Organisations need to protect and preserve their intellectual assets with vigilance in the face of an increasing risk of data theft and loss. Not only is there the risk of financial and reputational damage when data is lost, stolen or compromised, but in the new regulatory climate serious breaches of personal data security now attract more severe penalties from the relevant regulators. The actions appropriate to ensure that personal data is protected to the standard required by the Data Protection Act 1998 will vary from case to case (see the DPA’s Guidance on Employee Records, for example) but are likely to include:
- ensuring data security policies are up-to-date and adhered to consistently across the business;
- implementing physical security measures to prevent unauthorised access to personal data – this might include limiting access to certain areas of the building to select staff;
- protecting portable/mobile devices with encryption software;
- tiered or subject-level access – so that only those who need to have access to particular data or information can actually get it;
- regular security testing – including penetration testing, testing for phishing and social engineering, and testing for sophisticated ‘blended’ or ‘persistent’ threats.
Companies that adopt a cavalier approach to basic security provisions for their data are at risk of being fined heavily as and when trouble strikes. Given the harm and distress a data security breach can cause to your customers or your staff and your organisation, it is absolutely essential for companies to be seen to take steps to safeguard the data of others.
However, managing the technical aspects is only half the job. The manner in which an organisation responds to a breach can make all the difference in terms of its clean-up. Failures here may compound the damage. Mistakes and accidents happen but even long-time and dedicated customers can be driven away if breaches are not properly handled, especially repeatedly. Having an effective response plan can therefore make all the difference to the size and severity of the compliance failure. “There is a distinct difference between those organisations that are forced to adopt a ‘learn-as-they-go’ approach and those that are executing a plan that they have carefully developed, tested, and updated in advance”, says Tony Dearsley, Manager of the Computer Forensics team at Kroll Ontrack.
Once you are aware that you have a data breach incident on your hands, the first step is to contain the risk and stop it from spreading. For example, if a stolen laptop could contain system passwords, it would be prudent to disable the user’s account to prevent network access. In the case of a network breach, you must quickly take the necessary actions to prevent the hacker from accessing other parts of the network. As Rupert Murdoch would probably now be willing to confirm, an immediate assessment must also be made to determine whether to notify the subjects of any data that has been or may have been lost or compromised, and all the right noises made through the company’s PR team.