Organisations must protect data and respond quickly and transparently when a data breach occurs. Despite their best efforts, data breaches remain a persistent and formidable threat. Data breach reporting is therefore a crucial part of data protection: it is the mechanism that turns an incident into a managed, accountable response.
How quickly should a data breach be reported when it occurs?
A slow response to data breaches results in loss of customer trust, fines from government entities, time spent on the breach rather than business operations, and much more.
What Is a Personal Data Breach?
The General Data Protection Regulation (GDPR), in Article 4, defines a personal data breach as a security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data that is transmitted, stored, or otherwise processed.
We can define a data breach as a security incident in which information is accessed without authorisation. Personal data breaches can take place in many circumstances, but they often involve the loss or breach of sensitive personal information that puts the affected individuals at risk of harm or other adverse consequences.
The common perception of a data breach is that it involves hostile hackers scouring the internet for sensitive data. That’s sometimes the case, but breaches often result from human error or internal mishandling.
Personal data breaches may include:
- Accidental or deliberate action by a controller or processor
- Unauthorised third-party access
- Unauthorised alteration of personal data
- Devices stolen or lost that have personal data
- Sending personal data to the wrong recipient
How Quickly Should a Data Breach Be Reported?
The UK General Data Protection Regulation requires businesses to report personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. Article 33 of the GDPR, titled “Notification of a Personal Data Breach to the Supervisory Authority,” sets out the required data breach procedure in detail.
If a data processor discovers a breach, it must notify the data controller without undue delay.
The notification to the relevant supervisory authority must contain several specific details, including:
- The nature of the data breach, categories of data, number of personal data records, and number of individuals affected
- Possible consequences of the breach
- Contact information for the company’s data protection officer or another contact point
- How the controller plans to deal with the breach and stop the risk to data subjects
Organisations that fail to report a data breach within the required 72 hours can explain the reasons for the delay, although they may still be fined or otherwise penalised.
Factors to Consider When Deciding Whether to Notify the ICO
When deciding whether to notify the Information Commissioner’s Office (ICO) about certain personal data breaches, organisations should consider several factors to determine the significance and possible impact of the breach.
1. The Severity
Determine the severity of the data breach. Consider how damaging the breach may be to your organisation, affected individuals, and the wider public. A severe data breach is more likely to require notification.
2. Potential Consequences
Consider the potential consequences of the data breach for affected individuals. This involves the risks of reputational damage, financial loss, identity theft, or other adverse outcomes.
3. Type of Breach
Determine the type of breach. Is it a data loss, a data theft, a data disclosure, or unauthorised access? Different breaches may have varying levels of risk and impact.
4. Sensitivity of Data
Consider the nature of the compromised data. Data related to financial records, medical information, and other sensitive personal information are more likely to trigger notification requirements.
5. Special Characteristics of Individuals
Consider any unique characteristics of the individuals whose data was breached. For example, if the data belongs to vulnerable individuals or children, the breach may be more significant and require notification.
6. Ease of Identifying Individuals
Determine how easily individuals can be identified from the breached data. If the breach makes it relatively easy to identify specific individuals, notification becomes more likely to be required.
7. Internal Policies and Procedures
Consider your organisation’s internal data breach policies and procedures. Some organisations may have internal policies that dictate when and how to report data breaches.
8. Legal and Regulatory Requirements
Keep any regulatory or legal requirements in your jurisdiction in mind. Some data protection laws require notification to the affected individuals or the ICO in certain cases.
9. Consultation with Legal Experts
Consult or seek legal advice from data protection experts to ensure compliance with relevant regulations. Legal experts can give guidance on whether notification is necessary.
10. ICO Guidelines
Refer to the Information Commissioner’s Office’s (ICO) guidelines and recommendations on data breach notification. The ICO may establish precise criteria or thresholds for reporting breaches in your jurisdiction.
How to Report a Data Breach
When reporting a data breach to the Information Commissioner’s Office (ICO), ensure it contains:
1. Situational Analysis
Provide a comprehensive overview of the data breach, including:
- Initial damage: how the data breach was discovered, when it happened, and any actions taken to contain it.
- Impact on your organisation’s operations, reputation, and finances.
- Cause of the data breach: the source or root cause, whether human error, technical failure, or cyber attack.
2. Assessment of Affected Data
- Determine what categories of personal data have been compromised. Provide details, such as names, financial information, addresses, or health records.
- Determine how many records or individuals were affected by the data breach. This helps the ICO understand the incident’s scope.
3. Description of the Impact
- Explain the possible consequences of the data breach for the affected parties. For example, if sensitive personal data was exposed, mention the risk of identity fraud or theft.
- Discuss whether affected individuals have been notified of the data breach, and if not, explain the delay.
4. Report on Staff Training and Awareness
- If the breach resulted from human error, determine if the employee(s) involved had data security training within the last two years.
- If training was offered, include details of your employee security awareness training program to demonstrate your commitment to preventing future breaches.
5. Preventive Measures and Actions
- Describe the security measures and actions in place before the breach. This includes access controls, security encryption, and monitoring systems.
- Explain the efforts made to reduce the damage and avoid similar future breaches. Highlight any immediate measures, such as strengthening or closing security vulnerabilities.
Provide the contact information for your organisation’s Data Protection Officer (DPO) or the employee in charge of data protection. This individual is the point of contact for any subsequent ICO queries.
Keep records of any communications with the ICO, including letters, emails, and any extra information requested by them.
Creating a Data Breach Response Plan
The specifics of your breach response plan will vary depending on your organisation’s needs. However, ensure that your response plan includes:
- Your company’s definition of a data breach and how employees can identify one
- The roles and responsibilities of every member of your breach response team
- Clearly specified procedures and reporting lines for reporting a data breach
- Plans to analyse, identify, and eliminate any security gaps that contributed to the data breach
- Plans for dealing with different types of data breaches with different levels of risk involved
- Plans for notifying relevant supervisory authorities, law enforcement, and affected data subjects about the breach
- Ideas for determining the success or failure of your mitigation efforts
- Lists of your post-breach obligations under service agreements, insurance policies, and any other third-party contracts
- Full record-keeping and documentation processes
- Regularly scheduled reviews and tests of your data breach response plan
Frequently Asked Questions on How Quickly a Data Breach Should Be Reported
1. Where do I report a data breach?
You should report to the Information Commissioner’s Office (ICO) if the data breach involves the loss or breach of sensitive personal information that puts the affected individuals at risk of harm or other adverse consequences. Timely and accurate reporting is important to comply with legal requirements and mitigate the potential consequences of a data breach.
2. What must a company do after a data breach?
The first goal should be to remain calm and act quickly. Contain the breach by disconnecting affected devices from the network and notifying the IT department. Determine what data has been compromised and what steps are needed to assess the damage. Then report to the ICO as the General Data Protection Regulation (GDPR) recommends.
3. What happens if a data breach is not reported?
Failing to report a data breach can result in financial, reputational, and operational consequences and severe fines and penalties. Compliance with data breach reporting obligations is key in mitigating these risks and demonstrating a commitment to data security.
4. What data constitutes a data breach?
A data breach is any security event in which unauthorised parties get access to sensitive data or confidential information, such as personal data (bank account numbers, National Insurance Numbers (NINs), healthcare data) or corporate data (intellectual property, customer data records, financial information).