Timothy M Banks

Tips for handling a data breach like a pro: part one

Yesterday, I was lucky to present to a very engaged audience participating in LexisNexis Canada's "How to Handle a Data Breach Like a Pro". Don't forget to send your questions. We will be posting a Q&A shortly. No questions will be attributed, so don't hold back!

In the meantime, here’s a recap of the first 3 of 10 Pro Tips. I’ll post 3 more next Wednesday and the final 4 the week after.

Pro Tip #1: Identify all applicable laws and incorporate them into your protocol

A data breach pro is going to map out all potentially applicable data breach laws as part of developing a breach protocol. There's lots of noise about the Personal Information Protection and Electronic Documents Act (PIPEDA) – and for good reason! But Alberta's Personal Information Protection Act (PIPA) is still around, has had its own mandatory breach reporting regime for years, and could apply to you. Plus, if you are a health information custodian or a service provider to one, there are provincial health information data breach laws to consider. All 50 U.S. states have breach notification laws that might apply if you hold personal information about residents of those states. And, of course, don't forget about the E.U. General Data Protection Regulation (GDPR) if you are offering goods or services to individuals in the E.U. or monitoring their behaviour.

Pro Tip #2: Understand and document the relevant tests for breach reporting thresholds

One of the first things your Board or CEO is going to ask once the data breach is contained is – do we have to report? Breach reporting timelines are tight. Don't wait for the breach to happen to understand the relevant tests, because they are not all the same. Under PIPEDA, you will need to consider first whether the incident is a "breach of security safeguards" as defined in PIPEDA. Then you are going to have to consider whether it creates a "real risk of significant harm" (RROSH) to an individual. Other laws use different triggers. Under Alberta's PIPA, for example, there is no "breach of safeguards" element – the question is whether there was a loss of, or unauthorized access to or disclosure of, personal information and whether that creates a real risk of significant harm. In some non-Canadian laws, the obligations (to whom you report, and by when) change depending on the number of people affected. A bit of preparation when things aren't in crisis mode will help you respond like a pro in the event of an emergency – and maintain the confidence of your Board and CEO.

Pro Tip #3: Develop and practice your breach response plan

Privacy Commissioners and breach coaches have been saying this for years. Really, they mean it. Your breach response plan should cover, at a minimum, the following six steps. These steps apply whether you are dealing with a high-tech breach (a compromised server) or a low-tech one (a lost laptop or a misdirected envelope). I can prove it.

Step 1: Containment! Stop the breach from continuing – revoke the compromised credentials, isolate the affected system, recall the misdirected document – and preserve the evidence you will need for the next step.

Step 2: Identify what systems, processes and data are affected. Does the breach go beyond the initial containment perimeter? What data was lost or potentially subject to unauthorized access or disclosure, how many individuals does it relate to, and where do they live (which drives the Pro Tip #1 analysis)?

Step 3: Evaluate the risks. What is the harm to the company, customers, suppliers, affected individuals, and/or employees?

Step 4: Evaluate legal and ethical obligations. Is there a mandatory breach reporting law? Is there a contractual obligation to notify a customer? Is notifying the right thing to do even if there is no legal obligation, in order to mitigate negative effects on the company's goodwill?

Step 5: Recovery. Once you have contained the breach and addressed the vulnerability or process failure that allowed it, you can begin to bring systems and processes back "online".

Step 6: Learning. What new processes, procedures and technology will prevent reoccurrence or improve resiliency?

Practice executing this plan (a tabletop exercise against a realistic scenario works well) in order to test whether there are gaps in understanding of roles and obligations. Organizations with well-developed and well-practiced plans will mitigate organizational disruption and minimize legal costs compared to organizations that are unprepared.
