Data Protection Act Data security breach management

Transcription

1 Data Prtectin Act Data security breach management The seventh data prtectin principle requires that rganisatins prcessing persnal data take apprpriate measures against unauthrised r unlawful prcessing and against accidental lss, destructin f r damage t persnal data. One f thse measures shuld be the adptin f a plicy n dealing with a data security breach. This guidance nte sets ut sme f the things an rganisatin needs t cnsider in the event f a data security breach. This nte is nt intended as legal advice, nr is it a cmprehensive guide t infrmatin security. It shuld, hwever, assist rganisatins in deciding n an apprpriate curse f actin if a breach ccurs. A data security breach can happen fr a number f reasns: Lss r theft f data r equipment n which data is stred Inapprpriate access cntrls allwing unauthrised use Equipment failure Human errr Unfreseen circumstances such as a fire r fld Hacking attack Blagging ffences where infrmatin is btained by deceiving the rganisatin wh hlds it Hwever the breach ccurred there are fur imprtant elements t any breach management plan: 1. Cntainment and recvery 2. Assessment f nging risk 3. Ntificatin f breach 4. Evaluatin and respnse 1. Cntainment and recvery Data security breaches will require nt just an initial respnse t investigate and cntain the situatin but als a recvery plan including, where necessary, damage limitatin. This will ften invlve input frm specialists acrss the business such as IT, HR and legal and, in sme cases, cntact with external stakehlders and suppliers. Cnsider the fllwing: Decide n wh shuld take the lead n investigating the breach and ensure they have the apprpriate resurces. Establish wh needs t be made aware f the breach and infrm them f what they are expected t d t assist in the cntainment exercise. This culd be islating r clsing a cmprmised sectin f the netwrk, finding a lst piece f equipment r simply changing the access cdes at the frnt dr. Establish whether there is anything yu can d t recver any lsses and limit the damage the breach can cause. As well as the physical recvery f equipment, this culd invlve the use f back up tapes t restre lst r damaged data r ensuring that staff recgnise when smene tries t use stlen data t access accunts. PO Bx 69, Duglas, Isle f Man, IM99 1EQ T: W: infrights.im E: [email protected] 1

2 Where apprpriate, infrm the plice. 2. Assessing the risks Sme data security breaches will nt lead t risks beynd pssible incnvenience t thse wh need the data t d their jb. An example might be where a laptp is irreparably damaged but its files were backed up and can be recvered, albeit at sme cst t the business. While these types f incidents can still have significant cnsequences the risks are very different frm thse psed by, fr example, the lss f a laptp r prtable media cntaining persnal data which may be used t cmmit identity fraud r cause damage and distress t the individuals cncerned. Befre deciding n what steps are necessary further t immediate cntainment, assess the risks that may be assciated with the breach. Perhaps mst imprtant is an assessment f ptential adverse cnsequences fr individuals, hw serius r substantial these are and hw likely they are t happen. The fllwing pints are als likely t be helpful in making this assessment: What type f data is invlved? Hw sensitive is it? Sme data is sensitive because f its very persnal nature (health recrds) while ther data types are sensitive because f what might happen if it is misused (bank accunt details) If data has been lst r stlen, are there any prtectins in place such as encryptin? What has happened t the data? If data has been stlen it culd be used fr purpses that are harmful t the individuals t whm the data relate; if it has been damaged, this pses a different type and level f risk Regardless f what has happened t the data, what culd the data tell a third party abut the individual? Sensitive data culd mean very little t an pprtunistic thief while the lss f apparently trivial snippets f infrmatin culd help a determined fraudster build up a detailed picture f ther peple Hw many individuals persnal data are affected by the breach? It is nt necessarily the case that the bigger risks will accrue frm the lss f large amunts f data but is a factr in the verall risk assessment Wh are the individuals whse data has been breached? Whether they are staff, custmers, clients r suppliers, fr example, will t sme extent determine the level f risk psed by the breach and, therefre, yur actins in attempting t mitigate thse risks What harm can cme t thse individuals? Are there risks t their physical safety, mental r physical health, scial reputatin, r financial lss r a cmbinatin f these and ther aspects f their life? PO Bx 69, Duglas, Isle f Man, IM99 1EQ T: W: infrights.im E: [email protected] 2

3 Are there wider cnsequences t cnsider such as a risk t public health r lss f public cnfidence, r trust, in an imprtant service yu prvide? If individuals bank details have been lst, cnsider cntacting the banks fr advice n anything they can d t help yu prevent fraudulent use. 3. Ntificatin f breaches Infrming peple and rganisatins that yu have experienced a data security breach can be an imprtant element in yur breach management strategy. Hwever, infrming peple abut a breach is nt an end in itself. Ntificatin shuld have a clear purpse, whether this is t enable individuals wh may have been affected t take steps t prtect themselves r t allw the apprpriate regulatry bdies t perfrm their functins, prvide advice and deal with cmplaints. The fllwing questins may assist rganisatins in deciding whether t ntify individuals: Are there any legal r cntractual requirements? There may be sectr specific rules that lead yu twards issuing a ntificatin. Can ntificatin help the individual? Bearing in mind the ptential effects f the breach, culd individuals act n the infrmatin yu prvide t mitigate risks, fr example by cancelling a credit card r changing a passwrd? If a large number f peple are affected, sensitive persnal data is invlved r there are serius cnsequences, yu shuld infrm the ODPS, althugh there is n legal requirement t d s. Cnsider hw ntificatin can be made in an apprpriate manner fr particular grups f individuals, fr example, if yu are ntifying children r vulnerable adults. Have yu cnsidered the dangers f ver ntifying - nt every incident will warrant ntificatin and ntifying may cause disprprtinate enquiries and wrk. Yu als need t cnsider wh t ntify, what yu are ging t tell them and hw yu are ging t cmmunicate the message. This will depend t a large extent n the nature f the breach but the fllwing pints may be relevant t yur decisin: Make sure yu ntify the apprpriate regulatry bdy. A sectr specific regulatr may require yu t ntify them f any type f breach but the ODPS shuld nly be ntified when the breach invlves persnal data There are a number f different ways t ntify thse affected s cnsider using the mst apprpriate ne. Always bear in mind the security f the medium as well as the urgency f the situatin Yur ntificatin shuld at the very least include a descriptin f hw and when the breach ccurred and what data was invlved When ntifying individuals give specific and clear advice n the steps they can take t prtect themselves and als what yu are willing t d t help them PO Bx 69, Duglas, Isle f Man, IM99 1EQ T: W: infrights.im E: [email protected] 3

4 Prvide a way in which they can cntact yu fr further infrmatin r t ask yu questins abut what has ccurred this culd be a helpline number r a web page, fr example. Yu might als need t cnsider ntifying third parties such as the plice, insurers, prfessinal bdies, bank r credit card cmpanies wh can assist in reducing the risk f financial lss t individuals. At the time f writing (2014) there is n bligatin t advise the ODPS f a data breach. Hwever, many breaches are vluntarily reprted and this can be f benefit t the rganisatin when the ODPS receives cmmunicatins frm individuals wh have been affected by the data breach. A data breach can have a significant impact n the trust and cnfidence f the individuals affected and experience wuld shw that individuals react differently when the ODPS can advise that it has already been made aware f the incident and that is it being dealt with by the rganisatin. When deciding whether t ntify the ODPS f the breach yu shuld cnsider the fllwing: Ptential harm t data subjects This is the verriding cnsideratin in deciding whether a breach shuld be reprted. Harm may be caused in many ways, including: Expsure t identity theft Infrmatin abut the private aspects f a persn s life becming knwn t thers. The extent f harm, which can include distress, is dependent n bth the sensitivity and vlume f the infrmatin. Security f the infrmatin fr example, was the infrmatin secured in any way, such as passwrd prtectin r encryptin. When ntifying the ODPS yu shuld include details f: the type f infrmatin and number f individuals affected the circumstances f the breach details f security measures, plicies and/r prcedures in place at the time actin taken t minimise/mitigate the effect n individuals affected, including whether they have been infrmed hw the breach is being investigated whether any ther regulatry bdy has been infrmed remedial actin t prevent future ccurrences Yu shuld als infrm us if the media are aware f the breach s that we can manage any increase in enquiries frm the public. When infrming the media, it is useful t infrm them whether yu have cntacted the ODPS and what actin is being taken. 4. Evaluatin and respnse It is imprtant nt nly t investigate the causes f the breach but als t evaluate the effectiveness f yur respnse t it. PO Bx 69, Duglas, Isle f Man, IM99 1EQ T: W: infrights.im E: [email protected] 4

5 If the breach was caused, even in part, by systemic and nging prblems, then simply cntaining the breach and cntinuing business as usual is clearly nt acceptable. Similarly, if yur respnse was hampered by inadequate plicies r a lack f a clear allcatin f respnsibility then it is imprtant t review and update these plicies and lines f respnsibility in the light f experience. Yu may find that existing prcedures culd lead t anther breach and yu will need t identify where imprvements can be made. The fllwing pints may assist yu: Make sure yu knw what persnal data is held and where and hw it is stred. Dealing with a data security breach is much easier if yu knw which data are invlved. Establish where the biggest risks lie. Fr example, hw much sensitive persnal data d yu hld? D yu stre data acrss the business r is it cncentrated in ne lcatin? Risks will arise when sharing with r disclsing t thers. Yu shuld make sure nt nly that the methd f transmissin is secure but als that yu nly share r disclse the minimum amunt f data necessary. By ding this, even if a breach ccurs, the risks are reduced. Identify weak pints in yur existing security measures. Fr example, the use f prtable strage devices r access t public netwrks. Mnitr staff awareness f security issues and lk t fill any gaps thrugh training r tailred advice. Cnsider whether yu need t establish a grup f technical and nn-technical staff t discuss what if scenaris This wuld highlight risks and weaknesses as well as giving staff at different levels the pprtunity t suggest slutins. If yur rganisatin already has a Business Cntinuity Plan fr dealing with serius incidents, cnsider implementing a similar plan fr data security breaches. It is recmmended that at the very least yu identify a grup f peple respnsible fr reacting t reprted breaches f security. PO Bx 69, Duglas, Isle f Man, IM99 1EQ T: W: infrights.im E: [email protected] 5

6 PO Bx 69, Duglas, Isle f Man, IM99 1EQ T: W: infrights.im E: [email protected] 6