
Data Breach: How To Prevent And Manage It

Managing a data breach is a complex and critical activity, and both the prevention phase and the response phase must be studied and prepared in advance. By the time we talk about a data breach, the event that harmed personal data has usually already happened.

We are therefore already in the “emergency” phase, which must be managed from both a procedural and a reputational point of view. Within a company or a professional practice, everyone must know exactly what to do and when to do it, so the data breach must be addressed in a preventive phase in order to be handled correctly when it occurs.

What Is A Data Breach?

Let us start with the definition of a data breach. The term is often, wrongly, taken to mean only a hacker attack that blocks access to the personal data being processed. A data breach must instead be understood as any security breach that leads, accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed (the definition in Article 4(12) of the GDPR).

It is therefore an event that affects the availability, integrity, or confidentiality of data. Starting from this correctly outlined concept means understanding the scope of the event and, consequently, identifying the right actions and procedures to implement. A loss of data availability can result from a hacker attack, from ransomware, or from the theft or loss of a device or a USB stick.

In the same way, the manipulation of data by a disloyal employee, or the insertion of records that “pollute” those already present in a database, is an event that affects the integrity of the data (think, for example, of the results of clinical examinations), just as access or consultation by an unauthorized third party affects the confidentiality of the data.

In all these cases, therefore, there is a data breach, and the correct procedure must be activated, both as regards the (possible) notification to the Guarantor, the supervisory authority, and the (again, possible) communication to the data subjects. Both of these communications presuppose a careful assessment and analysis of the event that occurred and of the effects it may have, assessments that require adequate training and knowledge of the company’s specific procedures.

Prevention: Training And Policy

Staff training and company policies are essential elements of data breach prevention. Employee training is one of the technical and organizational measures adopted for corporate compliance. Roles and responsibilities must be assigned so that everyone knows exactly what to do, and how to do it, at the moment of greatest pressure.

Managing a data breach, whatever its severity, cannot be improvised: every single action must follow the procedures prepared beforehand, so that the emotional reaction to the incident does not compromise its correct handling. Establishing the procedures in advance means putting in place a real emergency plan, with defined and bounded roles and activities, so that there are neither overlaps nor, conversely, gaps that expose the organization to further harm.

Data Breach: Notification To The Guarantor, And When It Must Be Made

Under Article 33 of the GDPR, the data controller must notify the supervisory authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” If the notification to the supervisory authority is not made within 72 hours, it must be accompanied by the reasons for the delay. Notification to the Guarantor is undoubtedly one of the crucial points of data breach management, and it necessarily depends on correctly qualifying and understanding the specific characteristics of the event.

Must every data breach be notified? If not, must it still be recorded somewhere, and how? Not every data breach must necessarily be notified to the Guarantor, at least not within the 72 hours following the discovery of the event: notification may become necessary only some time after the event. Consider, for example, the loss of an encrypted USB stick. Here the encryption could lead one to conclude that notification is unnecessary, because this security measure makes the risk to the rights and freedoms of the data subjects very low (Article 34(3)(a) makes the same point for communication to data subjects, where the data have been rendered unintelligible to unauthorized persons).

However, that conclusion rests on assumptions that must be checked, and then re-checked over time. The first concerns the effectiveness of the encryption and its validity over time. Encryption protects the lost data only if the key did not travel with the device and if the algorithm, key length and implementation are adequate; and what counts as adequate changes. A cipher or key length that guarantees a high level of protection today (hence the assessment that notification is unnecessary) could later offer reduced protection because of technological advances, or because the specific implementation turns out to be breakable. In that case the notification should be made later, on the basis of a fresh assessment that differs from the one made immediately after the event.

Individual data breaches, therefore, must be monitored over time even when they are not notified, since, as mentioned, technological evolution can change the characteristics of an incident and make further activities necessary later on. This is where the importance of the register of breaches comes from: under Article 33(5), the controller must document every personal data breach, comprising the facts, its effects and the remedial action taken, regardless of whether it is notified to the Guarantor, and must keep each entry updated as the assessment of the breach changes.
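As an added example (not code from the article, and not any regulator’s template): a minimal breach register in Python that records each incident together with its successive risk assessments, flags entries that now need notifying because the 72-hour window has passed, refuses to record a late notification without the reasons for the delay, and round-trips to JSON lines for storage. The field names, the low/medium/high risk scale, the dates and the facts of the lost USB stick are this example’s own assumptions.

```python
"""Minimal personal-data-breach register (added example, not the article's code).

The field names, JSON-lines layout and "low" / "medium" / "high" risk scale
are this example's assumptions, not a regulator's template.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone

RISK_LEVELS = ("low", "medium", "high")   # assumed scale
NOTIFY_WINDOW = timedelta(hours=72)        # Art. 33(1): 72 hours after becoming aware


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; a naive value is taken as UTC."""
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


@dataclass
class Assessment:
    at: str       # when the assessment was made
    risk: str     # one of RISK_LEVELS
    reason: str   # why this level was chosen, so a later reviewer can revisit it


@dataclass
class BreachRecord:
    id: str
    discovered_at: str                  # when the controller became aware of the breach
    facts: str                          # Art. 33(5): facts, effects and remedial action
    effects: str = ""
    remedial_action: str = ""
    assessments: list[Assessment] = field(default_factory=list)
    notified_authority_at: str | None = None
    delay_reason: str | None = None
    communicated_subjects_at: str | None = None

    def current_risk(self) -> str:
        return self.assessments[-1].risk if self.assessments else "unassessed"

    def deadline(self) -> datetime:
        return parse_ts(self.discovered_at) + NOTIFY_WINDOW

    def is_late(self, at: str) -> bool:
        return parse_ts(at) > self.deadline()

    def needs_authority_notification(self) -> bool:
        # Art. 33(1): notify unless the breach is unlikely to result in a risk
        return self.current_risk() in ("medium", "high") and self.notified_authority_at is None

    def needs_subject_communication(self) -> bool:
        # Art. 34(1): communicate to the data subjects when the risk is likely to be high
        return self.current_risk() == "high" and self.communicated_subjects_at is None

    def reassess(self, at: str, risk: str, reason: str) -> None:
        """Append a new assessment; the history is kept, never overwritten."""
        if risk not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {risk!r}")
        self.assessments.append(Assessment(at, risk, reason))

    def notify_authority(self, at: str, delay_reason: str | None = None) -> None:
        """Record the Art. 33 notification; a late one must carry the reasons for the delay."""
        if self.is_late(at) and not delay_reason:
            raise ValueError("past the 72-hour window: the reasons for the delay are required")
        self.notified_authority_at = at
        self.delay_reason = delay_reason


def overdue(register: list[BreachRecord], now: str) -> list[str]:
    """IDs of records that need notifying and whose 72-hour window has already passed."""
    return [r.id for r in register if r.needs_authority_notification() and r.is_late(now)]


def to_jsonl(register: list[BreachRecord]) -> str:
    return "\n".join(json.dumps(asdict(r)) for r in register)


def from_jsonl(text: str) -> list[BreachRecord]:
    records = []
    for line in text.splitlines():
        data = json.loads(line)
        data["assessments"] = [Assessment(**a) for a in data["assessments"]]
        records.append(BreachRecord(**data))
    return records


def usb_stick_scenario() -> BreachRecord:
    """The article's lost encrypted USB stick, with constructed dates and facts."""
    r = BreachRecord(
        id="2024-007",
        discovered_at="2024-03-01T09:00:00+00:00",
        facts="USB stick with HR records reported lost on a train (constructed scenario)",
    )
    r.reassess("2024-03-01T15:00:00+00:00", "low",
               "Stick is fully encrypted; passphrase held only in the company password vault")
    # Not notified, but kept in the register. Two months later the judgement is
    # overturned: the passphrase had been written on a note kept in the same case.
    r.reassess("2024-05-10T10:00:00+00:00", "high",
               "Passphrase found to have travelled with the device; the encryption gives no protection")
    return r
```

Running `usb_stick_scenario()` and then `overdue([record], now)` shows the article’s point in practice: the entry that was correctly left un-notified in March becomes a high-risk, overdue item in May, and `notify_authority` will not accept the late notification until the reasons for the delay are recorded alongside it.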

Data Breach: Communication To Data Subjects

Last, but not least, there is the communication to the data subjects. Under Article 34 of the Regulation, “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”

Here too a careful evaluation of the characteristics of the incident is needed, since the obligation to communicate directly with the data subjects derives from those characteristics. This is not a minor problem: the analysis must cover both whether the communication is required and the concrete way in which to carry it out while protecting the organization’s reputation.

What To Do In Case Of Violation

A few common-sense rules can help you manage the incident and protect your reputation.

  1. Never deny what happened: the truth is easily discovered. Denying an actual breach is not a sound strategy, because the attacker can contradict the denial by publishing evidence of the intrusion and of the stolen data.
  2. Never give out information you are not sure of: if the facts are still uncertain, avoid details, give general information, defer the specifics to a later time, and state that periodic updates will follow.
  3. Acknowledge the problem and describe the measures being taken to resolve it and to prevent it from happening again.
  4. Never blame third parties by pointing the finger at specific subjects: blaming a hacker when the cause was something else is a serious mistake that can easily be disproved and exposes the company to further reputational damage.
  5. Respond to requests for information from data subjects: requests must be met with an appropriate tone and content, giving precise answers to each one. If you are unable to provide the information requested, explain why and refer the data subject to later updates, which must of course be provided as soon as they are available.
