A data breach could occur to any business holding personal information at any time. It is unlikely that unauthorised access will occur at a convenient time!
It is important that you have data breach policies in place within your business. Your employees, and any other internal or external person who stores or deals with personal information, need to be fully trained in this response plan and policy to ensure the most efficient response, both to mitigate the breach and to inform those who must be told. Please see our previous blog post Data Breach Policies.
There are many reporting obligations that you should be aware of and integrate into your internal data breach policies; some of these are set out below.
Keep in mind that it isn’t sufficient just to have the written policy. Once it has been prepared, you also need to implement it and train your staff, so that you and everyone who stores and/or handles personal information knows exactly what to do if a data breach occurs.
Pre-incident preparations
Preparation is important. An organisation should plan in advance to have:
- An “Incident Response Team” (IRT) comprising internal legal representatives, external legal counsel, technology experts, public relations representatives and other relevant subject matter experts.
- An appropriate response plan, tested under a crisis simulation, to engage the IRT.
Immediate and first-response actions (0-5 hours post-incident)
In the hours immediately after an incident:
- Identify the nature, extent and origin of the breach.
- Identify whether the breach is targeted at the organisation or whether it is affecting others.
- A triage call should take place with the organisation and the IRT members to confirm next steps.
- Implement the response plan and establish a secure reporting and communication channel operating separately from the compromised systems.
- Implement any immediate steps to limit the severity and consequences of the breach.
- Consider whether communications should pass through external legal counsel to protect privilege and confidentiality. Produce limited written materials on sensitive issues and avoid mixing matters that may be privileged with other content in communications.
Investigation and response actions (24-48 hours post-incident)
Following the immediate and first-response actions, the organisation should continue to investigate and respond:
- Document the breach.
- Secure evidence and preserve computer logs. Seek external advice from forensic experts where necessary.
- Investigate the vulnerabilities that were exploited to access the information. Seek external advice to remedy any identified deficiencies, to help prevent a recurrence of similar incidents.
- Evaluate any remaining risk and implement mitigation strategies.
- Change security access and passwords as applicable.
- Send evidence preservation letters to service and cloud providers (if applicable) to help track the chain of custody for all physical and digital evidence.
- Develop a public relations strategy.
- Determine who needs to be notified of the breach and other steps to be taken to comply with other laws or regulations. This may include notices to affected individuals, regulators, the stock markets, and any contractually required notices.
We strongly recommend that you check your data breach policies are up to date and have been implemented across your business.
Contact Rankin Business Lawyers for practical, on-point commercial legal guidance.
Stacey Brennan
Lawyer