1.0 Scope of this procedure
2.0 What is a Data Breach?
3.0 How does a data security breach happen?
- Loss or theft of data, or of equipment on which data is stored
- Inappropriate access controls allowing unauthorized use
- Equipment failure
- Human error
- Unforeseen circumstances such as a fire or flood
- Hacking attack
- ‘Phishing’ offences, where information is obtained by deceiving the organization that holds it
4.0 Process of handling a data breach
4.1. Immediate gathering of essential information relating to the breach
- When did the breach occur?
- Where did the breach take place?
- How was the breach detected and by whom?
- What was the cause of the breach?
- What kind and extent of personal data was involved?
- How many data subjects were affected?
- Who needs to be made aware of the breach?
- Are there any methods to recover any losses and limit the damage the breach may cause?
The dedicated personnel may consider designating an appropriate individual or team (‘the coordinator’) to assume overall responsibility for handling the data breach incident. This includes leading the initial investigation, informing the relevant parties about the breach and what they are expected to do to assist in containment, and subsequently producing a detailed report on the findings of the investigation.
The coordinator may need to report to and coordinate with the different functional divisions / departments / units, and escalate the matter to senior management so that remedial actions and executive decisions can be made as soon as possible.
4.2. Assessing the risk of harm
The risk assessment for each data breach will consider the following factors:
- The kind of personal data being leaked
- The amount of personal data involved and the level of sensitivity
- The circumstances of the data breach, i.e. whether the data is exposed online or is traceable
- The likelihood of identity theft or fraud
- Whether the leaked data is adequately encrypted, anonymized or otherwise rendered inaccessible, e.g. if passwords are needed for access
- Whether the data breach is ongoing and whether there will be further exposure of the leaked data
- Whether the breach is an isolated incident or a systematic problem
- In the case of physical loss, whether the personal data has been retrieved before it can be accessed or copied
- Whether effective mitigation / remedial measures have been taken after the breach occurs
- The ability of the data subjects to avoid or mitigate possible harm
- The reasonable expectation of personal data privacy of the data subject
4.3. Contacting the interested parties, containment and recovery
The following containment measures will be followed:
- Stopping the system if the data breach is caused by a system failure
- Changing the users’ passwords and system configurations to restrict access and use
- Considering whether internal or outside technical assistance is needed to remedy the system loopholes and/or stop the hacking
- Ceasing or changing the access rights of individuals suspected to have committed or contributed to the data breach
- Notifying the relevant law enforcement agencies if identity theft or other criminal activities have been or are likely to be committed
- Preserving the evidence of the data breach, which may be needed to support the investigation and the taking of corrective actions
4.4. Notification of breaches
4.5. Mitigation of possible future breaches
The review will take into consideration:
- Ongoing improvement of security in the personal data handling processes
- The control of the access rights granted to individuals to use personal data, and whether the principles of “need-to-know” and “need-to-access” are being applied
- The adequacy of the IT security measures to protect personal data from hacking, unauthorized or accidental access, processing, erasure, loss or use
- Ongoing revision of the relevant privacy policy and practice in the light of the data breach
- The effective detection of data breaches, including the keeping of logs and access trails that allow early warning signs to be identified
- The strengthening of the monitoring and supervision mechanism of data users, controllers and processors
- Review of the ongoing training to promote privacy awareness and to enhance the prudence, competence and integrity of the employees, particularly those who act as controllers and processors
- Review of this policy and the procedures listed in it.