Markel

How to respond to a data breach

Data breaches can happen for a variety of reasons, from accidents to malicious attacks. If the worst happens, it pays to be prepared.

Data breaches can happen to anyone - so be prepared

Charities, like many 21st century businesses, have huge repositories of data – and leaks, either accidental or as a result of hacks, can be a legal and public relations nightmare.

If the worst happens and your charity’s data is compromised, there are steps you can take to minimise the fallout. Hans Allnutt, partner at DAC Beachcroft and head of their cyber and breach risk and breach response team, explains what you need to do to prepare for a data leak.

Practise your incident response

Planning your response to data breaches isn’t just good practice – it’s mandatory. "Part of regulatory guidance is that you have a plan in place," says Allnutt. "It’s not just good business practice but it’s actually regulatory practice to do so."

The ICO’s guidelines suggest using the process ‘Contain, Recover, Assess, Notify, Evaluate’.

"In the case of a misdirected email, containing the breach could be contacting the recipient, making sure that they’ve deleted it, they haven’t forwarded it on and they’re not going to use it," explains Allnutt. "In the context of a malicious attack on a server, containing the breach can be quite convoluted – you’ve found some malware or remote access malware on a server, and you have to get forensics analysis to work out where the holes are, and effectively shore up the electronics system."

Assessing your legal obligations in the event of a breach can be an involved process, he notes: "If you find a vulnerability on a computer, do you turn it off? Do you stop giving those services? What’s your PR plan?"

Consider who you need to notify in the event of a breach. "Sometimes that’s driven by regulatory obligations, notifying the regulator or data subjects – or it might be commercial partners," says Allnutt.

Once you’ve worked through your immediate response to the breach, you need to evaluate – "Work out what you did and whether you need to do anything else," says Allnutt. "A proper plan needs to be triaged, so that you’ve got the right people and it’s escalated at the right time, and that those people have a decision making function as well."

Ensure all levels of the organisation are prepared to deal with a data breach

Data protection isn’t just the preserve of the IT department – everyone within the organisation has a part to play. Similarly, in the event of a data breach, everyone working in the organisation needs to know their responsibilities, who to report to and how to escalate their response. "If the building services manager discovers over the weekend there’s been a theft, he needs to know who to tell and what to tell them in relation to lost data," says Allnutt.

A data protection culture needs to be established from the top down, he adds: "Cyber risk sits at the most senior level, with the CEO. You delegate technical cyber protection to IT, but implementing training requires the HR function; to fulfil your legal contractual obligations you’ll need your legal function. A proper breach response plan will pull in all those things."

Be open, honest and accurate

"If there’s one thing worse than having a breach it’s having a breach and not telling anyone about it, and then everyone finding out 18 months later," says Allnutt. Silence is not an option – so be ready to issue a holding statement as soon as possible. "There is an instant demand for facts – even if you don’t know the full picture, you have to say something. In this response plan you can have stock phrases ready to go – lists of public statements."

Be prepared to deal not just with the public, but with third parties who may be involved in a breach. "You may be holding confidential commercially sensitive information about fundraisers on behalf of a partner. If you lose that information, you’re going to have to tell the other party that they lost the data – how are you sending that message?"

Consider your public relations response

Although the basic framework for a charity’s response to a data breach is similar to the commercial sector’s, the reputational considerations are somewhat different. "How you present yourself publicly around admissions of liability, errors and compensation will be different considerations in the charity space," says Allnutt. "If you say ‘We’ve lost your information, we’ll offer you compensation’, that shows you are an altruistic organisation – but for people that have donated to that charity, you’re handing their money out to people who have been affected."

Through practising your response to a data breach, you can work out the specific nuances that will affect the message you’re trying to get across. Showing vision, clarity and confidence – and responding quickly – are vital. The longer you delay, the more chance a reporter will break the story. Getting out in front of it can save you massive reputational damage.

Markel is the sector's premier insurance company working with charities, community groups, trustees, social enterprises and care providers. To find out more please visit www.markeluk.com/charity
