A recent study of reported data breaches asked organisations if the breach declared was their first. A whopping 83% said no! Common breach vectors included stolen credentials, phishing attacks and vulnerabilities in third-party software. Even with the most stringent network defences, such attacks are difficult to spot and even harder to eliminate. The average time to identify and contain a breach resulting from stolen or compromised credentials was 11 months! In short, your business would be wise to treat data breaches as an inevitable part of doing business in an increasingly digital economy.
So, how do you get your response to data breaches right?
How you respond to a data breach is critical, so let's take a quick look at three different types of breach and what each one requires:
Size matters when it comes to breaches of non-sensitive data. Regulators take a dim view of companies that fail to protect customer data at scale, because scammers can use the leaked data to mount large phishing or spam campaigns. A campaign aimed at a large volume of leaked contacts is bound to succeed against some of them.
When data is shared accidentally, it can be possible to contain the breach. If the recipient of the data confirms they have deleted it within 72 hours of receipt, the company that leaked the data is not required to report it.
If a data breach includes sensitive information, you are required to report it under GDPR and similar frameworks if there is any chance of the data being shared or used to target the victims.
Full compliance is the foundation of good breach response management. Regulations are in place to protect your customers for a reason, and there are positive steps you can take to prepare before an incident happens.
Report breaches of personally identifiable information (PII) as a matter of routine, not only when the worst happens. In our recent compliance webinar, barrister Chris Kelly explained that regulators are suspicious of organisations that disclose an extensive breach with no prior history of reporting. If they then discover historic, undisclosed breaches, they could open an investigation into your data protection practices and impose financial penalties on your business.
A well-defined communications policy lets your customers know what to expect if a breach of sensitive data happens. Scammers quickly follow data breaches with phishing campaigns, so a public disclosure on your website helps customers understand how the breach affects them and what steps they should take to protect themselves.
GDPR does not compel you to report breaches to victims unless there is a high risk of the data being used to target them. You should, however, bear in mind that the reputation of your business is at stake if there is press coverage of a breach and you haven't told your customers.
It is best practice to keep a register of all near misses: data breaches you were not required to report. Firstly, if a breach turns out to be more severe than first thought, you will have an audit trail showing that you detected and investigated the incident, i.e. that you did not ignore it or cover it up. Secondly, if regulators decide to investigate your practices for any reason, you will have a recorded history demonstrating how seriously you take data protection.
View our recent webinar with barrister Chris Kelly from Briefed!