Shhh... your data has been breached!
In the recent past, reporting of data breaches has been secretive rather than open communication with users, regulators and other relevant stakeholders!
Approximately 150 million users of the Under Armour owned app MyFitnessPal have had their personal details leaked in a data breach, including usernames, email addresses and passwords. In a written statement issued on 29 March, Under Armour said that it became aware of the breach on 25 March, though it actually occurred in late February 2018.*
More than 92 million MyHeritage user accounts were compromised when a data breach occurred at the genealogy testing service website. Once again, the breach occurred in October 2017 but wasn't reported until the following June, when an unnamed security researcher informed MyHeritage's Chief Security Officer.*
Uber concealed a hack that affected 57 million customers and drivers worldwide (2.7 million users in the UK alone), the company has confirmed. The breach, which took place in 2016, was kept under wraps by the taxi-hailing firm, which paid hackers $100,000 (£75,000) to delete the data.*
Although there are many more data breach examples, the above three are sufficient to identify a pattern - organisations are not responding to breaches in ways that protect their customers (e.g. by taking rapid action) and are not informing the regulator about the breach. Instead, they try to solve the issue by being secretive and controlling the damage internally. But, in the modern age, an hour is more than enough to cause damage with stolen customer data.
There is a popular belief that data is only breached when a system is hacked by an attacker with malicious intent. But, in reality, a breach can also occur within the organisation in many forms, including:
deliberate or accidental action (or inaction) by staff or a contracted third party
sending personal data to an incorrect recipient via email or file transfer mechanism
computing devices containing personal data being lost or stolen
public display of sensitive data in paper formats
alteration of personal data without permission and audit trail
loss of availability of personal data.
The pertinent issue for organisations facing a data breach is not just minimising reputational damage, but exercising an established data security framework whose policies define concise actions and timelines for each type of data breach.
The policies must, at a minimum, cover employee requirements, data leakage prevention (for both data in motion and data at rest) and end-to-end device encryption, each with its scope, purpose, technical guidelines and reporting requirements (internal and external).
A breach must be reported to the regulator within 72 hours, and the report must include the following details:
a description of the nature of the personal data breach
the categories and approximate number of individuals concerned
the categories and approximate number of personal data records concerned
the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained
a description of the likely consequences of the personal data breach
a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.*
To assess your data security framework, check out our GDPR Assessment. http://bit.ly/2voT3iC
*Source: TechWorld, ICO