4 easy guides to data breach assessment
A data breach is an incident that exposes personal data in an organisation's possession or under its control to the risk of unauthorised access, collection, use, disclosure, copying, modification, disposal or similar harm. Data breaches often lead to financial losses and a loss of consumer trust for the organisation.
Organisations are accountable to individuals for preventing and managing data breaches, and data breach assessment is how that accountability is exercised in practice. This guide is intended to help organisations manage data breaches effectively.
Monitoring by organizations
Data breaches can occur for various reasons, such as malicious activity, human error or computer system error. Organisations should put in place measures that allow them to monitor for warning signs and take pre-emptive action before a data breach occurs, for example:
- Monitoring inbound and outbound traffic for websites and databases for abnormal network activity (an unexpected spike in outbound volume from a database server is a classic sign of exfiltration).
- Using real-time intrusion detection software designed to detect unauthorised user activity, attacks and network compromises.
- Using security cameras to monitor the internal and external perimeters of secure areas such as data centres and server rooms.
Data breach assessment plan
Planning for data breach assessment is best done early. Organisations that do not have a data breach assessment plan in place will find it chaotic and challenging when faced with an actual data breach. A robust plan helps organisations manage and respond to data breaches more effectively. The plan should set out the following:
- A clear explanation of what constitutes a data breach (both suspected and confirmed) – This will assist employees in identifying a data breach and respond promptly should one occur.
- How to report a data breach internally – Every employee has a role in reporting data breaches. An employee who becomes aware of a potential or actual data breach should know how, and to whom, to report it within the organisation: for example the data protection officer, a senior management representative or the data breach assessment team, i.e. those with expertise in handling data breaches.
- How to respond to a data breach – The strategy for containing, assessing and managing data breaches would include roles and responsibilities of the employees and data breach management team. Organizations can also consider preparing contingency plans for possible data breach scenarios and measures to be taken or run regular breach simulation exercises to better prepare themselves for responding to data breaches in a prompt and effective manner.
- Responsibilities of the data breach management team – The composition and the roles and responsibilities of each member of the management team should be clear. In addition, a clear command and reporting structure of personnel at the management level who would be responsible for assessing the risks and making time-critical decisions on steps to be taken to contain and manage the data breach should be clearly established and documented. This will ensure that the organization’s response to the data breach will not be unnecessarily delayed.
Staff should immediately report all suspected or confirmed data breaches to a designated individual or individuals with expertise in handling personal data and data breaches.
The data breach management team should then conduct an initial assessment to gauge the severity of the data breach. This should cover the following:
- Cause of the data breach and whether the breach is still ongoing
- Number of individuals affected
- Types of personal data disclosed
- Systems and/or services affected
- Whether help is required to contain the breach
Act swiftly to contain the breach (i.e. taking immediate steps to limit any further access to or disclosure of the personal data). Record the data breach and the organization’s response(s) in an Incident Record Log.
Data intermediaries should report data breaches to the organisation on whose behalf they process the data without undue delay, and no later than 24 hours from the time they first become aware of the breach.
An in-depth assessment of the data breach can help an organisation understand the risks posed by the data breach and how these risks can be addressed. When assessing the breach, consider the following:
- The circumstances of the data breach, including its cause and extent
- The types of personal data involved
- The number and groups of affected individuals
- Risks involved
- Whether external help is required
- Remedial actions which can be taken if deemed necessary
When evaluating risks posed by the data breach, consider the following:
- Sensitivity of the data involved
- Presence of mitigating factors (e.g. encryption)
- What happened to the data
- The nature of the harm to the affected individuals (if any)
Through this assessment, organisations should be able to conclude whether the data breach is likely or unlikely to result in significant harm to the affected individuals.
NOTIFY THE PDPC when significant harm or impact to affected individuals is likely, or when 500 or more individuals are affected. Organisations should notify the PDPC as soon as practicable, and no later than 72 hours from the time the organisation completes its assessment. The notification may be sent to the PDPC by email.
NOTIFY AFFECTED INDIVIDUALS when significant harm or impact to them is likely. Organisations should notify affected individuals as soon as practicable. Notifications should include (but need not be limited to) the following:
- Specific facts on the data breach
- Actions individuals can take
- Organisation’s contact details
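The steps above (initial assessment, in-depth assessment, notification decision, incident record log) fit naturally into a small piece of tooling that a data breach management team can run consistently under time pressure. The script below is an added example and is not part of the guide: it encodes the guide's two notification triggers (likely significant harm, or 500 or more individuals), computes the 72-hour PDPC deadline from the assessment time and the 24-hour intermediary deadline from the time of awareness, and writes every decision to an append-only JSON-lines incident record log. The rule used to decide whether significant harm is likely (sensitive data actually exposed and not mitigated by encryption whose key stayed safe), the list of sensitive data types, the field names and the three sample incidents are all assumptions made here for illustration; the guide lists factors to weigh but prescribes no formula.

```python
"""Incident record log and notification-duty check for a personal data breach.

Added example, not from the guide. The harm rule, the sensitive data-type
list, the field names and the sample incidents are assumptions made here.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds and deadlines as stated in the guide.
SIGNIFICANT_SCALE = 500                      # individuals affected
PDPC_DEADLINE = timedelta(hours=72)          # from completion of the assessment
INTERMEDIARY_DEADLINE = timedelta(hours=24)  # from first becoming aware

# Assumption: data types this organisation treats as sensitive (not a PDPC list).
SENSITIVE_TYPES = {"nric", "passport", "financial", "medical", "credentials"}


@dataclass
class Assessment:
    incident_id: str
    cause: str             # e.g. "exposed database backup", "phishing"
    ongoing: bool          # can the data still be accessed? contain first if so
    affected_count: int
    data_types: list       # e.g. ["name", "email", "nric"]
    data_exposed: bool     # did the data actually leave the organisation's control?
    encrypted: bool        # mitigating factor: data was strongly encrypted...
    key_compromised: bool  # ...which only helps if the key was not taken as well
    aware_at: datetime
    assessed_at: datetime


def harm_likely(a: Assessment) -> bool:
    """Illustrative rule (an assumption, not from the guide) for 'likely to
    result in significant harm': sensitive data actually left the
    organisation's control and encryption does not mitigate the exposure."""
    sensitive = bool(SENSITIVE_TYPES & {t.lower() for t in a.data_types})
    mitigated = a.encrypted and not a.key_compromised
    return a.data_exposed and sensitive and not mitigated


def notification_duties(a: Assessment, intermediary: bool = False) -> dict:
    """Apply the guide's notification rules to a completed assessment."""
    harm = harm_likely(a)
    notify_pdpc = harm or a.affected_count >= SIGNIFICANT_SCALE
    duties = {
        "contain_first": a.ongoing,
        "harm_likely": harm,
        "notify_pdpc": notify_pdpc,
        "pdpc_deadline": (a.assessed_at + PDPC_DEADLINE).isoformat() if notify_pdpc else None,
        "notify_individuals": harm,  # scale alone does not trigger this
    }
    if intermediary:  # a data intermediary must also tell the controlling organisation
        duties["report_to_organisation_by"] = (a.aware_at + INTERMEDIARY_DEADLINE).isoformat()
    return duties


class IncidentLog:
    """Append-only, timestamped incident record log, one JSON object per line."""

    def __init__(self):
        self.lines = []

    def record(self, incident_id: str, event: str, ts: datetime = None, **details) -> str:
        ts = ts or datetime.now(timezone.utc)
        entry = {"ts": ts.isoformat(), "incident_id": incident_id, "event": event, **details}
        self.lines.append(json.dumps(entry, sort_keys=True))
        return self.lines[-1]


# Constructed sample incidents (not real cases).
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
T1 = T0 + timedelta(hours=30)
CASES = [
    Assessment("INC-1", "exposed database backup", False, 1200, ["name", "nric"],
               True, False, False, T0, T1),
    Assessment("INC-2", "laptop theft", False, 800, ["name", "email"],
               True, False, False, T0, T1),
    Assessment("INC-3", "laptop theft", False, 40, ["name", "nric", "medical"],
               True, True, False, T0, T1),
]


def run_cases() -> list:
    """Assess each sample incident, log the decision, and return the duties."""
    log = IncidentLog()
    results = []
    for a in CASES:
        log.record(a.incident_id, "assessment_completed", ts=a.assessed_at,
                   cause=a.cause, affected=a.affected_count)
        d = notification_duties(a)
        log.record(a.incident_id, "notification_decision", ts=a.assessed_at, **d)
        results.append(d)
    return results


if __name__ == "__main__":
    for a, d in zip(CASES, run_cases()):
        print(a.incident_id, d)
```

The three sample cases show the asymmetry the guide describes: INC-1 (unencrypted NRIC numbers, 1,200 people) triggers both notifications; INC-2 (names and emails only, 800 people) must go to the PDPC on scale alone but does not require notifying individuals; INC-3 (medical data, but encrypted with the key intact) triggers neither, because encryption is a mitigating factor only while the key is safe. Whether a given organisation should treat 40 leaked medical records as "unlikely to cause significant harm" is a judgement call the code cannot make for you; the point of the tool is that the judgement and its inputs are recorded.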
Review and take action to prevent future breaches. This may include the following:
- Implementation/continuing efforts of the remediation actions
- Identification of areas of weakness and taking action to strengthen them
- Effectiveness of the organisation’s data breach response(s)
- Corrective actions to be taken
Having a data breach management plan in place is important, as it enables organisations to respond swiftly and manage any data breach in a systematic manner. Organisations are encouraged to proactively develop and implement a robust data breach management and response plan, and to review the plan regularly to ensure it remains effective and relevant as business operations evolve.