Data breach: What to do if it has happened?

There have been major data breaches in the last few years, affecting hundreds of millions of individuals whose personal information was disclosed to criminals. You may think of Home Depot or Sony, but probably the most prominent data breach happened to governmental systems, and the information involved led to a transatlantic earthquake. You may remember that case, usually referred to as “Wikileaks”.

If you are subject to a data breach, it is unlikely to have a similar impact on the world’s political ecosystem. Nevertheless, the consequences may very well affect you and your business.

So, a breach has happened and you followed my recommendation to be prepared for such a disaster? Then stay calm and carry on with the next steps. But don’t forget: time is crucial.

1. The first minutes

  • Fix your systems. If you have no clue what happened, collect the facts first. Have your systems been compromised? Get them back in shape. Has one of your recently fired former employees stolen the data? Shut down his account. I guess you get the idea of what I mean by “fix your systems”.
  • Inform the relevant people in your firm and trigger the respective actions. Have your people followed the policies and procedures accordingly? If so, great job. If not, give them more training next time.
  • Start collecting evidence of the breach, e.g. log files which can later show that your systems were state of the art and up to date.
  • Inform your insurer.

2. The first hours

  • Check the legal impact. Do you have to fulfil any statutory requirements or meet any deadlines?
  • Does it make sense (or is it mandatory) to inform the authorities?
  • Get your tech staff and communications together in one room and do not let them out before communications has understood what happened.
  • Draft the in-house information first, together with legal. What do your employees need to know? And what do you want them to know?

3. The first days

  • Finish collecting evidence. Store it on file, including relevant copies and backups. Let your tech people draft proper documentation.
  • Draft with communications the relevant details for the external-communication playbook, and have a communication strategy in place for how your company wants to handle this breach.
  • Screen your obligations from contracts with third parties in your contract management tool.
  • Do you have to (or want to) inform the affected data subjects?
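The evidence-collection steps in the first minutes and the first days above share one practical problem: copies of log files are only useful later (to an insurer, a regulator or a court) if you can show they were not altered after collection. The script below is an added example, not code from the original post; it writes constructed sample log files (not real data), seals them in a JSON manifest with SHA-256 hashes, a UTC timestamp and a placeholder collector name, and then shows that a later edit to one of the files is detected when the manifest is re-verified. Directory and file names are assumptions for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample log content standing in for the files you would collect.
SAMPLE_LOGS = {
    "auth.log": "Jan 10 02:13:07 srv1 sshd[4412]: Accepted publickey for deploy from 10.0.0.5\n",
    "patch-status.txt": "kernel 5.15.0-91 applied 2024-01-08\nopenssl 3.0.2 applied 2024-01-08\n",
}

MANIFEST_NAME = "MANIFEST.json"


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector):
    """Record path, size and SHA-256 of every collected file, plus who sealed it and when."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            if name == MANIFEST_NAME:
                continue
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": os.path.getsize(path),
                "sha256": sha256_of_file(path),
            })
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "files": entries,
    }
    with open(os.path.join(evidence_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(evidence_dir):
    """Return the files whose current hash no longer matches the manifest (empty list = intact)."""
    with open(os.path.join(evidence_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    mismatches = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path) or sha256_of_file(path) != entry["sha256"]:
            mismatches.append(entry["path"])
    return mismatches


def demo():
    """Seal the constructed samples, then show that a later edit to auth.log is detected."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence-")
    for name, content in SAMPLE_LOGS.items():
        with open(os.path.join(evidence_dir, name), "w") as f:
            f.write(content)
    manifest = build_manifest(evidence_dir, collector="it-ops (placeholder name)")
    intact = verify_manifest(evidence_dir)          # expected: []
    # Simulate a well-meaning "clean-up" of a log after it was sealed.
    with open(os.path.join(evidence_dir, "auth.log"), "a") as f:
        f.write("Jan 10 02:14:00 srv1 sshd[4412]: session closed\n")
    tampered = verify_manifest(evidence_dir)        # expected: ["auth.log"]
    return len(manifest["files"]), intact, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself should be stored somewhere the collection team cannot rewrite (a write-once share, a printed and signed copy, or a copy sent to legal), because a hash list only proves integrity from the moment it was taken; the timestamp and collector fields are what let you later document who did what and when.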

One of the keys to successfully handling a data breach is to be consistent and to have an aligned approach across your company towards customers, contractors and the authorities. And consider that taking responsibility for the breach and communicating openly may be rewarded (and at least partly avoids bad press).