HOW TO MANAGE A DATA BREACH

Transcription

1 MANAGING COMPLIANCE RISK IN A RAPIDLY CHANGING ENVIRONMENT HOW TO MANAGE A DATA BREACH FRIDAY 17 JUNE

2 2

3 What is a data breach? Unauthorised disclosure Inappropriate access Loss Destruction Alteration Theft Examples Personal data sent to the wrong address Loss of laptop, usb (memory) key or paper records Transfer of personal data to a third party without consent Unauthorised access to systems (cyber attack / hacking) 3

4 Your obligations The Data Protection Acts 1988 and 2003 (Section 2(1)(d) of 1988 Act as amended by Section 3 of 2003 Act) place a specific obligation on Data Controllers to take appropriate measures to protect the security of personal data. The Data Protection Commissioner s Personal Data Security Breach Code of Practice helps organisations to act appropriately when they become aware of breaches of security involving client or employee personal data. 4

5 What to do if you become aware of a breach 1. Don t panic 2. Establish if personal data has been compromised 3. Give immediate consideration to informing those affected 4. Report to the Data Protection Commissioner within two working days of becoming aware of the breach 5. Investigate: what (data), who (clients), how, when 6. Escalate internally 7. Remediate: preventative controls 5

6 The focus of the Office of the Data Protection Commissioner in such cases is on the rights of the affected individuals. Notification to the Office of the Data Protection Commissioner allows them to advise at an early stage how best to deal with the breach and remediation. Notifying affected individuals allows them to consider the potential consequences and take appropriate measures. 6

7 Notification to Data Subjects Notification should contain information concerning: The nature of the breach Recommended measures to mitigate possible adverse effects A contact point for further assistance This can be a public notification (website or media) where individuals are not immediately identifiable. 7

8 Exceptions to the requirement to notify data subjects If the data concerned is protected by technological measures the data controller may conclude that there is no risk to the data and no need to inform data subjects. Such a conclusion would only be justified where the technological measures (such as encryption) were of a high standard i.e. make the data unintelligible to anyone not authorised to access it. 8

9 Initial notification to the Data Protection Commissioner The Code of Practice sets a timeframe of two working days to inform the DPC after becoming aware of the breach. Some incidents may take a considerable period to fully investigate and resolve. For initial notification to the DPC all that is required is a description of the known facts and the steps taken to address the issue. Note that no personal data should be included. 9

10 Exceptions to the requirement to notify the Data Protection Commissioner The only exceptions are when the data subjects have been informed without delay. the loss affects no more than 100 data subjects. the loss does not involve sensitive or financial personal data. 10

11 Outsourcing / Data Processors Data processing contracts should contain a requirement for processors to report any breaches involving personal data to you, the data controller, as soon as they become aware of them. Section 2(3)(a) Data Protection Acts 11

12 Investigate, Remediate & Document Keep a log of data breaches brief summary record Investigate to establish: how the incident occurred what data was affected which customers or employees were affected and what additional controls can be put in place to prevent a reoccurrence (root cause analysis) Implement remediation plan 12

13 Put a Data Breach Policy in place Include a clear escalation process Circulate and educate 13

14 For Further Information See the Data Protection Commissioner s website Useful information on practical examples of prior breaches can be found in the case study section under the heading Security of Data. 14

15 15

16 IPB Insurance 1 Grand Canal Square Grand Canal Harbour Dublin 2, Ireland Tel: Fax: info@ipb.ie