Do You Know What to do if Your Organisation Suffers a Cyber Attack?
The ICO has published details of a security breach at an estate agent which led to unauthorised access to the personal information of over 18,000 individuals over a two-year period. The agent was fined £80,000 but, as the breach occurred before the GDPR became enforceable, the fine was issued under the old legislation. Two of the aggravating factors were the agent's failure to report the breach until they were contacted by a hacker, almost 8 months after the breach had been identified, and their failure to contact the individuals affected to warn them of the risk of fraud based on the lost information.
Under the GDPR, the requirement to report breaches is far more robust than under the old law. A personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons” (Art 33 GDPR). In addition, the organisation must assess whether the breach is likely to result in a high risk to the individuals affected and, if so, inform them without undue delay (Art 34 GDPR).
All organisations need to have a breach management policy which sets out how they will identify, contain, assess and report personal data breaches and, equally importantly, they need to train their staff so that anyone who discovers a breach knows who to escalate it to and how quickly. The 72-hour clock starts when the organisation becomes aware of the breach, so delays in internal reporting eat directly into the time available to investigate and notify the ICO.