The ICO identifies four elements that should be applied as part of any breach management plan. These include:
Containment and recovery
A breach will require us to provide an initial response to investigate and contain the situation. Where the breach is of a serious nature, we will also need to adopt a recovery plan that includes damage limitation.
Examples of the impact of a loss or abuse of personal data held by us could include witnesses being placed at risk of physical harm or intimidation as a result of an ASB case, offenders being placed at risk from the public in respect of MAPPA data, or the exposure of the addresses of women at risk of domestic violence. While these would be considered serious security breaches, others may be less serious, such as a rent statement going to the wrong address, but these could still cause reputational damage and a loss of confidence in the Mutual, and individuals still have the right to be protected from this harm as well. In addition to the effects on an individual, the reputation and prosperity of our Mutual can also be seriously damaged by any security breach.
It is therefore important that security measures are in place to ensure that if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.
Once a breach has been established, the following criteria should be used to determine who needs to be informed of the breach and what will be required to assist in the containment exercise, for example isolating or closing a compromised section of the network, finding a lost file or piece of equipment, or changing door access codes.
High Risk – Situations where the potential for distress is high, there is financial loss and the information is of a sensitive nature, or where there is the potential that a number of people and other organisations will be affected. These must all be reported to the Strategic Management Team.
Medium Risk – Situations where the information is personal or sensitive personal information that cannot cause any loss or damage and is contained within the organisation. These must all be reported to the Strategic Management Team.
Low Risk – Situations where personal or confidential information has been shared within the business and the situation is therefore contained. These must all be reported to the appropriate Director.
Once the risk category has been determined, the next stage is to:
Establish whether anything can be done to recover any losses and limit the damage the breach can cause, for example physical recovery of equipment, use of backup tapes to restore lost or damaged data, or training staff to recognise when someone tries to use stolen data to access accounts.
Inform the Police (where appropriate).