How to Handle Breach Incidents Involving Personal Information

by Flavio Gerbino

Most companies have mature security incident procedures in place for handling events in their IT environment. Many of those procedures, however, pay too little attention to the assets actually affected and are limited to IT components. This article is therefore a short overview of how to respond to and manage an information security incident, with the primary focus on breaches involving Personal Information, whether held on paper or on IT systems.

Prerequisites

To adopt the suggestions outlined in this article, a company should already have an appropriate security incident response and breach notification plan. This plan should reflect local legal and regulatory requirements as well as business and functional needs. A risk management system with appropriate risk measurement guidelines is an equally indispensable instrument that must already be in place.

Definitions of Important Terms

Here are some examples of Data Security Incidents that illustrate how the focus differs from classic, IT-driven incident response (the list is not exhaustive):

Additional Tasks and Members for the Existing Incident Response Team in Case of Breach Incidents Involving Personal Information

To be ready to handle breaches involving Personal Data, an existing Incident Response Team should additionally be charged with the following tasks:

When an incident involves a breach of Data Privacy, the response team must include additional representatives to ensure proper handling in accordance with legal requirements (especially in cases involving employee fraud or misconduct).

Depending on the severity and characteristics of the incident, the team should also include senior (management) members from the following departments:

Handling of Data Security Incidents

The Action Plan should include the following simplified key steps (not exhaustive):

  1. Preparative Assessment: As a preliminary duty in a Data Security Incident, the Incident Response Team should take the following preparatory actions:
    1. Nominate an individual to investigate the circumstances of the incident. This person needs the experience and the authority to conduct the initial investigation, document the findings in a written report and make recommendations to the Incident Response Team. Typically this is a senior security representative (e.g. from the CSO team or organization). From a Data Privacy point of view, the following facts need to be established, in addition to what is investigated as part of any security incident:
      • The type of systems or files that were compromised (IT systems, paper files or other)
      • The type of information involved, including whether any Personal Information is at risk and, if so, where that data originated
      • The persons involved in or responsible for the breach
    2. Consider whether external resources are required for assistance, such as involving law enforcement in the investigation, consulting outside legal counsel, or enlisting other third-party assistance such as a forensic analyst.
    3. Identify the need to assemble a broader team to deal with the Data Security Incident.
    4. Determine whether the incident needs to be reported.
    5. Establish the circumstances of the Security Incident.
  2. Risk Assessment: In the second step, the type and amount of Personal Information at risk, the extent of the incident, the persons affected and the risk of harm to individuals and to the company are assessed.
    • Evaluating the risk requires an understanding of the following factors:
      • What type of Personal Information is involved?
      • How sensitive is the information? Generally, the more sensitive the information, the higher the risk of harm. A combination of several pieces of Personal Information should be treated as more sensitive than any single piece. Sensitivity alone, however, is not the only criterion in assessing risk; the expected harm to individuals is just as important.
      • How many individuals are affected by the breach? The number of individuals affected helps to estimate the severity of the problem and is relevant in deciding whether or not to notify local privacy authorities.
      • For lost data, what protections were in place at the time of the breach? Was the Personal Information adequately protected, e.g. by encryption? Note that encryption only reduces the risk if the keys or passphrases were not exposed together with the data and the encryption is strong enough to withstand attack.
      • Who is affected by the incident (employees, contractors, the public, clients, service providers, others)?
      • Can the Personal Information be used by third parties for fraudulent or otherwise harmful purposes?
      • Was the breach inadvertent or intentional?
      • Is there a risk of further exposure of the Personal Information?
      • If the Personal Information was stolen, can it be determined whether it was the actual target of the theft?
      • Can the Personal Information be recovered?
    • Once these factors are clear, the risk of harm to individuals should be evaluated, i.e. whether harm to individuals may result from the incident:
      • If the data has been stolen, what is the potential risk of misuse?
      • What harm to the individuals could result from the breach?
        • Identity theft
        • Financial loss
        • Loss of business or employment opportunities
        • Humiliation, damage to reputation or relationships
    • With the conclusion of the risk evaluation, the Incident Response Team is able to decide whether notification of individuals and the appropriate privacy authorities is required or advisable.
  3. Notification: The Legal Department should take responsibility for providing any required notice to governmental authorities, including authorities in other jurisdictions where required. If notification is required by law, the affected individuals should be notified as promptly as possible, consistent with both the terms of the applicable law and the need to conduct and complete the investigation. Note that many breach notification laws set fixed deadlines that start when the breach is discovered, so the investigation must be planned so that it does not overrun them. Even if notification is not required by law, it is strongly recommended if the Data Security Incident presents a risk of fraud or identity theft to the affected individuals.
  4. Prevention: A final incident report should include short- and long-term steps to prevent further incidents:
    • A security audit of the security measures in place
    • A review of policies and procedures, where necessary to reflect the lessons learned from the incident
    • A ban on bulk transfers of data onto removable media without adequate security protection
    • Secure couriers and appropriate tamper-proof packaging for the transport of bulk data, where applicable to the breach situation
    • Some Data Security Incidents should be reported to senior management immediately:
      • Incidents involving data on a substantial number of individuals, or highly sensitive data
      • Incidents likely to be published in a national or international newspaper
    • Good reporting also gives an overview of data security incidents and is required to document the main issues and gaps learned from them. In addition, reporting ensures compliance with disclosure obligations, where applicable, as well as timely and complete information to the Board.

Conclusion

Reading the newspapers and seeing the growing number of reported incidents related to data privacy should open your eyes to the fact that privacy and data protection matter more than ever. Establishing appropriate technical, conceptual and organizational safeguards for sensitive data is the first step in giving your data adequate attention.

Constant care and due diligence throughout the data's lifecycle is the second step. Beyond that, you still need to be ready for emergencies in order to avoid bad surprises when a breach involving personal information and sensitive data occurs. This is achieved by considering the special characteristics and exceptional value of your data assets in your existing incident response procedures from the beginning, so that an incident can be handled effectively and professionally.

About the Author

Flavio Gerbino

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.
