In today's hyper-connected world, data breaches are a threat to both organizations and individuals. Security teams no longer ask whether an attack is coming, but when, and how to plan for it. When a business suffers a data breach, it faces a wide range of effects and risks that can hurt it in many ways, and establishing what actually happened can be very expensive. When companies invest in information security, they often do so to protect their own confidential data and the personal information of their customers. In the past few years, privacy incidents have been reported often enough to make people wonder whether companies have the right incentives to keep customer information safe.
As organizations store and process more personal information, the information systems they need to keep it safe also become more complicated. There is a link between this data trend and a rise in the number of privacy incidents. No matter how many security measures you put in place, you can never be sure that no one will get in. If there is a breach, the regulator could look into it, which could lead to enforcement action against your organization. It is important to be ready.
You need to know how to spot a breach, report it, and deal with it. It is possible to work all of this out once a breach has happened, but it is much harder to take the right steps if you have not planned your procedure in advance, because you have only a short time in which to notify the regulator.
What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Examples of a breach might include:
- loss or theft of hard-copy notes, USB drives, or computing devices containing personal data
- an unauthorised person gaining access to your laptop, email account, or computer network
- a bulk email sent using ‘to’ or ‘cc’ where ‘bcc’ (blind carbon copy) should have been used
- a disgruntled employee copying a list of contacts for their personal use
- a break-in at the office where personnel files are kept in unlocked storage
- access by an unauthorised third party
- deliberate or accidental action (or inaction) by a controller or processor
- sending personal data to an incorrect recipient
- alteration of personal data without permission
- loss of availability of personal data
A personal data breach is a security incident that affects the confidentiality, availability, or accuracy of personal information. In short, a personal data breach happens when personal information is accidentally lost, destroyed, corrupted, or disclosed; when someone accesses the information or passes it to someone else without permission; or when the information is made unavailable, and the people concerned are harmed as a result.
According to Recital 85 of the UK GDPR:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
This means that a breach can hurt people in many ways, including emotional distress as well as physical and material harm. Some leaks of personal information would do little more than inconvenience the people who need that information to do their jobs. Other breaches can have serious effects on the people whose personal information has been stolen. You need to assess each situation on its own facts and decide how to handle it.
For example, if someone stole a customer database, the information in it could be used to commit identity fraud. The people who could lose money or suffer other harm would need to be told. So, when you discover a breach, you should contain it and assess what harm could come to individuals, weighing both how severe that harm would be and how likely it is to occur. A direct penalty from a regulator is the most immediate consequence of a privacy breach. Beyond the immediate costs, a privacy incident can have indirect effects that last a long time. Privacy is a key part of trust, and trust is a key part of privacy. An incident can damage a customer or partner relationship built on that trust. When a company admits a breach, public trust can be lost, and that loss of reputation can have measurable consequences for the company’s market share. It is worth noting that consumers retain a negative impression of the firms responsible and will change their buying habits. A firm may also face higher liability insurance premiums after a breach, and prospective business partners may be less inclined to trust it.
Keeping a clear record of breaches will help you to meet accountability requirements and is an appropriate measure to ensure the security of processing. These records will allow the regulator to verify that compliance with the reporting of relevant breaches is happening.
You will also need to act on any breach to reduce the risk of recurrence. Identifying patterns or gaps in your practice is important, and keeping records shows that you are taking responsibility for what happened.
You can choose how you keep this record. It could be a long-form written document or a spreadsheet. It is advisable to record:
- the date that the breach happened
- when it was identified and by whom
- if and when the regulator was notified
- the nature and circumstances of the breach
- what types of personal information were involved
- how many people were affected
- likely effects of the breach, especially if there is evidence of effects
- if a breach was not reported to the regulator, the reasons for this decision
- remedial action taken to address the breach and prevent recurrence
- any other information you think relevant
Consequences of a Data Breach
Data breaches can cause significant harm in multiple ways. Individuals whose personal information is involved in a data breach may be at risk of serious harm, whether to their physical or mental well-being, financial loss, or damage to their reputation. A data breach can also damage an entity’s reputation for privacy protection and, as a result, undercut its commercial interests. Privacy protection contributes to an individual’s trust in an entity. If an entity is perceived to be handling personal information contrary to society’s expectations, individuals may seek out alternative products and services. An entity can reduce the reputational impact of a data breach by effectively minimising the risk of harm to affected individuals and by demonstrating accountability in its data breach response. This involves being transparent when a data breach that is likely to cause serious harm to affected individuals occurs.
Transparency enables individuals to take steps to reduce their risk of harm. It also demonstrates that an entity takes its responsibility to protect personal information seriously, which is integral to building and maintaining trust in an entity’s personal information handling capability.
Author: Emmanuel K. Gadasu
(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)
For comments, contact author email@example.com or Mobile: +233-243913077