Data Breach Policy
Data security breaches are increasingly common, whether caused by human error or by malicious intent. As the volume of data grows and technology develops, new ways for data to be breached emerge. CyberCNS needs a robust and systematic process for responding to any reported data security breach, so that it can act responsibly and protect the personal data it holds.
The aim of this policy is to standardize the Company’s response to any data breach and ensure that they are appropriately logged and managed in accordance with the law and best practice, so that:
- incidents are reported swiftly and can be properly investigated
- incidents are dealt with in a timely manner and normal operations restored
- incidents are recorded and documented
- the impact of the incident is understood, and action is taken to prevent further damage
- the ICO (Information Commissioner's Office) and data subjects are informed as required in more serious cases
- incidents are reviewed, and lessons learned
Article 4(12) of the General Data Protection Regulation ("GDPR") defines a personal data breach as:
"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
CyberCNS (‘the Company’) is obliged to act in respect of such data breaches. This procedure sets out how the Company will manage a report of a suspected data security breach.
The aim is to ensure that where data is misdirected, lost, hacked or stolen, inappropriately accessed or damaged, the incident is properly investigated and reported, and any necessary action is taken to rectify the situation.
A data security breach can come in many forms, but the most common are as follows:
- Loss or theft of paper or other hard copy
- Data posted, emailed or faxed to the incorrect recipient
- Loss or theft of equipment on which data is stored
- Inappropriate sharing or dissemination of data
- Staff accessing information to which they are not entitled
- Hacking, malware, data corruption
- Information is obtained by deception or “blagging”
- Equipment failure, fire or flood
- Unescorted visitors accessing data
- Non-secure disposal of data
In any situation where Customers (including MSPs, end-customers and other Channel partners) are uncertain whether an incident constitutes a breach of security, please report it to email@example.com.
This policy applies to all users of CyberCNS’s products and services.
5. Reporting a Breach
Internally, suspected data security breaches should be reported promptly to firstname.lastname@example.org. The report must contain full and accurate details of the incident, including who is reporting the incident [and what classification of data is involved].
Where a breach is likely to result in a risk to the rights and freedoms of individuals, the Company must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If the ICO is notified later than 72 hours, the notification must explain the reasons for the delay. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (subject to certain exceptions).
The Company must maintain documentation on data breaches, their nature and remedial action taken.
6. Data Breach Management Plan
The Company's response to any reported data security breach will involve the following four elements:
A. Containment and Recovery
B. Assessment of Risks
C. Consideration of Further Notification
D. Evaluation and Response
Each of these four elements must be conducted in accordance with the checklist. An activity log recording the timeline of the incident management should also be completed.
Officers, members, contractors, visitors or partner organizations who act in breach of this policy may be subject to disciplinary procedures or other appropriate action.