A data breach occurs when the data for which an organization is responsible for suffers a security incident resulting in a breach of confidentiality, availability or integrity.
Furthermore, a data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve financial information such as credit card & debit card details, bank details, personal health information (PHI), Personally Identifiable Information (PII), trade secrets of corporations or intellectual property. Most data breaches involve overexposed and vulnerable unstructured data – files, documents, and sensitive information.
Additionally, Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal data transmitted, stored or otherwise processed.
If that occurs, and the breach is likely to pose a risk to an individual’s rights and freedoms, the organization has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach.
If the data breach poses a high risk to those individuals affected, then they should all also be informed, unless there are effective technical and organizational protection measures that have been put in place, or other measures that ensure that the risk is no longer likely to materialize.
Personal data breaches can include:
- access by an unauthorized third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
Since Futureview collects, processes, holds and shares personal data adequate care is taken to protect personal data from incidents which can be accidental or deliberate to obviate data protection breach that could jeopardize security thereby resulting to reputational damage, epileptic service and financial loss.
Purpose & Scope:
The main objective of this policy is to avoid breaches, but where it occur to minimize the risk, decipher measures to adopt to protect personal data and avoid more breaches.
To this end, Futureview will:
- Put in place an institutional framework aimed at ensuring security of all personal data throughout its life cycle
- Adopt effective procedures that will be consistent in managing personal and special category (sensitive) data breach and security incidents.
- Ensure that all employees including temporary, contractors, consultants, suppliers are covered.
Type of Breaches:
- Postal Breach – occurs where someone’s envelope contains two further letters addressed to other people.
This can be controlled by adopting the following measures:
- Address personal information to a named person
- Consider using tracked or recorded delivery for personal information
- Case notes to be sent in robust approved packaging.
- Email Breach – occurs where email has been pawned, meaning that the security of an account has been compromised, which could be passwords and email addresses ending up in the hands of cyber criminals or when cybercriminals hack into organizations databases and steal sensitive information. The data, which is exposed to the public, can include, passwords, account numbers, correspondence, names, home addresses, Social Security numbers and more.
Before emailing any external parties; Futureview will:
- Check whether it is acceptable to send personal information
- Confirm the accuracy of the email addresses
- Check that everyone on the copy list has a genuine need to know
- Use the minimum identifiable information (e.g NHIS number)
- Check encryption requirements
Where email needs to be sent to an unsecure recipient:
- Check they understand and accept the risks or
- If you can encrypt the mail
- Phone Breach – entails using phone numbers and names to send out SMS-based phishing messages that are crafted in a way that’s a little bit more believable
Measures Futureview put in place:
- Confirm the enquirer’s name, job title and organization
- Confirm the reason is appropriate
- Take a contact phone number, eg. main switchboard number
- Check whether the information can be provided – if in doubt, tell the enquirer you will call them back
- Provide the information only to the enquirer.
- Record your name and details about disclosure, along with recipient’s details
It is also noteworthy that data security breaches include both confirmed and suspected incidents.
An incident is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to Futureview information assets and /or reputation.
An incident includes, but is not limited to:
- loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record);
- equipment theft or failure;
- system failure;
- unauthorized use of, access to or modification of data or information systems;
- attempts (failed or successful) to gain unauthorized access to information or IT system(s);
- unauthorized disclosure of sensitive /confidential data;
- website defacement;
- hacking attack;
- unforeseen circumstances such as a fire or flood;
- human error;
- ‘blagging’ offences where information is obtained by deceiving the organization who holds it.
Reporting Incidents:
Where a data breach occurs it must be reported immediately to Data Protection Officer (DPO) through this email address: [email protected]. giving full details such as:
- When the breach occurred regarding date and time
- How did it happen
- Where it happened as in which section or department, or type of data was compromised
- What business activity was going on when it happened
The DPO will assess the extent of breach in conjunction with Head ICT, and Head Internal Control Department to ascertain the severity and commence investigation immediately and where possible within 24 hours of the breach being reported.
Investigation will cover areas like:
- Type of data involved
- It’s sensitivity
- Whether encryption is in place
- Was the data lost or stolen
- Will the data be put to illegal or inappropriate use?
- Are data subjects affected, if yes, what is the number and possible effects on the data subjects
- Are there broader consequences to the breach
The DPO and team based on the outcome of the investigation, will decide if relevant authorities will be notified of the breach. If on the affirmative, will notify NITDA not later than 72 hours of occurrence.
Where the breach is likely to result in a high risk to the rights and freedoms of individuals under Data Protection Legislation, data subjects should be notified without undue delay. Notification will capture areas like:
- How and when the breach occurred
- Data involved
- Actions already taken to mitigate risks
- Contact details should they require further clarification on the issue.
The DPO, having satisfactorily contained the incident, will review, among other things:
- Cause of the breach
- Response time
- Adequacy of policies and procedures as well as existing controls
- Storage of personal data
- Security of data transmission
Policy Review:
The policy will be updated to mirror best practice, thereby ensuring compliance with changes or amendments to applicable legislation and will be reviewed annually.