Managing a Data Breach

September 15th, 2020

The recent personal data breach in the cabinet office highlights the importance of managing and processing personal data.

The personal data breach by the Cabinet Office in respect of those named in the 2019 New Year’s Honours List, which saw the addresses of virtually all those recognised with an honour published on the official government website, has once again shone the spotlight on the importance of managing the process of protecting personal data, ensuring that steps are taken in a prompt and efficient manner if a data breach takes place.

What happened?

On 27^th December 2019, a file containing the full list of recipients of a New Year’s honour was uploaded to the Government’s website. The file is alleged to have contained the details of virtually all recipients’ addresses, including those of celebrities such as the singer Elton John, cricketer Ben Stokes, presenter Gabby Logan and chef Ainsley Harriott. The details could be viewed by the general public for a number of hours before the file was eventually removed from the website the following day, by which time the error had hit the front pages of the national newspapers, calls for a public inquiry had begun and the breach had been labelled as a ‘complete disaster’ by a former Cabinet minister.

What must my business do in the event of a data breach?

Chiefly, under the new data protection laws, it is vital than upon discovering any personal data breach which could risk an individual’s rights and freedoms, you must notify the Information Commissioner’s Office (‘ICO’) within 72 hours of you becoming aware of it.

When notifying the ICO, you must, insofar as possible, give details of the nature of the data breach including the categories and number of individuals and data records concerns, details of your business’ Data Protection Officer (if any), your understanding of the potential consequences of the breach and a description of the measures taken – or proposed to be taken – by the business in order to mitigate the breach.

If there has been a breach which is likely to result in a particularly high risk to the rights and freedoms of individuals, the legislation states that you must inform those concerned as soon as possible. The rationale for this is so that the individuals can then also take steps to protect themselves from the fallout from the data breach. The individuals concerns should be provided with a point of contact at the business (most likely the business’ Data Protection Officer), a description of the likely consequences of the data breach and a description of the measures taken – or proposed to be taken – by the business in order to mitigate the breach.

Data breach penalties

Reporting a notifiable data breach to the ICO is of vital importance. Failure to do so can result in a significant penalty to the business, namely a fine of up to 10m Euros or 2% of the business’ global turnover.

What steps can be taken to prevent this occurring again?

The business should undertake a root-and-branch review of its processes and procedures to locate the cause and reasons behind why the data breach occurred and how it came to happen. The business will need to be able to locate this point of weakness and then it can work to strengthen its existing procedures or indeed implement need processes in order to enhance its protection and safekeeping of the personal data that it processes.

Typical practical steps that can be taken to prevent a recurrence of a personal data breach include:

providing training and regular updates to staff;
undertaking a thorough security and data protection audit;
implementing or updating internal and external data protection policies and data processing agreements;
implementing or updating disaster recovery and data breach plans;
ensuring practical measures are adhered to, including encrypting devices and data, maintaining strong passwords, locking computers when they are left unattended, keeping confidential information in locked drawers etc.

How Can Verisona Law Help Me and My Business?

At Verisona Law, we can assist you and your business in preparing for the GDPR and ensuring your business is compliant by:

reviewing your business’s data protection and privacy policies;
reviewing your business’s data processing agreements;
carrying out a data audit of your business;
providing training to your business’s staff and board members; and
assisting your business in the event of it suffering a personal data breach.

If you would like further information, please contact Grant Usher (Associate) at grant.usher@verisonalaw.com or via telephone on 023 9231 2058.

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
ss	session	This cookie is set by the provider Eventbrite. This cookie is used for the functionality of website chat-box function.
TawkConnectionTime	session	Tawk.to, a live chat functionality, sets this cookie. For improved service, this cookie helps remember users so that previous chats can be linked together.

Cookie	Duration	Description
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_162540320_1	1 minute	Set by Google to distinguish users.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.

Cookie	Duration	Description
SESSION	session	No description
SSESS222b3b7a108c04c59d8dc51702d5aaa2	session	No description