Data breach incidents and reports pertaining to it have become more common in the recent years.
The trend is quite alarming and has proven that it is inevitable for an organisation to suffer from a data breach.
No one is exempted as organisations like social media platforms, government agencies, health service providers and financial institutions have all fallen prey.
Although some organisations are protected by technology, those same systems remain exposed to breaches caused by human error, which are more difficult to guard against.
There are now laws in place that govern and provide steps for the proper handling of data breaches.
The Data Privacy Act of 2012 (DPA) of the Philippines, for instance, requires all entities processing personal data to have security measures in place.
These measures include notification protocols vis-à-vis the National Privacy Commission (NPC) and the individuals affected by a breach.
It would be good for an organisation to have a clear plan of action when dealing with this threat.
Some recommended steps to consider when limiting the harm or negative effects of a breach include containing the breach; assessing the risks and impact; notifying appropriate agencies and affected individuals; and evaluating the response.
Containing the breach requires isolating the compromised system, if possible. If the cause of the breach is by known vulnerabilities and bugs of the system, address them as soon as possible.
If the situation was caused by an unauthorised access to an electronic or digital system, it is recommended to change access rights, temporarily remove any external outlets, and reset passwords.
When assessing the risks and impact of the breach, a detailed evaluation of the breach must be conducted. This will give the organisation a better understanding of the risks and the impacts.
Several questions may serve as guide in assessing the situation. “What type of personal data was compromised?” can determine the level of risk the breach has posed to the affected individuals.
“Who and how many individuals are affected?” will pinpoint the type and number of individuals affected. The more people are involved, the greater the risk is.
“What caused the breach?” will help determine the proper steps to be taken to mitigate its impact. Knowing if it was from a cyberattack, system malfunction, or human error may give information as to how the data may be secured or recovered.
Moreover, it will help identify the measures that could prevent the same event from happening again.
“What possible harm could it cause to the organisation and affected individuals?” will anticipate all possible negative outcomes and will allow a more informed response from the organisation.
Organisations should also notify appropriate agencies and the affected individuals.
Government agencies can help resolve the problem if it requires their technical expertise. Law enforcement can also assist in catching the culprits if they happen to be criminals or fraudsters.
Once informed, the affected individuals can be more alert about any suspicious transactions involving their personal data.
In evaluating their response, the organisation will be able to determine the propriety and effectiveness of their steps.
A data breach can never be predicted. Organisations can only prepare by implementing measures designed to minimise its chances of happening as well as steps it will follow, when it does.