Data Breach: What to Do When You’re Attacked
It's critical, in this data-soaked world, to keep your data secure. Confidential delegate or employee details, such as names, addresses and even biometric details, need to be under lock and key - with access granted only to those who really need it. Whether you're using spreadsheets or dedicated software for training companies, the rules around the data you hold on delegates, and how you use it, are about to change.
The upcoming introduction of the General Data Protection Regulation (GDPR) also alters your responsibilities when you are hit by a data breach, so it's vital that you know when you've been attacked and how you should properly respond.
What is a data breach?
Many people believe that a data breach simply means personal information has been lost or stolen. However, there's a lot more to it than that. According to the Information Commissioner's Office, a data breach is:
'A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.'
The breach may be an accident, or you may have been hit by one of the thousands of cyber-attacks that occur every hour in the UK - either way, you need to be aware that, once GDPR goes live on May 25th, 2018, the rules around reporting data breaches are going to change.
What should you do after a data breach?
Once you're aware of a potential data breach, don't panic. Initially, you need to...
1. Find out what data has been breached
As soon as you know you've experienced a data breach, gather your IT team. You'll need to ascertain what has been breached, and how the event occurred. That way, you can determine the appropriate response - all data your training company holds is likely personal information, but there's a world of difference between accidentally releasing a private email address and experiencing a hack that culls your entire customer list. In addition to this, you'll want to consider how the breach may affect your operations.
2. Increase your security
Depending on the severity of the breach, you may end up simply changing internal passwords or re-installing your software. In the case of accidental data breaches, it's worth re-examining your current processes and altering them accordingly. This will enable you to limit the impact of future breaches. Bring in encryption if necessary, for an additional layer of protection - especially to protect financial data your training organisation holds, such as credit card numbers and bank account details. Depending on your current processes, two-step authentication may also be advisable, to double up on existing security.
3. Tell those affected
If you haven't already informed all staff as to what a data breach is and how to detect it, start now - before a breach occurs. Every employee needs to know just how important this is.
Communicate the breach to those impacted. In the event of an internal data breach, let all your staff know what's happened. Dedicated IT teams will want to assess the damage done and the repairs necessary, while other members of staff may need to take certain steps to increase security or change the way they currently work.
In the case of serious external breaches, where a security compromise is considered a 'high risk' to the rights and freedoms of individuals, you must directly inform delegates. Do so quickly and honestly. Apologise (even if it's not your fault). If there's a possibility that passwords have been lost or stolen, advise your delegates to change them as soon as they can. If the issue is more serious - stolen bank details, for instance, or names and dates of birth, which can facilitate identity theft - you'll need to work alongside the police to inform and investigate.
In certain cases, you'll need to...
4. Report the data breach
Once GDPR is rolled out, it may not always be necessary to report your data breach. Certain 'low risk' breaches are not subject to this - the ICO state that 'the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.' But, wherever there is any sort of risk to an individual's rights and freedoms, you must notify the relevant authorities.
Once you discover a breach, a report must be filed with the ICO within 72 hours. Even if you do not have the full facts to hand, you'll still have to notify them of what happened and what you do know. You'll then be able to file a follow-up report once you're in possession of more details.
Your initial breach notification must contain the following:
- The name of your data protection officer (or general point of contact, if you don't have one)
- What sort of data breach you've experienced
- Who and how many are affected
- What sort of impact the breach will have for you and those affected
- What steps were taken to prevent a data breach, and what actions will be taken in future
If your training organisation doesn't inform the ICO of a data breach or inadequately furnishes them with the appropriate details, you may find yourself subject to a crippling fine of around £9 million or 2% of your company's global turnover - whichever is the greater amount. That's a best-case scenario for poor data processing. If the breach seriously threatens an individual's rights and freedoms, that fine doubles to £17 million or 4% of global turnover. The ICO will also strip the worst offenders of data-processing rights, effectively banning them from collecting or using data.
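The four steps above amount to a small decision procedure: classify the risk, work out whether the ICO and the affected individuals must be told, track the 72-hour deadline, and check which of the required initial-report fields are still unknown so a follow-up report can be filed. The following is an added example (not code from the original post) that encodes that procedure; the risk labels "low", "risk" and "high" and the field names are assumptions chosen to mirror the article.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example, not from the original post. Reports must reach the ICO
# within 72 hours of becoming aware of the breach.
ICO_REPORT_WINDOW = timedelta(hours=72)

# The five items the article lists for the initial notification (names assumed).
REQUIRED_FIELDS = ("contact_name", "breach_type", "affected", "impact", "measures")


@dataclass
class BreachRecord:
    discovered_at: datetime        # when you became aware of the breach
    risk: str                      # "low", "risk" or "high" (assumed labels)
    details: dict = field(default_factory=dict)


def ico_deadline(discovered_at: datetime) -> datetime:
    """Latest time the initial report may be filed with the ICO."""
    return discovered_at + ICO_REPORT_WINDOW


def must_report_to_ico(risk: str) -> bool:
    """Only 'low risk' breaches (e.g. a lost staff phone list) are exempt."""
    return risk != "low"


def must_tell_individuals(risk: str) -> bool:
    """Affected people are told directly only when the breach is 'high risk'."""
    return risk == "high"


def missing_fields(record: BreachRecord) -> list:
    """Required initial-report fields still empty; if any, a follow-up is due."""
    return [f for f in REQUIRED_FIELDS if not record.details.get(f)]


def hours_remaining(record: BreachRecord, now: datetime) -> float:
    """Hours left before the ICO deadline (negative once overdue)."""
    return (ico_deadline(record.discovered_at) - now) / timedelta(hours=1)


def triage(record: BreachRecord, now: datetime) -> dict:
    """Summarise what the organisation must do right now for this breach."""
    return {
        "report_to_ico": must_report_to_ico(record.risk),
        "tell_individuals": must_tell_individuals(record.risk),
        "hours_remaining": hours_remaining(record, now),
        "follow_up_needed": bool(missing_fields(record)),
    }
```

Calling `triage` on a constructed record (for example a customer list accessed without authorisation, discovered 30 hours ago with only the contact name and breach type known) returns that the ICO and the delegates must be notified, 42 hours remain, and a follow-up report is needed.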
And don't forget to back-up
It's so easy to forget, especially when you're busy, but backing up all important data is absolutely necessary.
Without a back-up, if you lose data in a breach, you may be unable to access it again. It could spell disaster for your business if you can't see which delegates are booked onto which courses, for instance, or the contact details and availability of trainers.
If you haven't already, you need to create both online and offline back-ups of all sensitive data you hold. Provided these back-ups are secure, this will help you reinstate any information lost after a breach.
GDPR comes into effect on May 25th, 2018, but it's worth understanding the new rules, your responsibilities and your delegates' rights today. That way, you'll have plenty of time to start preparing the necessary changes to the way your training company processes data and keeps it secure.