What to do when you have had a notifiable data breach
With 1 in 4 businesses likely to experience a data breach at some point over the next two years, organisations that disregard the importance of data security do so at their own risk [1].
A data breach is an event in which an individual's personal information, such as medical records, financial information or contact details, is potentially put at risk, either in paper format or electronically. According to the results of the Ponemon Institute's 2017 Cost of Data Breach Study, a data breach in 2017 cost Australian businesses on average $AUD 250 per year, a figure that takes into account unforeseen wider costs such as reputational damage from the disclosure of sensitive information, client loss, and in-house investigations and communication.
Although a malicious attack is likely to be the most catastrophic in economic terms, and accounts for half of all data breaches, criminals and hackers are not the only root cause. The Study identified an alarming share of system glitches (25%) and human errors (28%) as the cause of breaches in the countries studied.
Several factors can minimise the financial and reputational impact of a breach, with quick response times and early detection being the two most significant. Here are five critical steps your business should take if it experiences a data breach.
- Activate your response team
A prepared incident response team, as identified by the Study, is one of the most influential factors in decreasing costs. As soon as you become aware of the breach, your response team should be immediately alerted.
The team should consist of a mixture of staff who have decision-making authority and should be well established in advance of a data breach event, ensuring that procedures and reporting mechanisms are in place and available for immediate use. All employees must know who the response team members are and the timelines and steps they need to take to notify the response team.
- Contain the breach
It's important to find the source of the breach as quickly as possible. A data breach can be physical, such as the theft or loss of documents or paper-based records, or electronic, such as an email phishing attack or a lost laptop. Containing and isolating the problem could mean recovering or tracing lost documents, closing off part of your network, finding lost materials, or changing security access to your building.
- Assess the risks
After you have activated your response team and identified and contained the data breach, it's important that the significance and sensitivity of the breach is assessed and responded to accordingly. Gather and evaluate as much information about the data breach as possible, being careful not to destroy evidence that may be valuable in identifying the cause of the breach or that will assist you in addressing the risks it poses. Breaches caused by human error, for instance by incorrectly storing or losing documents, can be mitigated by clear document security policies, including securely shredding documents once it is appropriate to do so.
You should also consider how you will notify the individuals affected. It is a legal requirement under the Notifiable Data Breach scheme to notify individuals and the Commissioner about data breaches that are likely to result in serious harm [2] (OAIC, 2017). For assistance in ascertaining when a breach may require notification, refer to The Notifiable Data Breach Scheme (NDB) and What it Means for Your Business White Paper for more detail.
Depending on the nature of your business, under certain legislation, such as the new EU General Data Protection Regulation (GDPR), relevant businesses are required to provide notification within 72 days of discovery.
- Put safeguards in place
After identifying the cause, your business should do a forensic deep-dive analysis to ensure that the problem does not recur. Evaluating your existing policies and procedures around data management and security, including a review of how collected data is managed and of document shredding procedures, may help you understand how the breach occurred so you can avoid it in the future.
Such a review may involve putting new systems or processes in place which should be communicated to staff. Partnering with a document destruction company that has a secure chain of custody and provides destruction of both paper and digital data may also help win back your customers’ confidence, knowing that their data is protected.
Start Protecting Your Business
To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote.
[1] Ponemon Institute LLC, 2017, 2017 Cost of Data Breach Study.
[2] Office of the Australian Information Commissioner (OAIC), 2017, Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth).
Note: US $1.92 million converted to AUD on 6 April 2018.