IT's secure role
Organisations need IT and security specialists to ensure the privacy of their precious data. If they don't, then they don't deserve to be in business. Between them, these specialists and others (the executive team, the board, legal, data protection, customer managers and PR, for example) manage all the processes around data breaches and their consequences.
In the event of a breach of personal data, you have 72 hours from discovering it to assemble as much information as possible before notifying the ICO of the breach. While it might be tempting to expend energy on blame, it is best to park that and focus on what happened, to what data, whether it's really personal, and the likely scale and impact of the breach, including second- and third-order implications.
Avid Life Media (ALM) ran websites that facilitated affairs between its customers. It gave the hollow promise that personal data would be "anonymous" and "100% secure." A hacker stole 36 million personal records from two of its websites and threatened to publish the data if the websites weren't closed. They weren't, and the records were made public. The hacker originally entered the system by using a company insider's login details.
A report on the ALM breach by the Privacy Commissioners of Canada and Australia included the statement, "It is crucial for organizations that hold personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise (internal or external). This is especially the case where the personal information held includes information of a sensitive nature that, if compromised, could cause significant reputational or other harms to the individuals affected." Such harm, in this case, could include reputational damage, suicide and the financial and emotional fall-out from divorce, for example.
Depending on your company's professionalism with respect to personal data privacy, the UK's ICO can react in a variety of ways from providing advice to imposing a fine of up to 4% of annual worldwide company turnover. It is vital, in the interests of protecting data subjects, that organisations move swiftly following the discovery of a breach in order to protect those whose data they hold.
Any company facing a serious data breach will be able to turn to their Data Protection Officer (DPO) for guidance through the minefield of gathering, organising and reporting details to the ICO. Others in the company will be able to help and advise on notifying those affected by the breach. Some marketing-focused organisations have found it hard to resist putting promotional messages in their notifications - "We're really sorry this has happened but click here to get your special discount on your next order." Resist the urge. Stick to the facts and, if you want to, send a separate email offer a little later.
The most important thing for all organisations is to have security procedures in place and for them to be shared and understood by everyone in the company who will be affected by them. Even if the approach is off-the-shelf, its implementation will vary by company. Sample incidents need to be created and procedures tested with all involved in order to prove their practicality.
If your department is handling personal data and you know nothing of these procedures and tests, then you need to investigate. Remember, in the event of a breach discovery, you have only 72 hours to give the ICO a meaningful reaction. You wouldn't want to be inventing procedures on the fly.
Sometimes it's hard to get all the information together within the 72 hours or perhaps you're not even certain that any personal data has been lost. In either case, the ICO still expects to be notified and kept up to date reasonably quickly after the initial deadline.
Decent data protection procedures that are actually followed will go a long way to spare you a fine. It's the deniers, the duckers and the divers that tend to get it in the neck, often very publicly and with great consequent harm.