My business has had a data security breach, what do I do now?

Any type of data breach, whether due to an external hacking incident or an internal staff error, is a significant issue that needs immediate attention.  A key aspect of the legal requirements surrounding a data breach is to demonstrate that your business or organisation takes the issue very seriously and is proactively seeking to not only protect any individuals who may be affected, but is also taking active steps to improve systems and processes quickly to prevent a similar issue occurring again.  Communications following a data breach, both internally and externally, need to be carefully managed to convey these key messages effectively.    

In the immediate aftermath of a breach the most important thing to establish, as quickly as possible, is exactly what data has been compromised and the number of individuals affected.      

You need to focus on confirming exactly what has happened and how any risks created can be mitigated, prepare your public and internal statements, and reassure your customers and employees that you are in control of the situation.  Knowing precisely what you are dealing with is key in the early stages to allow you to manage the next steps around your communications.    

While it is important to act without delay, do not rush to make information about a data breach incident available until you have been able to verify it. Internally, communications need to take a structured approach to support a swift investigation and establish exactly what data has been compromised, and to what extent.  You will also need to identify and notify those in the organisation who need to be involved in that investigation, and plan the different lines of enquiry each is to pursue to cover off all eventualities quickly and effectively. 

Clearly, it becomes a lot easier to be responsive in a post-security breach setting if your business already has a good grip on what data it holds, where it is held and any pre-identified potential vulnerabilities within your technological systems and operational processes.  Changes to the data protection legislation within the next 12 months will require organisations to be much more self-aware and transparent about their data assets.  Getting this aspect of good data governance right, in advance of any incident occurring, would put any business in a much stronger position to react to a breach in the manner that the regulator expects.    

Given the dependence on third parties to handle and process data as part of an outsourced service, knowing the details of the data held, how it is held and where, is the kind of reassurance any service provider will need to be able to disclose. 

Under current laws, there is no mandatory requirement to notify the regulator, the Information Commissioner’s Office (ICO), or the individuals affected by a data security breach.  However, changes to the data protection laws, coming into effect with the General Data Protection Regulation on 25th May 2018, will require any business that experiences a data breach to report it to the ICO within 72 hours of becoming aware of it, and then to notify the affected individuals if the breach is likely to impact on their rights and/or freedoms.  There are some exemptions to these new mandatory notification requirements that need early consideration, but these are very limited in scope.  In turn, this will mean that having a rapid response approach to breaches will become even more critical in the near future. 

Once you’ve determined which legal requirements you are required to fulfil regarding notifying the ICO and affected individuals, and while ensuring you are not disclosing any confidential information, key messages to be relayed publicly should be kept short and to the point, and aim to include: 

  • any reassurances you can give regarding how serious the breach is;  l
  •  general information you can give about what type of data is affected; and   
  • advice to individuals on how to prevent identity fraud that may occur as a result of using the information which may have been compromised. 

This information should only be issued in a manner that does not impact on any ongoing investigation into the incident itself, or any attempts to further protect systems and data following the breach.  However, if you are able to confirm that no payment related data, or medical or health related data is involved for example, this can be a useful message to begin reassuring the public.  

You should also provide information regarding the communication that affected individuals can expect from your business following the breach.  Where possible, share security assurances such as confirming that you won’t be contacting any of your employees or customers via email or phone asking for passwords or account details in the coming weeks.  This will provide reassurance to your community; it shows that you care about their individual safety and that you are working towards a solution.  If personal passwords have been compromised, sharing details of how users can change their passwords is also a good place to start. 

Finally, it’s worth bearing in mind that it’s not just the breach and resulting investigation that needs your attention during the immediate incident response phase, but also the channels of communication you use to contact the affected individuals to educate and inform them about the situation.  It’s important to think about how best you can ensure that any messages surrounding the data breach efficiently reach those who may be affected.  In addition to a press statement, you should also consider issuing information to your customers and employees either via an email newsletter, by post, or even a banner and news article on your website homepage.  This will ensure that the message reaches anyone affected as quickly and as transparently as possible. 

Emma Roe, Partner and Head of Commercial at Shulmans LLP   

Image Credit: Balefire / Shutterstock