Charities, like many 21st century businesses, have huge repositories of data – and leaks, either accidental or as a result of hacks, can be a legal and public relations nightmare.
If the worst happens and your charity’s data is compromised, there are steps you can take to minimise the fallout. Hans Allnutt, partner at DAC Beachcroft and head of its cyber risk and breach response team, explains what you need to do to prepare for a data leak.
Practice your incident response
Planning your response to data breaches isn’t just good practice – it’s mandatory. "Part of regulatory guidance is that you have a plan in place," says Allnutt. "It’s not just good business practice but it’s actually regulatory practice to do so."
The guidance from the Information Commissioner’s Office (ICO) sets out a five-stage process: ‘Contain, Recover, Assess, Notify, Evaluate’.
"In the case of a misdirected email, containing the breach could be contacting the recipient, making sure that they’ve deleted it, they haven’t forwarded it on and they’re not going to use it," explains Allnutt. "In the context of a malicious attack on a server, containing the breach can be quite convoluted – you’ve found some malware or remote access malware on a server, and you have to get forensics analysis to work out where the holes are, and effectively shore up the electronics system."
Assessing the breach means weighing up the operational, legal and reputational consequences of each option, and that can be an involved process, he notes: "If you find a vulnerability on a computer, do you turn it off? Do you stop giving those services? What’s your PR plan?"
Consider who you need to notify in the event of a breach. "Sometimes that’s driven by regulatory obligations, notifying the regulator or data subjects – or it might be commercial partners," says Allnutt.
Once you’ve worked through your immediate response to the breach, you need to evaluate – "Work out what you did and whether you need to do anything else," says Allnutt. "A proper plan needs to be triaged, so that you’ve got the right people and it’s escalated at the right time, and that those people have a decision-making function as well."
Ensure all levels of the organisation are prepared to deal with a data breach
Data protection isn’t just the preserve of the IT department – everyone within the organisation has a part to play. Similarly, in the event of a data breach, everyone working in the organisation needs to know their responsibilities, who to report to and how to escalate their response. "If the building services manager discovers over the weekend there’s been a theft, he needs to know who to tell and what to tell them in relation to lost data," says Allnutt.
A data protection culture needs to be established from the top down, he adds: "Cyber risk sits at the most senior level, with the CEO. You delegate technical cyber protection to IT, but implementing training requires the HR function; to fulfil your legal contractual obligations you’ll need your legal function. A proper breach response plan will pull in all those things."
Be open, honest and accurate
"If there’s one thing worse than having a breach it’s having a breach and not telling anyone about it, and then everyone finding out 18 months later," says Allnutt. Silence is not an option – so be ready to issue a holding statement as soon as possible. "There is an instant demand for facts – even if you don’t know the full picture, you have to say something. In this response plan you can have stock phrases ready to go – lists of public statements."
Be prepared to deal not just with the public, but with third parties who may be involved in a breach. "You may be holding confidential commercially sensitive information about fundraisers on behalf of a partner. If you lose that information, you’re going to have to tell the other party that they lost the data – how are you sending that message?"
Consider your public relations response
Although the basic framework for a charity’s response to a data breach is similar to the commercial sector’s, the reputational considerations are somewhat different. "How you present yourself publicly around admissions of liability, errors and compensation will be different considerations in the charity space," says Allnutt. "If you say ‘We’ve lost your information, we’ll offer you compensation’, that shows you are an altruistic organisation – but for people that have donated to that charity, you’re handing their money out to people who have been affected."
By rehearsing your response to a data breach, you can work out the specific nuances that will affect the message you’re trying to get across. Showing vision, clarity and confidence – and responding quickly – are vital. The longer you delay, the greater the chance a reporter will break the story first. Getting out in front of it can spare you serious reputational damage.
Markel is the sector's premier insurance company working with charities, community groups, trustees, social enterprises and care providers. To find out more please visit www.markeluk.com/charity