In the event of a personal data breach, meaning the loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, controllers must notify the competent supervisory authority. Now is therefore an ideal time to review how the business manages its data, take stock of its data assets, review its data protection measures, including disaster recovery and response activities, and ensure it has systems in place to minimise the risk of a data breach in the first place, since the problem of electronic data theft is growing.
Businesses will have to be more publicly accountable for data breaches and must be far more open with individuals in communications about them. Numerous data breaches come from internal sources, whether of malicious or inadvertent origin. Although malware, hacking and data theft are usually the first examples of data breaches that come to mind, many breaches are the result of simple human or technical errors rather than malicious intent.
There is often an undesirable lag between the occurrence of an intrusion, the discovery of that breach, and the revelation of the events to data subjects. Yet revelation that a breach of security occurred enables data subjects to protect their interests through increased vigilance against identity theft and other types of harm. One track may involve outside counsel (breach response counsel or legal counsel with expertise in incident response) negotiating with the attacker as the single point of contact in an attempt to reduce the ransom to something less than what it will cost to independently recover encrypted data or rebuild a network. Generally, consumers are informed without delay of the security breach when data is lost or compromised, putting them on alert for potential identity theft.
Thefts involving data, data breaches or exposures (including unauthorised access, use, or disclosure) to appropriate individuals; outline the response to a confirmed theft, data breach or exposure based on the type of data involved. Understanding which legal remedies may be available and which will be most effective is a start.
The most important thing a company can do to reduce the impact of a data breach is to react as swiftly and systematically as possible: mobilize the incident response team, secure systems, and conduct a thorough investigation. A data breach occurs when there is a loss or theft of, or other unauthorized access to, data containing sensitive personal information that results in the potential compromise of the confidentiality or integrity of data.
Individual elements of the plan should cover all phases of the incident response, from reporting the breach and the initial response activities, to strategies for notification of affected parties, to the breach response review and remediation process. In particular, assess the ability of the organization to detect a data breach as soon as possible and respond quickly, update data collection notices, and implement a data breach response policy. Relevant contracts may also address data breach, confidentiality, or related requirements.
A data breach response plan outlines the staff members involved in managing a data breach (or suspected data breach) and their responsibilities. By responding quickly, an entity can substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and reduce the potential reputational damage that can result. In particular, an early response to a data security breach is the key to preventing, or minimizing the damage from, identity theft or other potential misuse of personal information.
An entity can also reduce the reputational impact of a data breach by effectively minimising the risk of harm to affected individuals and by demonstrating accountability in its data breach response.