Data breaches—What would you do?

You get a call: there has been a breach involving some of your most sensitive data.

What is your first thought? Your first action? If this all seems quite daunting, you have a plan but are not sure of what your first steps would be, or you do not have a plan at all, then you are not alone.

Tech consultant Adriana Linares highlighted that “lawyers get complacent” when it comes to their data, believing ‘nobody’s going to come after me’. However, PricewaterhouseCoopers found in a 2017 survey that 60% of law firms reported an information security incident between 2016 and 2017. With the number of reported breaches rising (notwithstanding those unreported), it is only a matter of time before you may experience a breach.

At the latest Cordery Breach Navigator event, Jonathan Armstrong and André Bywater, partners at Cordery, stressed that ‘data breaches are not an if, but a when’ for companies. To see how people might respond to a breach, LexisNexis and Cordery invited individuals from different companies to participate in a breach scenario based on a real-life event.

The scenario highlighted some interesting facts that you may not have considered.

The ‘data breach response teams’ were randomised so that no one was acquainted, replicating how a team will most likely be put together in an actual company, and time limits replicated the urgency of reporting to the Information Commissioner’s Office (ICO) within a 72-hour window. Throughout, it was clear that having a pre-planned data breach response plan is vital.

Participants noted how the stress made it hard to think clearly and the experience was a rollercoaster of emotions, trying to deal with each issue and locate information.

How would you respond?

Some teams were quick to rally together. Some teams took time to deliberate the facts. However, there were some key decisions made by all teams which could be beneficial to you when preparing and responding to a data breach.

The key learning from the Cordery event was: Be prepared and stay prepared.

To reiterate Armstrong and Bywater, a breach is not an if, but a when. Having a well-thought-out, simple and rehearsed plan is crucial.

Not only does this plan take the pressure off when a breach occurs, but it could also save you time and money. As identified in the scenario session, knowing what supplies, insurance, etc. you may need for a breach and purchasing them early is often cheaper. Your board has more time to understand what you need and why, and to put the financial backing behind it. In addition, identity theft alert companies will become aware of your breach and often raise their prices—so it is good to plan ahead.

Having a solid plan also ensures you can report your breach within the 72-hour window necessary for the ICO. By delegating different tasks to dedicated roles, your team can easily pick up a section of work and get the job done in the most efficient way.

Key things to consider when creating a response plan

When putting your data breach response plan together, some key things to consider:

  • What is your first step?
  • Do you have a communication plan in place—such as an FAQs list, or training for HR staff or general staff who may interact with the public and/or your clients?
  • Is your data breach response team educated? Do they know what each step means and what to do next? Have they rehearsed?
  • Is your board on board? The board will be the ones driving your plans, with budget and decision making. By having them aligned with each step of your plan you can ensure it will work efficiently.
  • Do you cover multiple jurisdictions? If so, what do you need to do to ensure all teams across different time zones and language barriers can work together?

There are many other things to consider, as outlined in LexisPSL practice notes such as Data breaches—GDPR—overview and Managing a personal data breach—process flowchart—GDPR.

Understanding and identifying a data breach can be complex, let alone managing one. However, tools such as Cordery Breach Navigator make the data breach process simple and are here to help.

Cordery Breach Navigator is the only solution that combines legal and compliance expertise with intelligent workflows to help data protection professionals deliver the best outcomes for their business and reputation.

Basically, all fears around working out your next steps, whether you are responding correctly and running through your plan can be helped by one tool. From breach notification and risk assessment to report drafting and an investigation stage, Cordery Breach Navigator guides you through all processes of a breach from start to finish—removing the need for stress and panic.

‘What is your first thought? Your first action?’ Following a data breach, the answer should now be simple.

For more information and a free demo of Cordery Breach Navigator, click here.

About the author:

Hannah is one of the Future of Law blog’s digital and technical editors. She graduated from Northumbria University with a degree in History and Politics and previously freelanced for News UK, before working as a senior news editor for LexisNexis.