How should your small business report a data security breach?
According to government estimates, 43% of UK businesses suffered a cyber attack in the 12 months to December 2017, as revealed by the Cyber Security Breaches Survey 2018. The most common attacks were fraudulent emails, followed by cyber criminals “impersonating an organisation online” and malware and virus attacks.
The statistics for large businesses were even more alarming, with 72% of large firms having identified a breach or attack. The average cost for large firms was £9,260, although some attacks cost significantly more.
The Federation of Small Businesses estimates that cyber criminals targeted 2.9m UK businesses in 2016, resulting in losses worth £29bn. The FSB believes that as many as two thirds of UK small businesses were affected by cyber crime between 2014 and 2016. And experts agree – cyber crime is a growing problem, one that businesses can’t afford to ignore.
Cyber security guidance
More businesses are now using the government-backed, industry-supported Cyber Essentials scheme. It’s an online source of expert guidance that seeks to help businesses to better protect themselves against common cyber threats and “demonstrate their commitment to cyber security”.
The National Cyber Security Centre (part of GCHQ) has published cyber security guidance for small businesses, and the Government is urging small businesses to take immediate steps to better protect themselves from cyber crime. This is especially relevant since the introduction of the GDPR (ie the General Data Protection Regulation), which, together with the new Data Protection Act 2018 (DPA), is key to the UK’s data protection regulatory regime.
Elizabeth Denham is the Information Commissioner. Her organisation, the Information Commissioner’s Office (ICO), is the UK’s independent national data protection authority, which is responsible for “upholding information rights in the public interest”. It can take action against businesses that fail to live up to their legal responsibilities when it comes to data – up to and including criminal prosecution.
Reporting data security breaches
Denham says she understands that there will be attempts to breach systems. But, she adds: “Organisations need to take steps to protect themselves against the criminals. I’d encourage organisations to use the new regulations [GDPR] as an opportunity to focus on data protection and data security.”
So, what should you do if your small business is attacked and your cyber security is breached? According to the ICO, under the GDPR or DPA 2018, organisations have a duty to report certain types of personal data breach to the ICO “within 72 hours of becoming aware of the breach, where feasible”.
If there’s a high risk that the breach will impact a person’s rights and freedoms, you must inform them of this straight away. Having “robust breach detection, investigation and internal reporting procedures” can help you to decide whether either step is required. The ICO adds: “You must also keep a record of any personal data breaches, regardless of whether you are required to notify”.
Better to be safe
As an example, the ICO says notification would be necessary following the theft of a customer database where the data could be used to commit identity fraud. However: “You would not normally need to notify the ICO about the loss or inappropriate alteration of a staff telephone list”.
The ICO has brought together resources on breach management and reporting personal data breaches, including a YouTube video. Failing to notify a breach when required can lead to a hefty fine as well as other measures imposed on your business, so it’s advisable to take steps to better protect your IT and data and to “have a robust breach-reporting process to ensure you detect and can notify a breach, on time and [give] the necessary details.”
- Blog written by SME content expert Mark Williams.