When hackers targeted the popular file transfer software MOVEit last month, they left a trail of destruction in their wake. Thousands of global companies such as the BBC, British Airways, Boots and Aer Lingus were all caught up in the cyber incident that exposed employee personal data to hackers, including bank and contact details.
Data breaches aren’t rare. Research from IBM estimates the UK suffers more cyber attacks than any other European country. In 2022 the country accounted for 43% of attacks recorded in Europe over 12 months, far ahead of Germany’s 14% and France’s 7%. NordLocker similarly found UK businesses suffer the third-highest rate of ransomware attacks in the world, beaten only by the US and Canada.
The consequences of cyber attacks and data breaches can be grave. There’s not only the cost of putting the incident right but there could also be substantial fines levied by the regulator. Then there’s the reputational damage – a third of businesses have lost customers after a breach and four in 10 customers say they won’t return to a business after a security issue.
You need a data breach response plan
Some of those risks can be mitigated by having a solid data breach response plan in place in advance. Here’s what to include:
Step 1 – Plan a response
Before writing a plan, conduct a risk assessment to categorise what constitutes a breach, what information might be affected, and the scenarios that would activate the data breach response plan. Identify who will be included in the response team, their roles and contact details. You might want to also create a communications plan with prepared statements for customers, staff and the media, and agree timings around when these should be released in a hypothetical scenario.
Step 2 – Identify the breach
Data breaches must be dealt with on a case-by-case basis but if the team suspects a breach has happened, it’s important to record the circumstances. Note down the time and date the breach was discovered, the type of personal information involved, the cause and extent of the breach and any additional information about the breach itself or wider context.
Step 3 – Alert the Data Protection Officer (DPO) or other representative
Not every organisation will have a DPO, but those that do should alert the DPO to a potential breach at the first opportunity. For other businesses, the action plan should serve as a reminder of who to contact when a breach happens. The DPO or nominated contact will ascertain whether or not a breach has occurred and help to coordinate any immediate action required to limit the damage. They will also assess whether or not the regulator and/or affected individuals need to be notified.
Step 4 – Notify the regulator
Under the UK GDPR, a data breach must be reported to the relevant supervisory authority if it poses a risk to the rights and freedoms of individuals. The ICO has a helpful self-assessment tool for businesses to determine whether or not a breach needs to be reported. If it does, the report must be made within 72 hours and can be made in phases as more information becomes available. You should include the name and contact details of the data protection officer (if your organisation has one) or other point of contact, along with a description of the nature of the personal data breach, its likely consequences, and the measures taken (or proposed to be taken).
Step 5 – Notify affected individuals
This must be done if the breach is likely to result in a high risk to the rights and freedoms of individuals. This would be the case if hackers have accessed personal information that puts individuals at risk of discrimination, physical harm, identity theft, financial loss or damage to reputation. Organisations should communicate with each person individually (eg by email), and also inform individuals of the steps they should take to protect themselves or minimise the fallout from the breach (eg cancel credit cards). Customers are likely to be upset – you might want to consider opening up a customer service line for their questions or complaints about the breach so they feel their feedback is being taken on board.
Step 6 – Take action
One of the most important steps in a data breach action plan is the analysis that happens after a breach. How did the breach occur and how can you prevent it from happening again? Do staff need more training? Are there technology vulnerabilities that need to be resolved? Can personal data be kept separate from other data to minimise the harm if a breach happens again in the future? And are your processors contractually obliged to notify you immediately if they experience a breach?
Step 7 – Continue to assess
A breach which a business decides does not need to be notified may later become notifiable if the risk level increases. IBM estimates the average data breach lifecycle can take as long as 315 days, so a lot can change over that time. It’s also important to keep a detailed log of all activities at every step of the way, including how and why decisions were made on whether or not to inform the regulator and/or customers. All data breaches should be taken seriously and learned from to prevent something similar from happening again.