Data Breach Process

In the event of a data breach being detected, or even suspected, the following guide must be followed.

How are data breaches discovered?

Data breaches are discovered through a number of different channels, for instance:

  • Automated system monitoring that flags a potential data breach; such alerts are usually reviewed manually before any action is taken.
  • Reports from individuals or groups such as staff, customers or suppliers, including whistleblowing. End users may report breaches to the company; be aware that issues reported in this way may not be logged as breaches, so they must be triaged like any other report.
  • Publication of details by attackers, or members of the public finding IT equipment and reporting it to news outlets. On occasion the breach is in the public domain before the organisation learns of it.

What to do in the event a breach is detected

Step 1: Determine if Spotler is the Data Controller or Data Processor in regard to the breach

Spotler has a responsibility to respond to data breaches as either a) the data controller or b) the data processor.

An organisation cannot be both data controller and processor for the same data processing activity; it must be one or the other.

In the event of a data breach of Spotler’s customer data it should not be assumed that Spotler is the data processor, as there are scenarios in which Spotler becomes the data controller in the eyes of the ICO. The main determiner is who makes the decisions on how and what data is to be processed.

The following are examples of situations in which Spotler may be considered the data controller in a data breach involving customer data:

  • A managed service where Spotler has been given a brief by a customer and there is room for discretion by Spotler.
  • A breach involving data that has been acquired using Spotler technology where the customer does not determine how or what data is collected.

Where Spotler is determined to be the data processor, the data controller must be informed of the breach without delay (target 1 hour, maximum 4 hours). Spotler should still investigate the incident (Steps 3 and 4) and record it in its internal breach register (Step 7), since the controller will need that information for its own notifications. Where Spotler is determined to be the data controller, the following process must be followed in full.

Step 2: Establish Breach Response Team

This group coordinates the response across the company’s departments. Its core members are:

  1. Incident Lead
    Typically the data protection officer (DPO). The incident lead will:
      • Determine when the full response team needs to be activated in response to an incident
      • Manage and coordinate the company’s overall response efforts and team, including establishing clear ownership of priority tasks
      • Act as an intermediary between C-level executives and other team members to report progress and problems, and act as the liaison to external partners
      • Ensure proper documentation of the incident response process and procedures
  2. Executive Leaders
    The company’s key decision makers, who will:
      • Ensure decisions made by the team have the support of executive management
      • Maintain a line of communication to the board of directors and other stakeholders such as investors

Depending on the nature of the breach, the following departments may also require involvement:

  3. HR
    Since data breaches can affect employees, appointed HR representatives will:
      • Develop internal communications to inform employees and former employees
      • Organise internal meetings for employees to ask questions
  4. IT
    IT and security teams will usually lead the way in detecting and stopping a data breach, and will also:
      • Identify the top security risks to the organisation that should be incorporated into written incident response plans
      • Train personnel in data breach response, including securing the premises, safely taking infected machines offline (isolating them from the network rather than powering them off where volatile evidence such as memory matters) and preserving evidence
      • Work with a forensics firm to identify the compromised data and remove attacker tooling without destroying evidence or hindering the investigation
  5. Legal
    Legal, privacy and compliance experts help minimise the risk of litigation and fines in the wake of a breach. Legal representatives will:
      • Determine how to notify affected individuals, the media, law enforcement, government agencies and other third parties
      • Establish relationships with any necessary external legal counsel before a breach occurs
      • Be the final sign-off on all written materials related to the incident
  6. PR/Marketing
    If the breach must be reported to the media and/or affected individuals must be notified, the PR representative will:
      • Identify the best notification and crisis management tactics before a breach ever occurs
      • Track and analyse media coverage and quickly respond to any negative press during a breach
      • Craft consumer-facing materials related to an incident (website copy, media statements, etc.)
  7. Customer Care/Account Management
    This group must be kept abreast of what is occurring, as they will be on the front line answering questions and concerns from customers. They will be responsible for:
      • Developing or assisting with crafting phone scripts
      • Logging call volume and the top questions and concerns raised by callers

Step 3: Investigate the Incident

Is the incident a personal data breach? A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The mandatory notification obligation applies only if an incident actually resulted in a breach of personal data.

Examples of personal data breaches include (but are not limited to):

  • lost USB sticks
  • stolen laptops
  • malware infections
  • hacked databases containing personal data

A threat or a shortcoming in security measures, such as weak passwords or outdated firewalls, is not considered a personal data breach as long as no personal data has been compromised. Such weaknesses therefore do not fall within the mandatory notification obligation. They should nonetheless be logged and remediated as security incidents, since they are frequently the root cause of a later breach.

If an incident is deemed to be a personal data breach then a ‘Data Breach Report’ must be completed. A data breach report template can be found here.

Step 4: Investigate the Scope, Nature and Possible Consequences

For this investigation, the answers to the following questions can be relevant:

  • What is the source of the personal data breach? For instance, is it a stolen device or an internal security measure that has been hacked?
  • How many individuals are affected by the personal data breach, and is the breach likely to result in a risk to the rights and freedoms of the individuals affected? For instance, a hack of a customer database could well have a severe impact on the private lives of many people, whereas a breach concerning only the business contact details of one customer may have minimal impact.
  • Does the compromised personal data include sensitive data? For instance, credit card details, passport numbers or health data.
  • Was the compromised personal data encrypted or otherwise secured in a manner that makes it impossible for a third party to access? For instance, if adequate encryption is used, or passwords or other values are adequately hashed and salted, it can be assumed that third parties will not be able to access the personal data, provided the keys were not compromised in the same incident.
  • Which steps have been taken to mitigate (further) loss of personal data? For instance, if all personal data can be wiped remotely, or control of a hacked database can be regained, further loss can be mitigated.
  • Which parties are involved in the data breach? For instance, if a shared database is hacked, it cannot be excluded that several parties will be involved in and/or affected by the breach.

Step 5: Investigate Notification Obligation to the Supervisory Authority

The supervisory authority must be notified by the controller of any personal data breach that results in, or is likely to result in, ”a risk to the rights and freedoms of natural persons.” This has to be assessed case by case. For example, the loss of customer details that leaves individuals open to identity theft must be notified to the relevant supervisory authority, whereas the loss or inappropriate alteration of an internal telephone list would not normally meet this threshold.

In this respect, the answers to the questions in Step 4 and a view of the reasonable consequences of the breach (for example discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage) are relevant. Notification must be made without undue delay and, where feasible, within 72 hours of Spotler becoming aware of the breach; a later notification must state the reasons for the delay. If not all information is available yet, the controller should still notify the supervisory authority within that window: the notification may be amended later when the full details are known, or withdrawn if it turns out not to be needed after all.

Where a notification to the supervisory authority is required, first check whether the supervisory authority provides a standard breach notification form. If no such form is available, the notification must include at least the following information:

  • the scope and nature of the personal data breach, including the categories and number of data subjects and data records concerned;
  • the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate any possible adverse effects.

Step 6: Investigate Notification Obligation to Individuals

Where a personal data breach is likely to result in a ”high risk” to the rights and freedoms of individuals, those concerned must be notified directly and without undue delay. The ”high risk” threshold for notifying individuals is therefore higher than the ”risk” threshold for notifying the supervisory authority.

If affected individuals must be informed, you should provide at least the following information in clear and plain language:

  • the scope and nature of the personal data breach;
  • the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate any possible adverse effects (e.g. contact your credit card provider, change your password, etc.).

Notification to individuals is not necessary if the controller can demonstrate that ”appropriate technological protection measures” were applied to the data concerned by the personal data breach, which ”shall render the data unintelligible to any person who is not authorised to access it”, such as encryption, or if it has subsequently taken measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise. Encryption only qualifies if the key was not compromised in the same incident; an encrypted laptop stolen together with its password offers no such protection.

If individual notifications would be a disproportionate effort, the controller can use some form of public communication instead provided that this will be equally effective in informing individuals.

Supervisory authorities have the power to overrule controllers and order them to notify the affected individuals if they disagree with a controller’s assessment of the risk.

Step 7: Create and Maintain an Internal Breach Register

Controllers are obliged to document any personal data breaches, which shall at least include information on the facts relating to the personal data breach, the effects of the breach and the efforts and remedial actions taken. It is recommended also documenting any communication with supervisory authorities and affected individuals. Moreover, in the event a decision was made not to notify supervisory authorities and/or affected individuals, it is recommended to keep a record of the facts and the reasons why such decision was made as a supervisory authority may initiate an audit or request for information at any time.

Processors are also recommended to keep an internal breach register, among other things to demonstrate to (potential) customers the effectiveness of the implemented security measures and the maturity of their handling of data breaches.
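The decision points in Steps 1 and 3 to 6 and the register of Step 7 are easy to get wrong under time pressure, so a practitioner would want them encoded. The following is an added example, not Spotler’s own tooling: it takes the Step 1 role and the Step 4 answers, derives the notification obligations using the thresholds described above, and appends a record to a hash-chained register so that the facts and the reasons for not notifying cannot be silently edited afterwards. The field names, the risk scoring (including the 1000-individual cut-off), the four constructed scenarios and the hash-chained register design are assumptions of this example; the 72-hour window is the one in GDPR Article 33(1).

```python
"""Triage and register example for Steps 1 and 3 to 7 (added illustration, not Spotler's
own tooling). Field names, the 1000-individual cut-off and the hash-chained register
design are assumptions; the 72-hour figure is GDPR Article 33(1)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field, replace
from datetime import datetime, timedelta, timezone


@dataclass
class BreachAssessment:
    """Step 1 role decision plus the answers to the Step 3 and Step 4 questions."""
    incident_id: str
    detected_at: datetime          # when Spotler became aware of the breach
    role: str                      # "controller" or "processor" (Step 1)
    personal_data_involved: bool   # Step 3: is this a personal data breach at all?
    individuals_affected: int
    sensitive_data: bool           # card numbers, passport numbers, health data, ...
    rendered_unintelligible: bool  # adequately encrypted/hashed AND keys not compromised
    further_harm_mitigated: bool   # e.g. remote wipe done, control of database regained
    direct_contact_feasible: bool  # can affected individuals be contacted one by one?


@dataclass
class Decision:
    risk: str                                 # "none", "risk" or "high"
    notify_controller_by: datetime | None = None  # processor only: target 1 h, max 4 h
    notify_authority: bool = False
    authority_deadline: datetime | None = None    # 72 h from awareness where feasible
    notify_individuals: bool = False
    public_communication: bool = False
    rationale: list[str] = field(default_factory=list)


def assess_risk(a: BreachAssessment) -> str:
    """Map Step 4 answers onto the Step 5 ("risk") and Step 6 ("high risk") thresholds.
    Assumed scoring, not a legal rule: unintelligible data carries no risk; sensitive
    data or a large number of affected people means high risk."""
    if not a.personal_data_involved or a.individuals_affected == 0 or a.rendered_unintelligible:
        return "none"
    return "high" if a.sensitive_data or a.individuals_affected >= 1000 else "risk"


def decide(a: BreachAssessment) -> Decision:
    """Apply Steps 1, 3, 5 and 6 to one assessment, recording the reason for each outcome."""
    d = Decision(risk=assess_risk(a))
    if not a.personal_data_involved:
        d.rationale.append("Step 3: no personal data involved; log as a security incident only")
    elif a.role == "processor":
        d.notify_controller_by = a.detected_at + timedelta(hours=4)
        d.rationale.append("Step 1: processor; inform controller without delay (target 1 h, max 4 h)")
    elif d.risk == "none":
        d.rationale.append("Step 5: no risk to individuals; record the decision, do not notify")
    else:
        d.notify_authority = True
        d.authority_deadline = a.detected_at + timedelta(hours=72)
        d.rationale.append("Step 5: risk; notify supervisory authority, within 72 h where feasible")
        if d.risk != "high":
            d.rationale.append("Step 6: not high risk; individual notification not required")
        elif a.further_harm_mitigated:
            d.rationale.append("Step 6: high risk no longer likely after mitigation; no notification")
        elif a.direct_contact_feasible:
            d.notify_individuals = True
            d.rationale.append("Step 6: high risk; notify affected individuals directly")
        else:
            d.public_communication = True
            d.rationale.append("Step 6: high risk, direct contact disproportionate; public communication")
    return d


def _canonical(body: dict) -> str:
    # Deterministic JSON (sorted keys, datetimes as ISO strings) so the hash is stable.
    return json.dumps(body, sort_keys=True, separators=(",", ":"), default=datetime.isoformat)


def register_entry(a: BreachAssessment, d: Decision, prev_hash: str = "0" * 64) -> dict:
    """One Step 7 record (facts, effects, decisions, rationale) chained to the previous
    record's hash, so that later edits, deletions or reordering are detectable."""
    body = {"facts": asdict(a), "decision": asdict(d), "prev_hash": prev_hash}
    body["entry_hash"] = hashlib.sha256(_canonical(body).encode()).hexdigest()
    return body


def verify_register(entries: list[dict]) -> bool:
    """Recompute the hash chain; False if any record was altered, removed or reordered."""
    prev = "0" * 64
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        digest = hashlib.sha256(_canonical(body).encode()).hexdigest()
        if body.get("prev_hash") != prev or digest != e.get("entry_hash"):
            return False
        prev = digest
    return True


SAMPLE = BreachAssessment(  # constructed sample: hacked marketing database, Spotler as controller
    incident_id="INC-0001", detected_at=datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc),
    role="controller", personal_data_involved=True, individuals_affected=25000,
    sensitive_data=False, rendered_unintelligible=False, further_harm_mitigated=False,
    direct_contact_feasible=True)
SCENARIOS = {"controller_hacked_db": SAMPLE, "processor": replace(SAMPLE, role="processor"),
             "encrypted": replace(SAMPLE, rendered_unintelligible=True),
             "single_contact": replace(SAMPLE, individuals_affected=1)}


def demo() -> list[dict]:
    """Run every constructed scenario through decide() and append each to one chained register."""
    register: list[dict] = []
    for name, a in SCENARIOS.items():
        prev = register[-1]["entry_hash"] if register else "0" * 64
        register.append(register_entry(replace(a, incident_id=name), decide(a), prev))
    return register
```

The rationale strings are what make the register useful to an auditor: a decision not to notify is only defensible if the reasons were recorded at the time, and the hash chain means a later "correction" of those reasons shows up when the register is verified. The scoring in `assess_risk` is deliberately simple; the real judgement calls (is this sensitive data, was the key really safe) still belong to the incident lead and legal, but the tool forces them to be answered explicitly.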

Step 8: Evaluate the Personal Data Breach and Update Technology and Policies

The principle of accountability requires controllers to be responsible for, and able to ”demonstrate” and ”evidence”, compliance with the data protection principles, which include the security obligations. In view of this requirement, document what the organisation has done to prevent future personal data breaches originating from the same source, and regularly review and update the breach detection, investigation and internal reporting procedures. Likewise, regularly review and update the security measures and the training provided to employees on data security and the handling of personal data breaches.
