After a year of disruption, the growing pains of cybercrime are becoming gradually more a nuisance, and a drama, for businesses says Dan May,Commercial Director at @ramsac_ltd.
With swells of information online, and practical resources, it may be easier to identify a crime, but it’s not always obvious what the proper response or sanction should be. When it comes to data protection and operational compliance, authorities like the Information Commissioners Office, or ICO, have all noticed a pattern of confusion surrounding incident management. Businesses, apparently, aren’t sure how they can combat cybercrime.
The Information Commissioner’s Office recently revealed that nearly a third of the total 500 reports of data breaches are unnecessary, entirely redundant, or fail to meet the minimum threshold of a GDPR personal data breach. This comes as many firms attempt to ready themselves for changing GDPR (General Data Protection Regulation) compliance; with this evolving compliance, there is a growing level of shared misunderstanding when it comes to appropriate incident management under data protection regulation.
One growing trend, ‘over-reporting’ is perhaps the most common reaction to perceived breaches against a company. Whilst this is mostly driven by honesty and transparency, clearing up misconceptions surrounding GDPR and data breaches should help businesses remain competitive by avoiding risky or costly penalties.
Over reporting is not a strategy. It’s the height of this confusion, a kind of scattered reaction, or misunderstanding about how to control a data breach. Under GDPR compliance, which covers European territories and beyond, it is a matter of strictest compliance to officially report compromises to your stored data. Reporting this is also considerably more important than a kind courtesy for your employees, but it can regulate the collection, movement, and storage of personal information, which can thwart cybercrime.
As captured by the General Data Protection Regulation, a personal breach can be understood as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (captured in Article 4, definition 12).
Importantly, not all ‘breaches’ are equal in severity. Therefore, not every incident needs to be officially reported. Any compromise that falls outside of the above definition, or where the severity represents a low risk, then action isn’t required. The goal for businesses should be clarifying whether action is officially required or not for each scenario of breach.
It is good practice to evaluate incidents and cases individually. Start by determining the next actions based on the severity, or compromise, of each breach. Some breaches may only affect or inconvenience the role of a single employee, whereas larger compromises can impact so much more.
Any business that suffers a breach should plan to formally document what happened and any next actions, including whether it was reported or if it failed to meet the criteria.
What needs to be officially reported?
Compliance isn’t easy. When businesses fail to properly respond to the ICO’s request for information, typically by misreporting with inaccurate data, then the risk for penalties or incompliance is only heightened. Incident management can – and should – be anticipated as part of a strategy for handling future breaches. Every business, in conjunction with their HR department, should work to identify the common risks and by understanding the best action to rectify (or manage) the incident.
Refer to the ICO’s data breach reporting assessment for the kinds of information required following a breach. Your investigation should match their expectations for the depth of information supplied. The ICO expects you to document from the breach discovery to management of its effects, and following actions.
Failure to respond properly to data breaches, under the GDPR, has a single outcome: penalties. The role of data protection cannot be underestimated. Compliance with GDPR can define how your operation does business in the faraway markets under data protection governance.
How soon should a breach be reported?
All businesses are responsible for identifying, and responding to, breaches under data protection. Not only should businesses aim to have the proper and proportionate controls in place to promptly detect, and rectify, a breach, but they should report any compromises within 72 hours to the supervisory authority (which is summarised in Article 33). One of the most common oversights about compliance with GDPR is that this mandatory reporting period accounts for 72 working hours – a breach, on the contrary, should be controlled within 72 hours from the moment of discovery.
If an employee or the public is involved by unauthorised data breaches, those affected should be appropriately notified immediately and sensitively. This will allow those affected parties an opportunity to take precautions and guard themselves from any fallout.