How many data breaches can you name? There was Yahoo a few years back, of course. The NHS fell foul of cyber attackers recently, Sony was all over the news in 2014 after a major hack. These high-profile cases are the ones that make headlines, but cyber attacks don’t just happen to giant organisations with lots of data. Far from it.
The UK Government’s latest Cyber Security Breaches Survey found that nearly half of all businesses in the UK fell victim to a security breach in 2018. Attacks are becoming more frequent and widespread, and less discriminatory with who they target. If you haven’t already, there’s a near 50/50 chance you will be hacked in the future.
So, what do you do if you have? Aside from informing your customers, you’ll likely need to tell the UK’s data watchdog – the Information Commissioner’s Office (ICO). So let’s take a look at when you need to report a data breach, the reporting process, and what to expect when you have to get in touch.
When does the ICO need to know about a breach?
Before getting into the nitty-gritty, it’s worth printing the ICO’s definition of a data breach: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. If you think that’s happened to your business, there’s a high chance you’ll need to get in touch with them.
But you don’t have to report all data breaches to the ICO. If you’re unsure, there is a useful, two-minute self-assessment tool available on their website which will tell you whether or not you need to report a breach to them or simply keep a record of it. In short, though, they are concerned with breaches that put individuals at risk or put people’s rights and freedoms in jeopardy.
There are some instances where reporting a breach is mandatory in all cases. Telecoms providers or internet service providers are required to notify the ICO if any personal data breach occurs. NIS breaches and eIDAS regulation breaches also have to be reported. These are both EU regulations, and the ICO acts as the relevant supervisory body in the UK.
NIS regulation relates to companies “providing digital services such as online marketplaces, online search engines and cloud services”. Operators of Essential Services (OES) are also affected by NIS regulation. These are organisations “deemed critical to the economy and wider society”, which is a pretty rarefied category.
An eIDAS breach concerns businesses providing “a trust service”. Trust services verify the identity of a sender of an online message and the integrity of messages that are exchanged through the Internet. So, think website certificates and identity verification.
If you do need to report a breach, the General Data Protection Regulation (GDPR), which came into force on 25th May 2018, requires businesses to do so within 72 hours of becoming aware of the issue. ‘Aware’ is the key word here. It’s 72 hours from the time you noticed the breach, not necessarily when the breach happened. So where to start?
What’s the process from beginning to end?
Your first priority after detecting a breach is ascertaining that there’s no further risk. If it’s a cyber incident, then you make sure that the incident is contained and mitigated, and that the avenue of data-harvesting, or data-gathering, is stopped.
At the same time, there should be a person working on notifying the ICO. The notification doesn’t need to be complete at the get-go. It can be, ‘We have a problem. We don’t know the details yet and we will update you as soon as we can.’
The form you need is available on the ICO’s website. It’s a tick-box form with a few fields for entering free-text information. Get this out the door quickly and continue your investigation into the breach. You need to figure out:
- How the breach happened
- How many people are affected
- The type of data that’s involved
- The variety of categories of information that are involved
- How likely it is that individuals are going to be affected by that breach
Once you’ve ascertained this information, go back to the ICO as soon as possible and update them. Depending on the severity of the incident, you may need to make a decision as to whether you inform the affected individuals.
This has to be done publicly. Unless you’re Facebook and the breach will be widely reported in the press, you’ll need to opt for more manual notifications. That can be an email, a phone call or even a letter. It depends on the contact information you have for those individuals.
Customers will want to know what’s happened to their data, they’ll want to know what categories of information have been breached, and they’ll want to know what to do next. Tell them everything you know and offer advice on what to do. Should they, for example, change their passwords? Commit, in writing, to keeping them aware of any developments, and follow through.
Remember: customers can complain to the ICO, too. If what you’re saying to clients and what you’re saying to the ICO doesn’t match up, that’s when an investigation is likely to start.
What are the ICO like to deal with?
The ICO is very direct and to the point. In most cases, you can expect a week to pass before you receive a reply. So don’t worry about the radio silence, that’s normal and purely related to the workload that they’re under.
As long as you report within the timeframe required – 72 hours – you can sit back and wait. If you haven’t heard after a week, or five working days, then pick up the phone and call them. There’ll be a reference number on the automated reply you received initially. You’ll need this number when you call.
Be prepared for some questioning when you hear back. The ICO will quiz you on any discrepancies in your report. They will also ask for more detail, specifically around whether you’ve notified the people affected, or if you haven’t, when you will do so.
In our experience, they’ve always been fair and, in some cases, quite lenient if the incident is appropriately and promptly reported.
Get the process right
The ICO has deliberately kept the reporting process simple. All that’s required on your part is to act quickly and in good faith. Breaches do happen and the first priority is the safety and security of the individuals affected.
Get ready now. Who is your data protection officer? How will customers be notified after a breach? And, more importantly, what can be done to prevent a breach before it even happens? You do not want to answer these questions in the immediate, confusing aftermath of a cyber attack.
By acting swiftly and honestly — and armed with the right tech to identify the issue — you can restrict the harm caused to your customers and to your business.
Cyber attacks have become the norm in business over the past three years. Find out how you can protect your business with ThreatAware’s complete guide to cybersecurity.