A recent study of reported data breaches asked organisations whether the breach they had declared was their first. 83% said no. Common breach vectors included stolen credentials, phishing attacks and vulnerabilities in third-party software. Even with stringent network defences, these attacks are difficult to spot and harder still to eliminate: the same study put the average time to identify and contain a breach resulting from stolen or compromised credentials at around 11 months. In short, your business would be wise to treat data breaches as an inevitable part of doing business in an increasingly digital economy.
So, how do you get your response to data breaches right?
When is a data breach a breach?
How you respond to a data breach is critical, so let's take a quick look at three different types:
- Breaches of non-sensitive data
- Contained breaches of sensitive data
- Breaches of sensitive data
Size matters when it comes to breaches of non-sensitive data. Regulators take a dim view of companies that fail to protect customer data at scale, because scammers can use even names and email addresses to mount large phishing or spam campaigns, and a campaign that reaches a large number of people is bound to succeed against some of them.
When data is accidentally shared, for example an email sent to the wrong recipient, it can be possible to contain the breach. Under GDPR you must notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to the rights and freedoms of the people affected. If the recipient promptly confirms in writing that they have deleted the data without copying or forwarding it, you may reasonably assess that risk as unlikely and decide not to report, but you must record that assessment and its reasoning: the 72-hour clock runs from the moment you become aware, not from when the recipient replies.
If a data breach includes sensitive information, you are required to report it under GDPR and similar frameworks unless you can show it is unlikely to pose a risk to the victims, for example because the data could be shared or used to target them.
Demonstrable compliance is the foundation of good breach response. Regulations are put in place to protect your customers for a reason, and there are positive steps you can take to prepare ahead of a breach incident:
- Training your staff on data privacy is essential. The technical and organisational measures you had in place, including staff training, are among the factors regulators weigh when deciding whether, and how much, to fine you after a breach.
- Encrypting data, performing security assessments on new partners and managing access to data on a least-privilege model are also no-brainers. Encryption has a direct regulatory payoff: if breached data was encrypted and the keys were not compromised, GDPR does not require you to notify the affected individuals.
- Monitoring for exposed data will demonstrate to regulators that your business is serious about data protection. Learning from a regulator or a journalist that your data is being sold or shared by hackers is a poor starting position for any investigation, and it counts against you when penalties are assessed.
If the worst happens, you should document every breach of personally identifiable information (PII) and report every one that meets the notification threshold, rather than reporting only when an incident is too large to hide. In our recent compliance webinar, barrister Chris Kelly explained how regulators are suspicious of organisations disclosing extensive breaches with no prior history of reporting. Regulators could mount an investigation into your data protection practices and subject your business to financial penalties if they discover historic, undisclosed breaches.
A well-defined communications policy will let your customers know what to expect if a breach of sensitive data happens. Scammers will quickly jump on data breaches with phishing campaigns, so public disclosure on your website will help customers understand how the breach affects them and any steps they should take to protect themselves.
GDPR does not compel you to notify the victims themselves unless the breach is likely to result in a high risk to their rights and freedoms; where it does, you must tell them without undue delay. You should, however, bear in mind that the reputation of your business is at stake if there is press coverage of a breach and you haven't told your customers.
A close shave
It is best practice to keep a register of all near misses and of every breach you assessed and decided not to report, including who made the decision, when, and why. GDPR in fact requires you to document all personal data breaches, reported or not. Firstly, if a breach turns out to be more severe than first thought, you will have an audit trail showing that you detected and investigated the incident, i.e. you didn't ignore it or cover it up. Secondly, if regulators decide to investigate your practices for any reason, you will have a recorded history demonstrating how seriously you take data protection.
Want to know more?
View our recent webinar with barrister Chris Kelly from Briefed!