THIRD SECTOR PROMOTION

How to respond to a data breach

Markel

Data breaches can happen for a variety of reasons, from accidents to malicious attacks. If the worst happens, it pays to be prepared.

Data breaches can happen to anyone - so be prepared

Charities, like many 21st-century businesses, have huge repositories of data – and leaks, either accidental or as a result of hacks, can be a legal and public relations nightmare.

If the worst happens and your charity’s data is compromised, there are steps you can take to minimise the fallout. Hans Allnutt, partner at DAC Beachcroft and head of their cyber and breach risk and breach response team, explains what you need to do to prepare for a data leak.

Practice your incident response

Planning your response to data breaches isn’t just good practice – it’s mandatory. "Part of regulatory guidance is that you have a plan in place," says Allnutt. "It’s not just good business practice but it’s actually regulatory practice to do so."

The ICO’s guidelines suggest using the process ‘Contain, Recover, Assess, Notify, Evaluate’.

"In the case of a misdirected email, containing the breach could be contacting the recipient, making sure that they’ve deleted it, they haven’t forwarded it on and they’re not going to use it," explains Allnutt. "In the context of a malicious attack on a server, containing the breach can be quite convoluted – you’ve found some malware or remote access malware on a server, and you have to get forensics analysis to work out where the holes are, and effectively shore up the electronics system."

Assessing your legal obligations in the event of a breach can be an involved process, he notes: "If you find a vulnerability on a computer, do you turn it off? Do you stop giving those services? What’s your PR plan?"

Consider who you need to notify in the event of a breach. "Sometimes that’s driven by regulatory obligations, notifying the regulator or data subjects – or it might be commercial partners," says Allnutt.

Once you’ve worked through your immediate response to the breach, you need to evaluate – "Work out what you did and whether you need to do anything else," says Allnutt. "A proper plan needs to be triaged, so that you’ve got the right people and it’s escalated at the right time, and that those people have a decision making function as well."

Ensure all levels of the organisation are prepared to deal with a data breach

Data protection isn’t just the preserve of the IT department – everyone within the organisation has a part to play. Similarly, in the event of a data breach, everyone working in the organisation needs to know their responsibilities, who to report to and how to escalate their response. "If the building services manager discovers over the weekend there’s been a theft, he needs to know who to tell and what to tell them in relation to lost data," says Allnutt.

A data protection culture needs to be established from the top down, he adds: "Cyber risk sits at the most senior level, with the CEO. You delegate technical cyber protection to IT, but implementing training requires the HR function; to fulfil your legal contractual obligations you’ll need your legal function. A proper breach response plan will pull in all those things."

Be open, honest and accurate

"If there’s one thing worse than having a breach it’s having a breach and not telling anyone about it, and then everyone finding out 18 months later," says Allnutt. Silence is not an option – so be ready to issue a holding statement as soon as possible. "There is an instant demand for facts – even if you don’t know the full picture, you have to say something. In this response plan you can have stock phrases ready to go – lists of public statements."

Be prepared to deal not just with the public, but with third parties who may be involved in a breach. "You may be holding confidential commercially sensitive information about fundraisers on behalf of a partner. If you lose that information, you’re going to have to tell the other party that they lost the data – how are you sending that message?"

Consider your public relations response

Although the basic framework for a charity’s response to a data breach is similar to the commercial sector’s, the reputational considerations are somewhat different. "How you present yourself publicly around admissions of liability, errors and compensation will be different considerations in the charity space," says Allnutt. "If you say ‘We’ve lost your information, we’ll offer you compensation’, that shows you are an altruistic organisation – but for people that have donated to that charity, you’re handing their money out to people who have been affected."

Through practicing your response to a data breach, you can work out the specific nuances that will affect the message you’re trying to get across. Showing vision, clarity and confidence – and responding quickly – are vital. The longer you delay, the more chance a reporter will break the story. Getting out in front of it can save you massive reputational damage.

Markel is the sector's premier insurance company working with charities, community groups, trustees, social enterprises and care providers. To find out more please visit www.markeluk.com/charity
