Data Breaches happen all the time. It’s difficult to get a clear statistic on exactly how exactly how common they are (a recent survey suggests that over %50 of organizations have had a breach in the past year). Last year nearly 2,300 data breaches were reported to the Office of the Data Protection Commissioner. This is only reported breaches, of course. A good number of smaller breaches would not have required notifying the DPC, and there is of course always the possibility of larger breaches where the DPC should have been notified but wasn’t . . . and the possibility of breaches that hadn’t yet been discovered.
Clear, practical training and consistent, realistic policies and procedures will help mitigate the risk of breaches. But when a breach does happen, you need to know how to respond and have a plan. It is vital to have a response strategy ready so that you can respond quickly and efficiently to minimize damage.
While the most highly publicized data breaches may be due to external attacks, most breaches are caused by simple human error. According to the Data Protection Commissioner, “The principal causes of data breaches were human error and not systemic, such as the inclusion of the wrong bank statement in the wrong envelope, or the attachment of the wrong spreadsheet to an email.” Human factors require support and mentoring.
It is very important to consider the “human factor” when developing a response plan.
- First of all, stay calm and don’t blame anyone. Our emotional response we have to finding out about a data breach we may have been involved in is similar whether we were the data subject whose information has been breached or the controller responsible for the data that has been breached – feeling loss of control, and fear about what will happen. This can easily lead to panic, but it’s counterproductive. As my favourite 900-year-old wise guy said, “Fear is the path to the Dark Side. Fear leads to anger. Anger leads to hate. Hate leads to suffering.” And while Sith lords may have a keen sense of style, their typical response to human error is somewhat lacking.
- Speaking of support and mentoring, responding to a loss of control by punishing your subordinates is a good way to make sure people hide data breach risks in the hope that nobody will notice and the problem will just go away. (I certainly wouldn’t have wanted to be the one to suggest to Lord Vader that there might be a security risk to the Death Star involving the thermal exhaust port. I mean, what are the odds that it will really be a problem?) This is when small breaches turn into large headaches.
choking coaching our clients, we advocate creating a solution focussed, blame free culture where people feel free to report any risks so that they can be mitigated. Knowing the risks and finding solutions are far more important than apportioning blame. A blame free reporting culture also helps your organization to learn from near-misses, so you can fine-tune your procedures to mitigate risks as well as honing your breach response. Focussing on lessons learned gives you ways to improve your treatment of data as an asset and minimize the risk of breach.
- What governance procedures could be put in place to ensure data is treated properly and risk is minimized?
- Are you keeping data longer than you need to?
- Do you have procedures in place to promptly notify the people affected and reassure them you are doing what you can to protect them?
A prompt response to a data breach reduces headaches on all sides. Know how to respond, and have a plan. Approach the management of data breach risk strategically but pragmatically, and be sure you can learn from near-misses.
Ultimately, a blame-free culture is not the same as a responsiblity or accountability free culture. However, if people feel they can raise their hands to an issue, point out concerns, or acknowledge their role in an incident without being choked by the boss, chances are they will engage more willingly in the preventative controls, and remediation activities that need to be in place to address Data Breaches.
Top Tips When a Breach Happens:
- Stay calm
- Focus on the issue, the root causes, and evidence gathering
- Stay calm
- Have a rehearsed breach response plan that sets out everyone’s role
- Stay calm
- Don’t jump to conclusions about causes. Speak with data
- Stay calm
- Involve the appropriate law enforcement and relevant service providers
- Stay calm
- Notify the Data Protection Commissioner if required.