It’s the Law! Part 2: Crime and Punishment
The increasing risk and burden of dealing with a data breach
Let’s be honest. When we talk about data breaches - we don’t always think about the end consequences, do we? What could the worst outcome be? Who will be affected by it ? - and how? But once the breach has happened - what then? How do we limit and repair that damage?
Of course we all know that the most severe and perhaps most worrying consequences of poor data governance is a data breach. It’s the kind of stuff that keeps company bosses and data managers awake at night - and understandably so. Organisations can face legal action, huge financial losses, and often irreparable reputational damage and incalculable damage to customers.
In our previous post Stop in the Name of the Data Governance Bureau we explored why robust data governance is paramount and offered up some advice to help prevent you falling foul of the law. In this post, we are going to take a look at what can happen if your data governance protocols fail and you experience a data breach, as well as providing some steps to mitigate the risk and minimise the damage should a breach occur.
What is a data breach and how do they happen?
A data breach refers to a security incident in which sensitive, confidential, or protected information is accessed, stolen, lost, shared, exposed or otherwise compromised by an unauthorised person or entity.
Data breaches can involve various types of information, such as personal identifiable information (PII), financial data, medical records, intellectual property, login credentials, and more.
A breach can occur for a variety of reasons, often resulting from vulnerabilities in technology, human error, or malicious intent. Under the General Data Protection Regulation (GDPR), organisations are legally required to report most types of data breach to the Information Commissioner's Office (ICO) within 72 hours of discovery.
Not all breaches of personal data will meet the reporting threshold and the ICO has a useful self-assessment tool to help you determine this.
Human error: unavoidable?
We often think of breaches as a result of a cyber attack, but more often than not, they happen as a result of human error. The ICO reports that in the final quarter of 2022 (October - December), 75% of incidents reported were non-cyber incidents, a term defined as: “a type of breach that does not have a clear online or technological element which involves a third party with malicious intent. For example, incidents involving paper filing systems or information accidentally emailed to the wrong recipient.”
A recent example widely reported in the UK news is the data breach at Norfolk and Suffolk Police. Through a “technical issue”, the forces released highly sensitive data in response to a number of Freedom of Information (FOI) requests. According to their official press statement, the two police forces inadvertently shared personal identifiable information on victims, witnesses, and suspects, in cases including domestic incidents, sexual offences and hate crimes.
This comes just days after news broke of a separate and extremely serious breach by the Police Service of Northern Ireland, in which the identities and work locations of around 10,000 officers and staff were published online. It was later revealed that the leaked information was obtained by Republican paramilitaries, stirring up fears that they will use the data to threaten and attack officers.
This incident also happened in response to a routine FOI request.
Whilst details of what actually happened have not been released in either case, the chances are that somewhere down the line, someone made a mistake. And as FOI requests along with Subject Access Requests (SARs), are becoming more commonplace and increasingly burdensome for organisations, the probability of human error becomes all the more likely.
Damage limitation
If a data breach occurs in your organisation, the following steps will help you to limit the damage that is caused to your customers and your organisation, financially and reputationally.
Establish the extent of a breach
According to IBM’s ‘Cost of a Data Breach’ report, the average time taken to identify and contain a breach in 2020 was 280 days. It is crucial that you do not add significant time in establishing exactly what data has been breached. SimSage can reveal the severity of a breach in hours, searching across all your different systems to find compromised documents that contain specific types of data, like credit card details. Information like this is vital in those crucial few hours after a breach and allows organisations to understand what types of information have been breached and for how many customers.
Fulfill your legal obligations
Typically you have 72 hours to report a data breach to regulators and/or authorities, in the UK this is the Information Commissioner's Office. To make an accurate report, you will need to find out what personal, confidential, sensitive and financial details are contained within the leaked, lost or hacked documents.
Not all breaches need reporting to the ICO, use their self-assessment tool to help you determine this. In some cases, you will have to notify the data subjects about the breach and advise them of any steps they should take to protect themselves. Clear guidance about when this is necessary can be found on the ICO’s website.
Revisit and reassess your data governance protocols
Once you understand how the data breach occurred and the potential impact, you need to prioritise putting practices in place to ensure that it does not happen again. Revisit your data governance policies to address weaknesses and deliver clear communications and training to all employees around the changes. If the data breach happened as a result of human error when processing an FOI request or a SAR, then you should consider implementing technology to assist in these processes. If you deal in data, you have to ask yourself: Is your business SAR ready? and you need to prepare for it accordingly.
SimSage is not only built to support the efficient response and recovery of a data breach, it can actually help to prevent a breach occurring. Powerful search, workflow and redaction features enable organisations to respond to SARs and FOI requests quickly, sharing only the requested information. A key data governance challenge faced by companies is determining and maintaining their data retention policies and requirements. This is a challenging area for most organisations to keep on top of and is only getting worse as the amount of information they store increases.
But remember - whenever you think about data breaches, you need to think about who the victim is and what the impact is on them. If your organisation deals in data - you are the guardian of very personal information. As that guardian, if you do not take the right steps to protect it, whilst not being the perpetrator of the crime you may find yourself as equally culpable and subject to punishment by law and in the court of public opinion.