With the focus of hackers shifting from targeting weaknesses in technology to now targeting humans, the biggest problem with data security breaches for many companies is the lack of a response plan on how to deal with the breach.
Bryan McCarthy and Finín O’Brien from Ronan Daly Jermyn’s Cyber and Data Protection Group summarise the current law and outline a steps plan for responding to a data breach, the legal implications and notification requirements, and how the GDPR will affect this area.
The current legislation and response plan
The Data Protection Acts 1988 and 2003 (the “DPA”) impose obligations on data controllers under section 2(1)(d) to take “appropriate security measures” to protect the security of their data. A data controller can be fined up to €100,000 by the Data Protection Commissioner for failure to comply with the DPA, however, the disruption that can be caused for a business, coupled with the publicity and brand damage, is often far more of an incentive for companies to prepare for inevitable data breaches.
There are numerous ways to implement appropriate security measures to try and prevent a breach. This may include completing an audit of the company’s data structure and processes, conducting privacy impact assessments, implementing privacy by design to ensure data at every level of your business is protected, employee training and the preparation of a Security Breach Management Plan.
In the event of a breach, a company should take the following practical steps:
Consult your company’s Security Breach Management Plan
This should be your company’s ‘go-to’ document in the event of the breach. It should contain a clear plan setting out the initial and immediate processes that should be put in place to secure systems and prevent further damage being caused by the breach.
Mobilise the pre-assigned Response Team
In the same way that a company likely has employee fire marshals in place in the event of fire, a data breach event too should have a pre-designated Response Team. A data breach Response Team that knows their roles and exactly what to do can save vital time at the key initial moments of a data breach.
A data breach Response Team that knows their roles and exactly what to do can save vital time at the key initial moments of a data breach.
Identify what breach has occurred and take appropriate steps
Any response should be a full company response so that every part of your enterprise is working in sync. This includes management and employees liaising with the Response Team and the IT team to ensure that key information is passed between all parties so that the breach can be dealt with as quickly and efficiently as possible. Forensics should be initiated where appropriate and the company’s cyber insurance cover should be reviewed.
Consider your notification requirements
The DPA do not specifically set out any legislative requirement to notify the Data Protection Commissioner in the event of a breach. That being said, the Data Protection Commissioner published a guideline, Personal Data Security Breach Code of Practice, on 10 July 2010 which sets out a data controller’s notification obligations. One such obligation is that all incidents in which personal data has been put at risk should be reported to the Data Protection Commissioner as soon as the data controller becomes aware of the incident.
There are exceptions however and notification will not be required where:
(a) the full extent and consequences of the incident has been reported without delay directly to the affected data subject(s); and
(b) it affects no more than 100 data subjects; and
(c) it does not include sensitive personal data or personal data of a financial nature.
If there is any doubt however, the Code states that the data controller should report the incident to the Office of the Data Protection Commissioner.
Consider the Public Relations implications and your response (if any)
There are currently no requirements under the DPA for data controllers to notify affected data subjects of a breach (only a requirement to notify the Data Protection Commissioner). Every company will have to consider how they deal with informing those affected and/or the general public and the implications this may have.
Record all actions taken
Keeping a record of every part of response to a data breach can result in the gathering of vital information for the business for dealing with future breaches.
Review the outcome of the breach and the effectiveness of your response
After every breach, an assessment should be completed on the effectiveness of the response, where the Response’s Team actions were effective and where improvements can be made.
Plan on how such a beach can be avoided in the future
A detailed review of the breach, the response, and the final assessment and using the information to plan for and guard against future attacks is often the best form of defence to future data breaches.
Forthcoming legislative changes
From 25 May 2018, the GDPR will impose greater obligations on data controllers. Not only will data controllers be required to implement “appropriate technical and organisational measures” throughout every part of their system processes, they will also have to be able to demonstrate compliance in this regard.
Stricter obligations around data security will also be accompanied by more onerous notification requirements for data controllers. Article 33 of the GDPR introduces an obligation to report all breaches to the Data Protection Commissioner “without undue delay” but not later than 72 hours after having become aware of it. Notification will not be required however where the breach is unlikely to result in a risk to the data subjects. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must communicate the breach to the individual data subject in clear and plain language without undue delay.
Notification will not be required however where the breach is unlikely to result in a risk to the data subjects.
A data security breach is an inevitability for almost all companies today. It can have disastrous consequences for a business, from the loss of information and the corruption of system processes to the publicity implications, and that is before any legal and financial ramifications are considered. The GDPR is only a year away and with it is coming greater security and notification obligations.
Is your company ready?
Contact the authors
Bryan McCarthy, Partner, Head, Cyber and Data Protection Group, email@example.com, +353 1 6054203
Finín O’Brien, Solicitor, Cyber and Data Protection Group, firstname.lastname@example.org, +353 1 6054217
About Ronan Daly Jermyn
Ronan Daly Jermyn is a top 10 Irish law firm with offices in Cork, Dublin, Galway and London and strategic alliances in the US, Europe and Asia. The firm was recently voted Irish Law Firm of the Year 2017 at the Irish Law Awards.