Data breach response policies are essential for organizations of any size. A response policy should outline how your company will respond in the event of a data breach, and lay out an action plan that will be used to investigate potential breaches to mitigate damage should a breach occur.
Defining a Data Breach
A data breach is an incident where Personal Identifying Information (PII) is accessed and/or stolen by an unauthorized individual. Examples of PII include:
- Social insurance numbers
- Credit card information (credit card numbers – whole or part; credit card expiration dates; cardholder names; cardholder addresses)
- Tax identification information numbers (social insurance numbers; business identification numbers; employer identification numbers)
- Biometric records (fingerprints; DNA; retinal patterns and other measurements of physical characteristics for use in verifying the identity of individuals)
- Payroll information (paycheques; paystubs)
- Medical information for any employee or customer (doctor names and claims; insurance claims; prescriptions; any related personal medical information)
- Other personal information of a customer, employee or contractor (dates of birth; addresses; phone numbers; maiden names; names; customer numbers)
Breach Containment and Preliminary Assessment
A breach or a suspected breach of PII must be immediately investigated and contained. Since all PII is of a highly confidential nature, only personnel necessary for the data breach investigation should be informed of the breach. The following information must be reported to appropriate management personnel:
- When (date and time) did the breach happen?
- How did the breach happen?
- What types of PII were possibly compromised? (Be as detailed as possible: name; name and social insurance number; name, account and password; etc.)
- How many customers may be affected?
Evaluation of the Risks Associated with the Breach
Once basic information about the breach has been established, management should make a record of events and people involved, as well as any discoveries made over the course of the investigation to determine whether or not a breach has occurred.
After the breach has been verified and contained, perform a risk assessment that rates the:
- Sensitivity of the PII lost (customer contact information by itself may present much less of a threat than financial information)
- Amount of PII lost and number of individuals affected
- Likelihood PII is usable or may cause harm
- Likelihood the PII was intentionally targeted (increases chance for fraudulent use)
- Strength and effectiveness of security technologies protecting PII (e.g., encrypted PII on a stolen laptop, which is technically stolen PII, will be much more difficult for a criminal to access)
- Ability of your company to mitigate the risk of harm
Each jurisdiction has different provisions for reporting a data breach. In some jurisdictions, impacted customers must be notified before a certain amount of time has passed. Check with legal council or your representative at Axis Insurance Group regarding the regulations in your jurisdiction.
In addition to the affected clients, a company that has suffered a data breach is also encouraged to notify the appropriate Privacy Commissioner(s). In some jurisdictions, notification of the Privacy Commissioner is mandatory. In other jurisdictions, it is only recommended.
With the increased usage of technology in people’s lives to stay connected while mostly working from home, cybersecurity threats have also become a growing issue and require proper assessments to manage any security gaps and risks that can harm your business.
Therefore, it’s important to conduct proper cyber assessments to mitigate the possibility of having your company’s cybersecurity system breached.
Get a FREE Cyber Risk Assessment to see if you're properly protecting your business from cyber risks: