Any type of data breach, whether due to an external hacking incident or an internal staff error, is a significant issue that needs immediate attention. A key aspect of the legal requirements surrounding a data breach is to demonstrate that your business or organisation takes the issue very seriously and is proactively seeking to not only protect any individuals who may be affected but is also taking active steps to improve systems and processes quickly to prevent a similar issue occurring again.
Communications following a data breach, both internally and externally, need to be carefully managed to convey these key messages effectively. In the immediate aftermath of a breach the most important thing to establish, as quickly as possible, is exactly what data has been compromised and the number of individuals affected.
You need to focus on confirming exactly what has happened and how any risks created can be mitigated, prepare your statement and reassure your customers and employees that you are in control of the situation. Knowing precisely what you are dealing with is key in the early stages to allow you to manage the next steps around communication. Whilst it is important to act without delay, don’t feel that you need to rush to make available information about a data breach incident until you have been able to verify it. Internally, communications need to take a structured approach to support a swift investigation and establish exactly what data has been compromised and to what extent.
Under current laws there is no mandatory requirement to notify the regulator, the Information Commissioner’s Office (ICO), or the individuals affected. However changes to the data protection laws, which will come into effect within the next 12 months, will require any business that experiences a data breach to report it to the ICO within 72 hours of becoming aware of it, and then to notify affected individuals if the breach is likely to impact on their rights and/or freedoms. In turn, this will mean that having a rapid response approach to breaches will become even more critical in the near future.
Once you’ve determined which legal requirements you are required to fulfill regarding notifying the ICO and affected individuals, and whilst ensuring you are not disclosing any confidential information, key messages to be relayed publicly should be kept short and aim to include:
- any reassurances you can give regarding how serious the breach is
- general information you can give about what type of data is affected
- advice to individuals on how to prevent identity fraud which could occur as a result of using the information which may have been compromised
This information should only be issued in a manner which does not impact on any ongoing investigation into the incident itself or any attempts to further protect systems and data following the breach. However, if you are able to confirm that no payment related data, or medical or health related data is involved, this can be a useful message to begin reassuring the public.
You should also provide information regarding the communication that the affected individuals can expect from your business following the breach. Where possible, share security assurances such as confirming that you won’t be contacting any of your employees or customers via email or phone asking for passwords or account details in the coming weeks. This will provide reassurance to your community; it shows that you care about their individual safety and that you are working towards a solution. If personal passwords have been compromised, sharing details of how users can change their passwords is also a good place to start.
Finally, it’s worth bearing in mind that it’s not just the breach that needs your attention during the immediate incident response phase, but also the channels of communication you use to contact the affected individuals to educate and inform them about the situation. It’s important to think about how best you can ensure that any messages surrounding the data breach efficiently reach those who may be affected. In addition to a press statement, you should also consider issuing information to your customers and employees either via an email newsletter, by post, or even a banner and news article on your website homepage. This will ensure that the message reaches anyone affected as quickly and as transparently as possible.
Emma Roe, Partner and Head of Commercial at Shulmans LLP