Yesterday, I was lucky to present to a very engaged audience participating in LexisNexis Canada’s “How to Handle a Data Breach Like a Pro”. Don’t forget to send your questions. We will be posting a Q&A shortly. No questions will be attributed, so don’t hold back!
In the meantime, here’s a recap of the first 3 of 10 Pro Tips. I’ll post 3 more next Wednesday and the final 4 the week after.
Pro Tip #1: Identify all applicable laws and incorporate them into your protocol
A data breach pro is going to map out all potentially applicable data breach laws as part of developing a breach protocol. There’s lots of noise about the Personal Information Protection and Electronic Documents Act (PIPEDA) – and for good reason! But Alberta’s Personal Information Protection Act (PIPA) is still around and could apply. Plus, if you are a service provider to a health information custodian or you are a custodian, there are provincial health information data breach laws to consider. All 50 U.S. states have laws that might apply if you are doing business with residents in those states. And, of course, don’t forget about the E.U. General Data Protection Regulation (GDPR) if you are providing goods and services to European residents or tracking them.
Pro Tip #2: Understand and document the relevant tests for breach reporting thresholds
One of the first things your Board or CEO is going to ask once the data breach is contained is: do we have to report? Breach reporting timelines are tight. Don’t wait for the breach to happen to understand the relevant tests, because they are not all the same. Under PIPEDA, you will first need to consider whether the breach is a “breach of security safeguards” as defined in PIPEDA. Then you are going to have to consider whether there is a “real risk of significant harm” (RROSH). Other laws use different tests. As one example, no breach of safeguards is required under PIPA. In some non-Canadian laws, the obligations differ depending on the number of people affected. A bit of preparation when things aren’t in crisis mode will help you respond like a pro in the event of an emergency, maintaining the confidence of your Board and CEO.
Pro Tip #3: Develop and practice your breach response plan
Privacy Commissioners and breach coaches have been saying this for years. Really, they mean it. Your breach response plan should cover at a minimum the following six steps. These steps apply whether you are dealing with a high-tech or low-tech breach. I can prove it.
Step 1: Containment! Stop the breach from continuing.
- High-tech example: Your encryption key has been accessed. Stop all access to the servers containing the encrypted data.
- Low-tech example: An employee misdirected an email outside of the organization. Stop the useless attempts to recall the data. Instead, try direct contact to attempt to get cooperation to contain the data. In an extreme case, legal proceedings might be required.
Step 2: Identify what systems, processes and data are affected. Does the breach go beyond the initial containment perimeter? What data was lost or potentially subject to unauthorized access and disclosure?
- High-tech example: How was the encryption key accessed? Was it on the same server as other data? What was the path of access? Are other servers affected?
- Low-tech example: What was in the email? Were attachments password protected or encrypted? Was this the only email misdirected or the only one that the employee noticed?
Step 3: Evaluate the risks. What is the harm to the company, customers, suppliers, affected individuals, and/or employees?
- High-tech & low-tech examples: What data was affected or potentially affected? How could this affect stakeholders?
Step 4: Evaluate legal and ethical obligations. Is there a mandatory breach reporting law? Is there a contractual obligation to notify a customer? Even if there is no legal obligation, is notifying the right thing to do in order to mitigate negative effects on the company’s goodwill?
- High-tech & low-tech examples: What laws apply? What contractual obligations might apply? Even if there is no legal obligation, will the loss of trust from a revelation outweigh the benefits of not reporting/notifying affected individuals?
Step 5: Recovery. Once you have contained the breach and addressed the vulnerability, you can begin to bring systems and processes back “online”.
- High-tech example: Make sure the encryption key cannot be accessed again through the same or a similar vulnerability, so that further unauthorized access is prevented. Re-encrypt using a new key and bring the systems back online.
- Low-tech example: Ensure the employee has removed the email address from any “autocomplete”. Ensure procedures are followed to password protect/encrypt sensitive information.
Step 6: Learning. What new processes, procedures and technology will prevent reoccurrence or improve resiliency?
- High-tech example: Examine the network architecture to identify whether additional technologies can be implemented to harden security.
- Low-tech example: Consider using email scanning technologies to scan for sensitive information leaving the network and delay sending or require the employee to reconfirm.
Practice executing this plan in order to test whether there are gaps in understanding of obligations. Organizations with well-developed and well-practiced plans will mitigate organizational disruption and minimize legal costs compared to organizations that are unprepared.