Incident or Breach? Meanings and responses
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
October 12, 2020
Good breach management and incident response systems form core aspects of a robust data protection framework. There is a wide range of ways to respond to a breach. In this week’s piece, I will highlight how to respond to breaches.
First, I must state that there is a difference between a breach and an incident. All breaches are incidents, but not all incidents are breaches. Only the privacy office, the IT team or the legal and compliance departments within the company can declare a breach, and they do so based on specific triggers.
Breaches are events that place the rights and freedoms of individuals at risk of harms such as identity theft, fraud and misrepresentation. In contrast, an incident is a situation that affects the confidentiality, integrity or availability of personal information but usually does not lead to a loss of rights or freedoms. Most of the time, companies do not have to report incidents to data protection authorities, but they should record the event so that lessons can be learned from it.
How can companies prepare for data breaches?
Companies should not wait for breaches to happen. The question is, when a breach does happen, how prepared the company and its staff are for the event. Preparedness does not stop incidents from occurring; it focuses on the people, process and technology that keep an incident from becoming a breach. In other words, breach preparedness concerns the measures a company can take to respond when prevention fails.
First, training comes into play here, which is straightforward and significant. Training exposes gaps in pre-incident plans and procedures. It lays the groundwork for the security of customers, partners and employees. If the right personnel are trained in their duties for when a breach does happen, the legal and notification costs that arise from the breach are lower. Training is therefore a central element of the preparation phase of the data breach management procedure.
Much more than that, company stakeholders should determine business functions that require in-depth training. For example, when there is a breach in a particular bank, how should customer care handle incoming calls and emails? What should they say to disgruntled or affected customers?
Each function of the business must know what it will handle when an incident occurs and how. This training can take different forms, and the content must be customised to meet the varying demands of the business's different functions. It can be delivered virtually or through the office intranet.
With regards to training too, various departmental heads must know what to say to the press. The CEO of the bank in question must choose her words carefully to avoid adding fodder to litigations.
The response to a breach is usually complicated. However, a company that has positioned itself with properly trained staff, created the right processes and acquired the right technology stack to handle various incidents will handle breaches and incidents with far less difficulty. Companies facing a potential breach should deal with detection, ensure that stakeholders collaborate and know their roles, investigate, ask their legal teams to conduct analysis, address reporting obligations, and come up with a way to recover from the situation.
There are critical areas that stakeholders must attend to broadly when there is a breach. When a breach happens, there is usually a great scramble for the right steps to take. As I have said before in this space, preparation helps the company take the right steps and then focus on securing the operation of the business. A breach does not mean that business operations should stop. A sound breach management methodology maintains business continuity and keeps the company from running at a loss while it continues delivering products and services to its customers.
The company should also build a notification strategy, and its cost implications, into its breach response. Usually, companies can communicate via email, post or social media platforms. The company should look for a cost-effective way to reach the affected customers.
The final issue is to focus on locating the vulnerabilities and fixing them immediately by working with the various functions of the business, primarily where a weakness existed, and to work on the best way to close the gaps.
These are not specific steps. However, companies must understand the difference between an incident and a breach and be prepared to handle breaches when they do happen.