Data breach summary steps: Hiscox's Data Breach Experts
Knowing what to do in the event of a data breach (security incident) can make the situation much less daunting when it may seem like your house is falling down around you. As part of your Hiscox Data Risks policy, we have produced this UK Incident RoadMap. It can sit alongside your own more detailed Incident Response Plan and help your Incident Response Team manage a security incident. This Incident RoadMap could also be used as a basis for your Incident Response Plan, as a training aid or as a practical guide.

Note, however, that this is a broad guidance checklist and is not intended to provide legal advice. The circumstances of any security incident can vary widely and specific advice should be sought in particular cases. It is important that you consider early on what external advice is required and whether any of the following actions will need to run simultaneously.

IMPORTANT: Complying with the guidance in this note does not remove your need to notify Hiscox. You should check the wording of your policy to ensure that any obligations are complied with.

With a growing number of security incidents, it is good practice to prepare and adopt an Incident Response Plan in advance of it being required, so that you can quickly contact your core team (i.e. the lead identified in the Incident Response Team) and move into action immediately once you are made aware of problems. In these cases speed can be of the essence. The Information Commissioner has the power to impose financial penalties on an organisation if satisfied that there has been a serious breach of one or more of the data protection principles by the organisation and the breach was likely to cause substantial damage or distress. The possibility of a penalty can be exacerbated by a failure to handle a breach properly. One of the first steps to take when you suspect a security incident is to notify the Incident Response Team, and all staff should know how to do so.
The core team should consist of employees from a number of departments across the organisation, for example legal, IT Security, audit, finance, HR and public relations. It is important to appoint one person as the leader of the Incident Response Team and that person should be responsible for managing any communications to people outside this core team. In most cases, the Incident Response Team will not only involve your local Hiscox Data Risks Expert, but also our specialist partners, which may include IT forensics, legal experts, public relations, call centre, notification and credit protection service providers.
Actions

1. Decide who should take the lead on dealing with the security incident, ensuring they have the authority and, if necessary, the budget to employ the appropriate resources. Ensure that the lead informs one person from the senior management team (CEO, COO, CIO etc.) about the security incident.

2. Establish who within the organisation, and externally beyond your Incident Response Team, needs to be made aware of the security incident and inform them of what they are expected to do to assist. Advise team members and others to observe confidentiality until you have made any disclosure decision.

3. Assess whether your organisation acts as a data controller or a data processor. If you are the data processor, the relevant data controller should be notified about the security incident. The onus will be on the data controller to determine the response to the security incident. It is possible that there could be multiple data processors and data controllers.

4. Ensure that every person provided with information about the security incident understands the need for confidentiality.

5. Do not broadcast the problem until the situation and the relevant factors are established. In particular, beware of tipping off anyone who might be able to take advantage of weaknesses in systems.

6. Consider whether either in-house or external expertise is required. Remember that in-house legal advice will not be protected by legal professional privilege.

7. Task the security / IT support team to provide an immediate response to assess the best way to rectify the security incident and, if the security incident poses a continuing risk, ensure that this is done as a matter of urgency. The security / IT team should also be tasked to investigate the cause of the identified weakness, limit the damage and recover lost data if possible. When possible, retain, isolate and make back-ups of the systems and information affected by the security incident. The investigation and remedial action will be fact specific and the project may have to be done in stages. Set timelines for reports, and ensure all issues / considerations / actions are appropriately recorded.

8. Throughout the process ensure that all investigations are properly documented and could be made available for subsequent review or audit.

Risk assessment

1. Assess your contractual obligations and liabilities if you are a data processor and, if you are the data controller, what contractual obligations and liability any data processors may have in connection with the security incident.

2. Carry out an initial risk assessment which can be added to as the IT / security reports become available. In doing so have regard to the guidance from the Information Commissioner's Office and any other regulatory guidance. Consider:

a. What type of information is involved? Is it commercial or personal?

b. What can happen to the information? How could it be used to a detrimental effect? What actions could be taken to deal with those effects?

c. How many individuals' personal data are affected by the security incident?

d. If data has been lost or stolen, are there any safeguards in place such as encryption?

e. Is it a 'serious breach' in terms of the DPA? For serious breaches of the DPA, the Commissioner, in addition to its other powers under the DPA, can impose monetary penalties of up to £500,000. A serious breach will include where the data controller either:

i. deliberately contravened the Data Protection Act; or

ii. knew or ought to have known that there was a risk the contravention would occur, and that it would be likely to cause substantial damage or distress, but still failed to take reasonable steps to prevent it from happening.
Notification

1. Consider whether you have obligations to notify others of the security incident and who might need to be notified. Those you may need to notify might be regulators, commercial partners, joint controllers, individual shareholders, customers or third parties such as the police, insurers or trade unions. List all and note your decision. In particular consider:

a. Have there been any criminal activities and, if so, have the police been notified?

b. Are you subject to FSA or PCI DSS obligations?

c. Are you a provider of telecommunications that has to comply with the Privacy and Electronic Communications Regulations?

d. Do you have contractual obligations to any party?

e. Do you have common law obligations to any party? For example, has any confidential information been disclosed?

f. Do you have sector or other policy obligations to notify the ICO?

g. Do you consider you should voluntarily notify the ICO?

h. Consider notifying other stakeholders.

2. If you are notifying individuals, consider whether you would need to notify the ICO.

3. Ensure that, if notification is chosen, the material submitted to regulators meets the requirements stated in any guidance.

4. Consider how notification can be made appropriate for particular groups of individuals. If you are notifying a commercial partner, can you agree on confidentiality?

Control of communications

1. If the security incident is going to become public, consider how you handle the PR and ensure that all public interfaces are appropriately managed.

2. If you are notifying individuals, consider having a press statement ready before you do so. You may also need to set up a call centre to deal with queries, giving the staff pre-prepared scripts to handle frequently asked questions.

Evaluation

1. Report upwards in the organisation in an appropriate manner and ensure all decisions are signed off at an appropriate level.

2. Review any HR implications, for example if the weakness was caused by failure by staff to meet company security or IT use standards.

3. Ensure that the remedial action deals with both putting any weakness right and closing any loopholes in the processes and systems. This may include updating existing policies to reflect lessons learned from the security incident.

4. Consider whether staff issues are involved or disciplinary matters arise.

5. Monitor staff awareness of security issues and look to fill any gaps through training or tailored advice.

6. Evaluate the performance of the Incident Response Team in dealing with the security incident.
Hiscox's Expert Partners

In the unlikely event that you are unable to reach the Hiscox Data Risks Team, you may wish to contact a legal, forensic or PR expert for initial advice. In this instance, you can contact any of the firms below.

Law Firms

Pinsent Masons
Pinsent Masons Cyber and Data Breach Email: breach@pinsentmasons.com
Contact 1: Marc Dautlich
Email: Marc.dautlich@pinsentmasons.com
Office: +44 20 7490 6533
Mobile: +44 7984 405672
Contact 2:
Email: ian.birdsey@pinsentmasons.com
Office: +44 20 7490 6446
Mobile: +44 7584 385496

Wragge Lawrence Graham & Co
Contact 1: Kirsten Whitfield
Email: kirsten.whitfield@wragge-law.com
Office: +44 121 685 2705
Mobile: +44 7921 881345
Contact 2: Patrick Arben
Email: patrick.arben@wragge-law.com
Office: +44 121 393 0011
Mobile: +44 7921 881438

IT Forensics

KPMG
Contact 1: Darren Pauling
Email: darren.pauling@kpmg.co.uk
Office: +44 20 7694 5565
Mobile: +44 7920 587305
Contact 2: Aaron Stowell
Email: Aaron.stowell@kpmg.co.uk
Office: +44 20 7311 8304
Mobile: +44 7917 093571

Stroz Friedberg
Contact 1: Seth Berman
Email: sberman@strozfriedberg.co.uk
Office: +44 20 7061 2300
Mobile: +44 7590 808353
Contact 2: Spencer Lynch
Email: slynch@strozfriedberg.co.uk
Office: +44 20 7061 2304
Mobile: +44 7538 468636

PR

Hill & Knowlton
Contact 1: Giles Read
Email: giles.read@hkstrategies.com
Office: +44 20 7413 3789
Mobile: +44 7717 483722
Contact 2: Tim Luckett
Email: tim.luckett@hkstrategies.com
Office: +44 20 7973 4443
Mobile: +44 7976 693134

Reminder: This document is a broad guidance checklist and is not intended to provide legal advice.