How to deal with a data breach in your business

The media is buzzing about the biggest data breach in SA. As these developments have shown, a data breach can have a severe impact on your ability to do business, and it can tank your reputation.
Have you thought about how secure your company’s data is? Or what you would do if there was a data breach?
Would you be able to keep doing business?

If you haven’t thought about it yet, don’t panic! We’ve started thinking about it on your behalf.

Here are the steps that I think you should take if you have a security breach, whether it’s physical or digital:

Before the data breach

Take the time, now while you don’t have one, to think about and write down what you should do if you have a security breach. In the heat of the moment you often won’t make good decisions, so create a policy and procedure in which you have thought about, and researched, what you should do. This is the first thing the Regulator will ask for.
But there is no point in just having a policy and procedure without making it part of your company’s way of doing business. The law (and common business sense) requires that you train your staff. You need to make sure that your staff knows how to recognise a breach, who to report it to and how to preserve evidence. Check out this policy training tool our friends at Compliance Online came up with.
Make sure your staff understand that they won’t get in trouble if there is a breach, unless they are stealing the information or if they know of a breach and they don’t report it. It is important to create an environment that fosters transparency. If they think they will get fired, they will keep quiet about the breach.
Let’s be realistic. Chances are that a breach will happen. So what then?

  1. Don’t panic

Just get the facts. You need to know: when it happened, who was involved, how many records or people are affected, where it happened, whether the breach is finished (it could still be happening), what you can do to fix it, and what other people can do to fix it.

  2. Tell a friend

You may not be believed if it is just you (maybe YOU did it), so call someone and get them to witness it too.

  3. Decide on who you are going to tell and when

For example, you may notify the Information Regulator immediately, but you might delay notifying your clients while the security flaw still exists, so that you don’t point other people to a weakness they could exploit before you have fixed it. Keep that delay no longer than the fix requires.

  4. Don’t ignore it

No-one trusts someone who gets ‘outed’. If you know of the breach you need to be upfront about it. Keeping it secret normally does far more reputational harm than letting everyone know as soon as you can (and waiting also increases the chances that your clients suffer more harm).

  5. Learn from the experience

The only way of doing that is to get to the root cause of the breach. Don’t just ask what happened; be sure to get to how and why it happened. Have a look at this analysis of the Equifax breach in America for a handy case study.

  • Do a debriefing session. What could you have done better? Is there a way you should have reacted? Should it be mandatory to contact a public relations firm if this happens? Could you contact everyone in an emergency?
  • Go back to your policy and change it, now that you have learnt something new. If necessary change team members and communication methods.
  • Go back to your analysis of your personal information and how you secure it. Is there something you need to change?
  • If you did not pick up the security breach (for example if your client told you about it) how do you avoid that in the future? What steps can you take to make sure you know about a security breach sooner?

Need more help? Get in touch!
Published 2018-03-15 | Compliance and risk management

About the Author:

Paul Esselaar
Paul is the wise old man in the company and a wizard at coming up with innovative solutions to legal problems. He has been an attorney since 2001 and has a Masters in Electronic Law and Commercial Law. In 2011 Paul set up his own firm, Esselaar Attorneys (it is still going strong). It was around this time that he met Elizabeth at an over-crowded session on the Consumer Protection Act. They both noticed that the other was quite vocal on the subject – the rest, as they say, is history. Paul specialises in Consumer Law, Electronic Law and the Protection of Personal Information Act. He wrote A Guide to the Protection of Personal Information Act with Elizabeth. Paul likes climbing mountains, turning phrases into songs and pushing Elizabeth’s buttons. He often (intentionally) pushes clients’ buttons too, but sometimes that needs to be done before real change can happen. Want to find out more about Paul? Find him on LinkedIn or contact him on paul@novcon.co.za or (021) 481 1835.