Any organization can suffer a data breach, whether it is as simple as a misdirected email or a cyber-attack that steals and exposes confidential data. The repercussions can be serious. Typically, data breaches are caused by:
- Innocent mistakes – an employee emailing confidential information to the wrong person
- Malicious insider – an unhappy or former employee purposely creating the breach
- Hacking – the most talked about kind of data breach: a malicious third party committing intentional cybercrime to steal data, with the potential to cause reputational damage, loss of business, and disciplinary action. A ransom is often requested to get the data back.
ICO/DPC expectations for a data breach
In the event of a data breach:
- You need to be able to detect, investigate, risk-assess, and record any breaches.
- You must centrally log/record/document both actual breaches and near misses (even if they do not need to be reported to the ICO or individuals).
- If you consider it unnecessary to report a breach, you must document the reasons why your organization considers the breach unlikely to result in a risk to the rights and freedoms of individuals.
- You must show how you analyze all personal data breach reports to prevent a recurrence.
- You must report breaches as appropriate.
- You must have procedures in place to assess all security incidents and report relevant breaches to the ICO within 72 hours (even when all the information is not yet available).
- You must record how you notified affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
How effective are your data breach accountability measures?
- Could staff explain what constitutes a personal data breach and could they identify one?
- Do they know how to report an incident?
- Are staff aware of the policies and procedures and are they easy to find?
- Do staff understand how to conduct the risk assessment?
- Do they know when a breach needs to be reported to the ICO/DPC?
- Do you analyze all personal data breach reports to prevent a recurrence?
- Do you record the recommendations that are made, and if and when they are actioned?
- Do you have procedures in place to detect, manage, and appropriately record data incidents and breaches?
- Can your employees escalate a breach notification?
- Does your logging, recording, documenting, and actioning of breach data have a full audit trail that is easily searchable?
- Can you clearly see who is responsible for what actions?
HOW WATERFORD TECHNOLOGIES SOFTWARE MEETS REGULATORY EXPECTATIONS
Our ComplyKEY data breach software provides a framework and the means to record, investigate, and manage breaches and, most importantly, to demonstrate intent to prevent repeat occurrences and improve processes, keeping the regulatory bodies at bay. It achieves this by:
Detecting, managing, and recording incidents and breaches
- A central dashboard giving a high-level summary of all actual breaches and near misses (even if they do not need to be reported to the ICO or individuals).
- Dedicated roles or team access to manage security incidents and personal data breaches.
- Easy escalation of a security incident to the appropriate person or team to determine whether a breach has occurred.
Assessing and reporting breaches
- In-workflow steps to notify the relevant authority of a breach within 72 hours of becoming aware of it.
- In-workflow guidance on whether or not to report a breach.
- Clear in-workflow guidance on what information must be given to the ICO about the breach.
- Clear documentation on each breach, whether reported or not.
- A safe, secure hub to document the reasons why your organization considers a breach likely or unlikely to result in a risk to the rights and freedoms of individuals.
Reviewing and monitoring
- Analyse all personal data breach reports to prevent a recurrence. Monitor the type, volume, and cost of incidents.
- A central dashboard to understand data breach themes or issues over time. This analysis can be reviewed by groups with oversight for data protection and information governance.
Internal audit program
- Monitor your own data protection compliance, and regularly test the effectiveness of the measures you have in place.
Email archiving with MailMeter ensures that you don’t lose access to your emails.