[BreachExchange] My business has had a data breach, what next?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 17 19:17:25 EDT 2017


http://www.continuitycentral.com/index.php/news/technology/2232-my-business-has-had-a-data-breach-what-next

Any type of data breach, whether due to an external hacking incident or an
internal staff error, is a significant issue that needs immediate
attention.  A key aspect of the legal requirements surrounding a data
breach is to demonstrate that your business or organization takes the issue
very seriously and is proactively seeking to not only protect any
individuals who may be affected, but is also taking active steps to improve
systems and processes quickly to prevent a similar issue occurring again.

Communications following a data breach, both internally and externally,
need to be carefully managed to convey these key messages effectively.

In the immediate aftermath of a breach the most important thing to
establish, as quickly as possible, is exactly what data has been
compromised and the number of individuals affected.

You need to focus on confirming exactly what has happened and how any risks
created can be mitigated, prepare your statement and reassure your
customers and employees that you are in control of the situation.

Knowing precisely what you are dealing with is key in the early stages to
allow you to manage the next steps around communication.  Whilst it is
important to act without delay, don’t feel that you need to rush to make
available information about a data breach incident until you have been able
to verify it. Internally, communications need to take a structured approach
to support a swift investigation and establish exactly what data has been
compromised and to what extent.

Under current UK laws there is no mandatory requirement to notify the
regulator, the Information Commissioner’s Office (ICO), or the individuals
affected. However, changes to the data protection laws, which will come
into effect within the next 12 months, will require any business that
experiences a data breach to report it to the ICO within 72 hours of
becoming aware of it, and then to notify affected individuals if the breach
is likely to impact on their rights and/or freedoms. In turn, this will
mean that having a rapid response approach to breaches will become even
more critical in the near future.

Once you’ve determined which legal requirements you are required to fulfil
regarding notifying the ICO and affected individuals, and whilst ensuring
you are not disclosing any confidential information, key messages to be
relayed publicly should be kept short and aim to include:

Any reassurances you can give regarding how serious the breach is;
General information you can give about what type of data is affected;
Advice to individuals on how to prevent identity fraud which could occur as
a result of using the information which may have been compromised.

This information should only be issued in a manner which does not impact on
any ongoing investigation into the incident itself or any attempts to
further protect systems and data following the breach.  However, if you are
able to confirm that no payment-related data, or medical or health-related
data is involved, this can be a useful message to begin reassuring the
public.

You should also provide information regarding the communication that the
affected individuals can expect from your business following the breach.
Where possible, share security assurances such as confirming that you won’t
be contacting any of your employees or customers via email or phone asking
for passwords or account details in the coming weeks.  This will provide
reassurance to your community; it shows that you care about their
individual safety and that you are working towards a solution.  If personal
passwords have been compromised, sharing details of how users can change
their passwords is also a good place to start.

Finally, it’s worth bearing in mind that it’s not just the breach that
needs your attention during the immediate incident response phase, but also
the channels of communication you use to contact the affected individuals
to educate and inform them about the situation.  It’s important to think
about how best you can ensure that any messages surrounding the data breach
efficiently reach those who may be affected.  In addition to a press
statement, you should also consider issuing information to your customers
and employees either via an email newsletter, by post, or even a banner and
news article on your website homepage.  This will ensure that the message
reaches anyone affected as quickly and as transparently as possible.