Data Security Breach Response Plan

Monday, May 15, 2017

The Current Law

In the modern world, data security breaches are becoming more and more the norm rather than the exception, and therefore more and more of a problem for businesses. The Data Protection Acts 1988-2003 impose obligations on data controllers to take “appropriate security measures” to protect the security of their data. Companies should ensure they comply with this obligation, as the disruption, publicity and brand damage that a breach can cause is potentially significant.

Sample Response Plan

The biggest problem with data security breaches for many companies is the lack of a response plan on how to deal with the breach. In the event of a breach, a company should take the following general steps:

  1. Consult your company’s Security Breach Management Plan. This is a clear, pre-prepared plan setting out the initial and immediate processes that should be put in place to secure systems and prevent further damage being caused by the breach. 
  2. Contact the pre-assigned Response Team. When a data breach occurs, a pre-designated response team should be ready to act.
  3. Identify what breach has occurred and take appropriate steps. Any response should be a full company response so that every part of the company is working in sync. 
  4. Consider your notification requirements. The Data Protection Commissioner published a guideline, Personal Data Security Breach Code of Practice, on 10 July 2010 which sets out a data controller’s notification obligations. If there is any doubt, the Code states that the data controller should report the incident to the Office of the Data Protection Commissioner.
  5. Consider the Public Relations implications and your response (if any). There are currently no requirements for data controllers to notify affected data subjects of a breach but companies should consider how they deal with informing those affected. 
  6. Record all actions taken. Keeping a record of every part of the response to a data breach can provide the business with vital information for dealing with future breaches.
  7. Review the outcome of the breach and the effectiveness of your response. After every breach, an assessment should be completed on the effectiveness of the response and where improvements can be made.
  8. Plan how such a breach can be avoided in the future. A detailed review of the breach, the response and the final assessment, and using that information to plan for the future, is often the best form of defence against future data breaches.

Forthcoming Legislative Changes on Notification Requirements

From 25 May 2018, the General Data Protection Regulation will result in stricter obligations around data security and also more onerous notification requirements for data controllers. Article 33 of the GDPR will introduce an obligation to report all breaches to the Data Protection Commissioner “without undue delay” and not later than 72 hours after having become aware of the breach. Notification will not, however, be required where the breach is unlikely to result in a risk to the data subjects, but in certain circumstances notification may be required to be made directly to the data subjects.

This article was written by Finín O'Brien, Solicitor, Ronan Daly Jermyn