information
about a data breach incident available until you have been able to verify
it. Internally, communications need to take a structured approach to
support a swift investigation and establish exactly what data has been
compromised, and to what extent.  You will also need to identify and notify
those in the organisation who need to be involved in that investigation,
and plan the different lines of enquiry each is to pursue to cover off all
eventualities quickly and effectively.

Clearly, it becomes a lot easier to be responsive in a post-security breach
setting if your business already has a good grip on what data it holds,
where it is held and any pre-identified potential vulnerabilities within
your technological systems and operational processes.  Changes to the data
protection legislation within the next 12 months will require organisations
to be much more self-aware and transparent about their data assets.
Getting this aspect of good data governance right, in advance of any
incident occurring, would put any business in a much stronger position to
react to a breach in the manner that the regulator expects.

Given the dependence on third parties to handle and process data as part of
an outsourced service, knowing the details of the data held, how it is held
and where, is the kind of reassurance any service provider will need to be
able to disclose.

Under current laws, there is no mandatory requirement to notify the
regulator, the Information Commissioner’s Office (ICO), or the individuals
affected by a data security breach.  However, changes to the data
protection laws, coming into effect with the General Data Protection
Regulation on 25th May 2018, will require any business that experiences a
data breach to report it to the ICO within 72 hours of becoming aware of
it, and then to notify the affected individuals if the breach is likely to
impact on their rights and/or freedoms.  There are some exemptions to these
new mandatory notification requirements that need early consideration, but
these are very limited in scope.  In turn, this will mean that having a
rapid response approach to breaches will become even more critical in the
near future.

Once you’ve determined which legal requirements you are required to fulfil
regarding notifying the ICO and affected individuals, and while ensuring
you are not disclosing any confidential information, key messages to be
relayed publicly should be kept short and to the point, and aim to include:

- any reassurances you can give regarding how serious the breach is;
- general information you can give about what type of data is affected; and
- advice to individuals on how to prevent identity fraud that may occur as
a result of the information which may have been compromised being used.

This information should only be issued in a manner that does not impact on
any ongoing investigation into the incident itself, or any attempts to
further protect systems and data following the breach.  However, if you are
able to confirm that no payment related data, or medical or health related
data is involved for example, this can be a useful message to begin
reassuring the public.

You should also provide information regarding the communication that
affected individuals can expect from your business following the breach.
Where possible, share security assurances such as confirming that you won’t
be contacting any of your employees or customers via email or phone asking
for passwords or account details in the coming weeks.  This will provide
reassurance to your community; it shows that you care about their
individual safety and that you are working towards a solution.  If personal
passwords have been compromised, sharing details of how users can change
their passwords is also a good place to start.

Finally, it’s worth bearing in mind that it’s not just the breach and
resulting investigation that needs your attention during the immediate
incident response phase, but also the channels of communication you use to
contact the affected individuals to educate and inform them about the
situation.  It’s important to think about how best you can ensure that any
messages surrounding the data breach efficiently reach those who may be
affected.  In addition to a press statement, you should also consider
issuing information to your customers and employees either via an email
newsletter, by post, or even a banner and news article on your website
homepage.  This will ensure that the message reaches anyone affected as
quickly and as transparently as possible.