Best practice for managing data breaches

Data breaches can range from simply sending an email to the wrong recipient to a business-crippling systems hack. However, regardless of the severity, a robust strategy to respond to any data breach will give your organisation the best chance of surviving it.

Five years on from the Data Protection legislation overhaul, businesses have largely become accustomed to handling data breaches. Overall, the number of incidents are decreasing, but the numbers are still staggering.

Globally in the first quarter of 2023, 41.6m accounts were “leaked” as compared to 80.8m in Q4 of 2022. It is therefore necessary to regularly review and strengthen your organisations Data Protection strategies, and this article identifies the key factors which need to be considered in your Incident Management Plan (IMP). It is crucial that every company handling personal data has a robust IMP now, before a breach occurs. The core purpose of an IMP is to mitigate harm, both to your company and the individuals affected.

A “personal data breach” occurs when there has been a breach of security “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (s84(4) Data Protection Act 2018).

So, whether you have inadvertently emailed medical records to the wrong “John Smith”; left your laptop containing personnel records unlocked on a train, or your online payment system has been the subject of a ransomware attack, the incident will be considered a data breach.

However, the steps you need to take following a breach depend on the nature of the breach, the nature and volume of the data, and the individuals whose data has been affected.

The IMP, as with any business continuity plan, should include details of who the breach needs to be reported to or who will take the lead in coordinating the response to the incident. The issue may have an impact across the company, so identifying who represents each department is also important, and whether you need to bring in your lawyers.

Once your “response team” is established it will need to implement the IMP and progress through the following five stages:

1. Preliminary assessment – identifying the source and nature of the breach
2. Containment – if the breach is ongoing, secure the system to prevent further loss and seek to recover any data affected from regular back-ups
3. Detailed assessment – establish how the incident occurred, whose data was affected, how sensitive the relevant data is and what other impact the breach has caused
4. Notification – if the breach is serious enough to you must notify the Information Commissioners Office without undue delay and, where feasible, in no more than 72 hours of becoming aware of it (s67 Data Protection Act 2018). You will also need to consider if the individuals affected need to be notified (s68 Data Protection Act 2018)
5. Prevention – once the initial breach has been dealt with, you need to evaluate if your systems can be improved to prevent future similar threats. Consider also if further staff training would mitigate the risk of it happening again.

All personal data breaches, whether they are serious enough to notify the ICO or not, must be recorded (s67(6) Data Protection Act 2018). It is therefore an important part of compliance that you keep an internal record of all data breaches together with your other data protection compliance documents – including also, of course, your IMP. Your data breach record should be a contemporaneous record of any breach, detailing the nature of the breach, its date of discovery and your response to it, including remedial action taken as the full detail of the breach comes to light.

This internal breach is a means of evaluating the seriousness of the risk of harm to data subjects and will help you to decide whether the breach needs to be notified to the ICO and will then serve as evidence to the ICO of your management of breaches.

It would be usual for the internal data breach record to include a number of minor data breaches for any business, as there is a high likelihood of wrongly addressed emails being sent, for example. These may often be relatively low risk breaches arising due to human error. You should be aware, however, that persistent breaches, especially those which could have been corrected after the first occurrence or that are due to inadequate protection of IT systems, are likely to attract the adverse attention of the ICO.