Do you know who holds your personal information? How reassured do you feel that your information is being managed in line with the General Data Protection Regulation (GDPR) principles underpinning your national data protection laws? Are you concerned about your data? Do you know how to check if your email address has been compromised in a data breach? Curious to find out? Follow the link here to this useful website, type your email address in the search bar and hit enter! (This isn't a phishing test!) Were you surprised by the results?
Don't make the headlines...
Information breaches happen all the time, this doesn't mean that every time there is an incident involving personally identifiable information that it will affect those whose information has been compromised. What's important is to have policies and procedures in place to first recognise that you've had a breach, and secondly have the in-house capabilities to triage the severity and mitigate the incident. We often tell our school clients that the occurrence of a breach is beneficial because, through recognising you've had a breach, you are demonstrating that the systems and controls you have in place are working.
We have all heard of the data breaches that make the news headlines, often involving high profile multinational corporations such as with the Facebook and Google data breaches during 2018. What the GDPR has done since its legislative release date in May this year, is raise awareness over individuals' rights towards their personal data and the consequential penalties should companies be found in breach of these rights. Subsequently, Supervisory Authorities (SA) around the globe are busy investigating incidents reported to them more than ever due to this greater awareness.
A breach investigation has multiple facets. You have to determine:
What information was put at risk?
Who will it impact and how?
How to manage the suspected impact and those individuals impacted?
But the SA also consider what the data controller, data processor did/did not do which led to that information being put at risk. Including:
What processes, controls, security are in place?
How were they controlled?
Who have they shared with, and what technical capabilities were in place to support these activities?
Was it a system error or failure? Or a malicious phishing attack for example?
Lack of training resulting in human error?
Was it simply the organisation's lack of a data protection culture which should be key within all data controller/processor's activities
If those who manage data on a day to day basis do not understand the intricacies that surround data processing or are not provided with suitable resources to manage personally identifiable information (or sensitive personal data), then the resulting outcome will always, eventually, lead to a data breach.
Our recent Breach Management webinar explored the considerations and key steps that a data controller, and or a data processor, should follow if they find themselves having to manage a personal data breach.
Breach Management: Policies, Processes and Procedures
It is important that all employees know and understand what a breach looks like, and that you have a clearly defined breach policy, procedure and log, so that a suspected breach can not only be quickly identified, but also, so that whoever is tasked with leading on the incident knows what is expected of them. Remember, there is never a good time to be informed of a suspected breach, so you need to ensure you are prepared, as your DPO and or DP lead may not always be available, and the guidance states that a ‘serious’ breach needs to be reported within 72 hours. Weekends and school holidays are no exceptions.
Some schools/businesses will completely shut down for the holidays, which funnily enough removes the potential hazard of human error (by far the most common reason breaches happen). However, your systems remain a target for malicious attacks, as we discussed in a previous blog on common cyber attacks in schools. Data protection and cyber security are closely linked, with cyber being at the forefront of updated data protection regulations. Schools need to have confidence that their IT infrastructure is securely configured with the resilience to react to sudden increases in load, loss of hardware, or services, and cyber attacks. 9ine's Cyber Defence Essentials Service provides access to organisational cyber posture evaluation. It is crucial that schools can evidence the susceptibility of both their users and their computer systems and services to malicious or unintentional cyber attacks. Understanding your current cyber posture is key to preventing or at least limiting the impact of a data breach.
Schools need to maintain continuity around their governance structures at all times. 9ine’s DPO Essentials package offers clients (amongst other advantages) the option to auto divert their DPO email accounts during certain downtimes, providing the data controller with the assurance that over periods of holidays or unexpected absence, the dedicated data protection email account continues to be managed.
What to look out for?
Imagine that moment….. You’ve been advised of a data breach, what do you do? What are your first thoughts, considerations and actions that start to form in your mind?
Don’t panic! What you have is a suspected incident that may, or may not, involve personally identifiable information, that may, or may not, be sensitive, that may, or may not have affected your systems and that may, or may not, be contained!
- Is it a student, teacher, or parents data; or is it information relating to external contractors who support the day to day running of the school or your student's wellbeing?
- Does it involve a lot of generic information, or conversely, a few very personal and highly sensitive files?
- Was it a cyber attack, or was information taken from the school premises without suitable controls or authorisation?
- Was it a paper file or an encrypted, password protected, two-factor authentication, mobile device?
- Did the data cross a national border?
- Where is the suspected breached data now? Who has it, and what do they intend to do with it?
- Will those whose details have been put at risk be impacted by phishing attacks, or ransomware?
- Will there be a concern or worry to the individual(s) involved? Will their privacy be infringed?
- What can be done to mitigate all of the above? What is in place to proactively respond to this suspected reported personal data breach?
When having to manage a suspected breach, it is easy to quickly start to feel overwhelmed. If you are prepared then you can fall back on your policies and procedures to help guide you through. Have key stages clearly defined, such as:
Log the incident (on your central breach log)
Gather information (evidence is key)
Containment / recovery
Risks / ongoing monitoring
Notification / Lessons learned
Tell your Breach Management Story
Ultimately you are trying to tell a story; you need to be able to clearly evidence that you are fully aware of what data you hold and that it is being processed in line with the 7 GDPR principles (the 7th principle being accountability). You will also need to have a clear record of what happened? This will include information such as: what was the incident; when did it happen; how was it identified; who reported it and when? How was it reported, and what immediate actions were taken? A single breach can have a multitude of possible storylines and endings; the only way you will know how to tell the story is by understanding the main characters and by acquiring as much information as possible. A breach log will ensure you stay on track and tell the whole story… the ending will depend on your journey and the characters that emerge along the way.
9ine 9ine 9ine, what's your emergency - How 9ine can support
9ine’s DPO Essentials is an annual service offering a professional, independent perspective when evaluating a breach. The service also provides access to a suite of education specific documentation and policies to evidence compliance with data protection law. We use our strong sectoral knowledge and evaluative expertise to provide feedback based on the assessed severity a breach, and to advise on the associated risks and recommended actions to be taken. If advised to report the incident to your Supervisory Authority, 9ine will ensure it supports any ongoing activity you will need to undertake.
9ine's Incident Response: Through our service desk, we have the expertise in place to respond to any data protection issues or cyber incidents you may have. Whether that’s a personal data breach, phishing or cyber attack, malware incident or SAR, we will triage and assess the severity of any threats free of charge - there is only a cost if you employ our services for undertaking the mitigating actions. Register your interest for the service here and one of our consultants will get in touch:
For more information on 9ine's security initiatives and how we support with reducing security threats in schools:
Watch our Webinar recording below.