How to Handle Privacy Breaches inside your organisation.
A privacy breach is something of a worst nightmare for many businesses and their customers. The lack of information when a breach is first discovered often induces confusion and decision paralysis. Many questions are thrown up, often without clear answers.
What happened? Who was affected? Are we still vulnerable?
Breaches are becoming more common as more information is hosted and exchanged digitally, and this is increasing the expectation from customers and regulators that businesses and agencies have prepared themselves for such an event.
So, what does a proper response to a privacy breach look like?
Monitor your network for potential breaches. Put in place processes to collect and audit access logs, test your security, ask your customers and clients to report if they see anything suspicious that might indicate their data has been breached.
A plan should already be in place for when a breach is discovered. When a breach is discovered – and there are many varied ways that happens – the party that is first notified should be able to immediately reach for the breach response plan.
The plan would then lay out the exact steps to take in response. It should be specific, including who to contact and how, what information to record and where to report it. The plan should also cover how to identify whether there is a legal or regulatory requirement to report the breach, such as under the OAIC’s Notifiable Data Breach scheme.
Discovery of a data breach is a time for action. Early interventions are important in controlling the scale and impact of the breach.
Ensure processes are performed efficiently and quickly, with key people prioritising breach response over the everyday needs of business-as-usual operations. Systems administrators and operators should be involved closely and the breach response should be a collaboration between the business and IT stakeholders so that risks are understood, and mitigations can be put in place.
Affected parties, such as customers, should be contacted as soon as possible and given adequate and specific advice. Delays in releasing information because individuals are waiting on responses from others can needlessly increase the harm caused by a breach, even if the breach is judged to be contained.
Be transparent and communicative
There is often a fear of and reluctance about letting affected parties know that their information has been subject to a privacy breach. This cautiousness results in convoluted approval processes for information release being put in place, which act as obstacles to transparency and open communication.
A notification of a breach that comes via a carefully worded snail mail letter – sometimes six months after the breach has occurred – does not reassure customers. Organisations need to reinforce that they are to be trusted with personal information. This means getting in contact quickly through preferred communication channels, advising affected parties about what is known about the nature of the breach, giving them specific advice on what actions can be taken at that moment, informing them when they will be receiving updated information, and providing them with a contact point.
The general wording and distribution of this communication can be planned before any breach occurs. As a principle, there should be no hiding from accountability and transparency; hiding only increases the potential for reputational damage.
Privacy breaches can have multiple complex causes, and mitigation efforts can be similarly varied. One positive outcome is that a transparently handled privacy breach can give you great insight into the vulnerabilities, risks and behaviours of your organisation.
What caused the breach? Was it due to the type of information that was collected? The way it was transmitted and stored? The way staff or customers use your systems?
This information is valuable, and should be shared through the organisation, and with your contracted service providers who handle and help protect your data. If you can use a data breach to improve your privacy risk profile, your organisation can put in place changes which better protect your data and help support breach response procedures if a future breach should occur.
So what benefit is realised through good breach response practices? It isn’t just about meeting regulatory requirements and avoiding legal consequences. There are tangible business benefits to having good response processes in place.
- A quality response supports customers and the business more generally. Privacy breaches are stressful. Good response activities relieve stress on staff, they protect customers and they demonstrate the strengths of an organisation.
- The scale, size and impact of breaches can be limited. Simple responses made quickly and communicated widely often provide the greatest protection against increasing harm to customers, clients, staff and the organisation more generally.
- The potential for reputational damage resulting from privacy risks is serious. However, a well-executed privacy breach response not only limits this damage but also allows your organisation to demonstrate good practice. This can reassure customers and clients, whose trust in your organisation may increase through what they see as strong and responsive action to prioritise and protect their interests.
- A proper response takes effort and planning, and this comes with a cost. This is on top of any costs that are incurred as a result of the breach and the subsequent mitigations put in place. These costs can, however, be treated as an investment in privacy and data protection. The trust built with staff and customers, the valuable information gathered, the stress testing of procedures and practices, and the resulting improvements to processes and system design are all tangible returns on this investment. An improper or inadequate breach response produces none of these, and the cost and effort spent become a liability.
If you need support or insight with understanding your best, next step when it comes to developing incident response processes, or any other privacy concerns, get in contact with our friendly team at Doll Martin Associates to set up an obligation-free chat.