No company, big or small, is immune to a data breach. Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true. According to the Symantec SMB Threat Awareness Poll Global Results, 40 per cent of the data breaches in 2011 were at small to mid-sized companies.
Data breach response policies are essential for organizations of any size. A response policy should outline how your company will respond in the event of a data breach, and lay out an action plan that will be used to investigate potential breaches to mitigate damage should a breach occur.
Defining a Data Breach
A data breach is an incident where Personal Identifying Information (PII) is accessed and/or stolen by an unauthorized individual. Examples of PII include:
Step One - Breach Containment and Preliminary Assessment
A breach or a suspected breach of PII must be immediately investigated and contained. Since all PII is of a highly confidential nature, only personnel necessary for the data breach investigation should be informed of the breach. The following information must be reported to appropriate management personnel:
Step Two - Evaluation of the Risks Associated with the Breach
Once basic information about the breach has been established, management should make a record of events and people involved, as well as any discoveries made over the course of the investigation to determine whether or not a breach has occurred.
After the breach has been verified and contained, perform a risk assessment that rates the:
Step Three - Notification
Each jurisdiction has different provisions for reporting a data breach. In some jurisdictions, impacted customers must be notified before a certain amount of time has passed. Check with legal council or your representative at Axis Insurance Group regarding the regulations in your jurisdiction.
In addition to the affected clients, a company that has suffered a data breach is also encouraged to notify the appropriate Privacy Commissioner(s). In some jurisdictions, notification of the Privacy Commissioner is mandatory. In other jurisdictions, it is only recommended.
Step Four - Prevention of Future Breaches
The final step in the event of a data breach is to protect your company and your clients from the possibility of a future breach. Many times, this practice is as simple as reviewing internal policies and employee training practices. It is advised to perform an audit of all technology to determine the level of security in place. It may also be necessary to contact vendors and partners of the company to ensure that they have effective security policies in place.
We Can Help You Recover from a Data Breach
The four steps outlined in this article are based off of the recommendations made by the Privacy Commissioner in 2007.
At the Axis Insurance Group, we understand the negative effects a data breach can have at your company. Contact us today so we can show you how to recover from a breach and get your company back on its feet.
Do you know how to stay compliant in the event of a data breach? Download our Digital Privacy Act Guide for information on the steps you need to know.