Data Protection Act
Data security breach management

The seventh data protection principle requires that organisations processing personal data take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. One of those measures should be the adoption of a policy on dealing with a data security breach. This guidance note sets out some of the things an organisation needs to consider in the event of a data security breach. This note is not intended as legal advice, nor is it a comprehensive guide to information security. It should, however, assist organisations in deciding on an appropriate course of action if a breach occurs.

A data security breach can happen for a number of reasons:
- Loss or theft of data or equipment on which data is stored
- Inappropriate access controls allowing unauthorised use
- Equipment failure
- Human error
- Unforeseen circumstances such as a fire or flood
- Hacking attack
- Blagging offences, where information is obtained by deceiving the organisation who holds it

However the breach occurred, there are four important elements to any breach management plan:
1. Containment and recovery
2. Assessment of ongoing risk
3. Notification of breach
4. Evaluation and response

1. Containment and recovery

Data security breaches will require not just an initial response to investigate and contain the situation but also a recovery plan including, where necessary, damage limitation. This will often involve input from specialists across the business such as IT, HR and legal and, in some cases, contact with external stakeholders and suppliers. Consider the following:
- Decide on who should take the lead on investigating the breach and ensure they have the appropriate resources.
- Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. This could be isolating or closing a compromised section of the network, finding a lost piece of equipment or simply changing the access codes at the front door.
- Establish whether there is anything you can do to recover any losses and limit the damage the breach can cause. As well as the physical recovery of equipment, this could involve the use of backup tapes to restore lost or damaged data, or ensuring that staff recognise when someone tries to use stolen data to access accounts.

PO Box 69, Douglas, Isle of Man, IM99 1EQ T: +44 1624 693260 W: inforights.im E: ask@inforights.im
- Where appropriate, inform the police.

2. Assessing the risks

Some data security breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. An example might be where a laptop is irreparably damaged but its files were backed up and can be recovered, albeit at some cost to the business. While these types of incidents can still have significant consequences, the risks are very different from those posed by, for example, the loss of a laptop or portable media containing personal data which may be used to commit identity fraud or cause damage and distress to the individuals concerned.

Before deciding on what steps are necessary further to immediate containment, assess the risks that may be associated with the breach. Perhaps most important is an assessment of potential adverse consequences for individuals, how serious or substantial these are and how likely they are to happen. The following points are also likely to be helpful in making this assessment:
- What type of data is involved?
- How sensitive is it? Some data is sensitive because of its very personal nature (health records), while other data types are sensitive because of what might happen if it is misused (bank account details).
- If data has been lost or stolen, are there any protections in place such as encryption?
- What has happened to the data? If data has been stolen it could be used for purposes that are harmful to the individuals to whom the data relate; if it has been damaged, this poses a different type and level of risk.
- Regardless of what has happened to the data, what could the data tell a third party about the individual? Sensitive data could mean very little to an opportunistic thief, while the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people.
- How many individuals' personal data are affected by the breach? It is not necessarily the case that the bigger risks will accrue from the loss of large amounts of data, but it is a factor in the overall risk assessment.
- Who are the individuals whose data has been breached? Whether they are staff, customers, clients or suppliers, for example, will to some extent determine the level of risk posed by the breach and, therefore, your actions in attempting to mitigate those risks.
- What harm can come to those individuals? Are there risks to their physical safety, mental or physical health, social reputation, or financial loss, or a combination of these and other aspects of their life?
- Are there wider consequences to consider, such as a risk to public health or loss of public confidence, or trust, in an important service you provide?

If individuals' bank details have been lost, consider contacting the banks for advice on anything they can do to help you prevent fraudulent use.

3. Notification of breaches

Informing people and organisations that you have experienced a data security breach can be an important element in your breach management strategy. However, informing people about a breach is not an end in itself. Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.

The following questions may assist organisations in deciding whether to notify individuals:
- Are there any legal or contractual requirements? There may be sector specific rules that lead you towards issuing a notification.
- Can notification help the individual? Bearing in mind the potential effects of the breach, could individuals act on the information you provide to mitigate risks, for example by cancelling a credit card or changing a password?
- If a large number of people are affected, sensitive personal data is involved or there are serious consequences, you should inform the ODPS, although there is no legal requirement to do so.
- Consider how notification can be made in an appropriate manner for particular groups of individuals, for example, if you are notifying children or vulnerable adults.
- Have you considered the dangers of over-notifying? Not every incident will warrant notification, and notifying may cause disproportionate enquiries and work.

You also need to consider who to notify, what you are going to tell them and how you are going to communicate the message. This will depend to a large extent on the nature of the breach, but the following points may be relevant to your decision:
- Make sure you notify the appropriate regulatory body. A sector specific regulator may require you to notify them of any type of breach, but the ODPS should only be notified when the breach involves personal data.
- There are a number of different ways to notify those affected, so consider using the most appropriate one. Always bear in mind the security of the medium as well as the urgency of the situation.
- Your notification should at the very least include a description of how and when the breach occurred and what data was involved.
- When notifying individuals, give specific and clear advice on the steps they can take to protect themselves and also what you are willing to do to help them.
- Provide a way in which they can contact you for further information or to ask you questions about what has occurred; this could be a helpline number or a web page, for example.

You might also need to consider notifying third parties such as the police, insurers, professional bodies, bank or credit card companies who can assist in reducing the risk of financial loss to individuals.

At the time of writing (2014) there is no obligation to advise the ODPS of a data breach. However, many breaches are voluntarily reported and this can be of benefit to the organisation when the ODPS receives communications from individuals who have been affected by the data breach. A data breach can have a significant impact on the trust and confidence of the individuals affected, and experience would show that individuals react differently when the ODPS can advise that it has already been made aware of the incident and that it is being dealt with by the organisation.

When deciding whether to notify the ODPS of the breach you should consider the following:
- Potential harm to data subjects. This is the overriding consideration in deciding whether a breach should be reported. Harm may be caused in many ways, including:
  - Exposure to identity theft
  - Information about the private aspects of a person's life becoming known to others
  The extent of harm, which can include distress, is dependent on both the sensitivity and volume of the information.
- Security of the information, for example, was the information secured in any way, such as password protection or encryption?
When notifying the ODPS you should include details of:
- the type of information and number of individuals affected
- the circumstances of the breach
- details of security measures, policies and/or procedures in place at the time
- action taken to minimise/mitigate the effect on individuals affected, including whether they have been informed
- how the breach is being investigated
- whether any other regulatory body has been informed
- remedial action to prevent future occurrences

You should also inform us if the media are aware of the breach so that we can manage any increase in enquiries from the public. When informing the media, it is useful to inform them whether you have contacted the ODPS and what action is being taken.

4. Evaluation and response

It is important not only to investigate the causes of the breach but also to evaluate the effectiveness of your response to it.
If the breach was caused, even in part, by systemic and ongoing problems, then simply containing the breach and continuing business as usual is clearly not acceptable. Similarly, if your response was hampered by inadequate policies or a lack of a clear allocation of responsibility, then it is important to review and update these policies and lines of responsibility in the light of experience. You may find that existing procedures could lead to another breach and you will need to identify where improvements can be made. The following points may assist you:
- Make sure you know what personal data is held and where and how it is stored. Dealing with a data security breach is much easier if you know which data are involved.
- Establish where the biggest risks lie. For example, how much sensitive personal data do you hold? Do you store data across the business or is it concentrated in one location?
- Risks will arise when sharing with or disclosing to others. You should make sure not only that the method of transmission is secure but also that you only share or disclose the minimum amount of data necessary. By doing this, even if a breach occurs, the risks are reduced.
- Identify weak points in your existing security measures, for example, the use of portable storage devices or access to public networks.
- Monitor staff awareness of security issues and look to fill any gaps through training or tailored advice.
- Consider whether you need to establish a group of technical and non-technical staff to discuss "what if" scenarios. This would highlight risks and weaknesses as well as giving staff at different levels the opportunity to suggest solutions.
- If your organisation already has a Business Continuity Plan for dealing with serious incidents, consider implementing a similar plan for data security breaches. It is recommended that at the very least you identify a group of people responsible for reacting to reported breaches of security.