Guidance - Checklist for information security breaches

The guidance outlines important actions and considerations for the lead investigator when addressing an information security breach that involves personally identifiable information.1 It supports the method statement on data loss and information security breach management.

Step Action points Notes
Containment and recovery: To contain any breach, to limit further damage as far as possible and to seek to recover any lost data.
1 Establish lead for investigating breach. To investigate the extent and nature of the breach, and to contact and co-ordinate with specialists and stakeholders (e.g. Data Protection specialist, IT Services, system owners, External Relations).
2 Ensure lead has appropriate resources. Including sufficient time and authority.
3 Ascertain the scope of the breach and whether any personal data is involved. See ‘Risk assessment’ below.
4 Establish who needs to be made aware of the incident and inform them of what they are expected to do to assist in the containment/recovery exercise.

E.g. Finding lost piece of equipment, changing passwords or access codes, isolating/closing part of network, pulling webpages, informing police, checking any contractual obligations to act/report where data has been supplied under contract (see #19).

If you have any reason to suspect that there is computer misuse ("hacking"), contact the Computer Emergency Response Team, who will provide advice on actions to take and how to preserve evidence. Contact them before rebooting, wiping, reimaging or otherwise altering the affected systems, since doing so may destroy the evidence needed to establish what happened.

https://www.york.ac.uk/it-services/security/contact/

5 Ensure that any possibility of further data loss is removed or mitigated as far as possible. As above. This may involve actions such as taking systems offline or restricting access to systems to a very small number of staff until more is known about the incident.
6 Determine whether anything can be done to recover any losses and limit any damage that may be caused. E.g. physical recovery of data/equipment or, where data has been corrupted, restoration from back-ups.
7 Where appropriate, inform the police. E.g. stolen property, fraudulent activity, or an offence under the Computer Misuse Act.
Risk assessment: To identify and assess the ongoing risks that may be associated with the breach. In particular, an assessment of (a) the potential adverse consequences for individuals and (b) their likelihood, extent and seriousness. Determining the level of risk will help define actions in attempting to mitigate those risks.
8 What type and volume of data is involved?
9 How sensitive is the data? Is it sensitive personal data, either of a very personal nature (e.g. a health record) or sensitive because of what might happen if it were misused (e.g. banking details)?
10 What has happened to the data? E.g. if data has been stolen, it could be used for purposes which are harmful to the individuals to whom the data relate; if it has been damaged, this poses a different type and level of risk.
11 If the data was lost/stolen, were there any protections in place to prevent access/misuse? E.g. encryption of the data or device. Note that encryption only counts as a protection if the key or passphrase was not also compromised, for instance by being written down or stored with the device.
12 If the data was damaged/corrupted/lost, were there protections in place to mitigate the impact of the loss? E.g. back-up tapes/copies.
Additional assessment for breaches involving personal data
13 How many individuals’ personal data are affected by the breach?
14 Who are the individuals whose data has been compromised? Students, applicants, staff, customers, clients or suppliers?
15 What could the data tell a third party about the individual? Could it be misused? Consider this regardless of what has happened to the data. Sensitive data could mean very little to an opportunistic laptop thief while the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people.
16 Is there actual/potential harm that could come to any individuals? E.g. are there risks to:
  • physical safety;
  • emotional wellbeing;
  • reputation;
  • finances;
  • identity (theft/fraud from release of non-public identifiers);
  • or a combination of these and other private aspects of their life?
17 Are there wider consequences to consider? E.g. a risk to public health or loss of public confidence in an important service we provide?
18 Are there others who might advise on risks/courses of action? E.g. If individuals’ bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help you prevent fraudulent use.
Notification: To consider any necessary notification of people and organisations. “Informing people about a breach is not an end in itself. Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions.”
19 Are there any legal, contractual or regulatory requirements to notify? E.g.: terms of funding; contractual obligations; reporting responsibilities for researchers under University’s Research Misconduct Policy (s.2);2 service provider obligations under Privacy and Electronic Communications Regulations?
20 Can notification help the University meet its security obligations under the seventh data protection principle? E.g. prevent any unauthorised access, use or damage to the information or loss of it.
21 Can notification help the individual? Could individuals act on the information provided to mitigate risks (e.g. by changing a password or monitoring their account)?
22 If a large number of people are affected, or there are very serious consequences, inform the Information Commissioner’s Office. This is done through the Director of Information Services: contact and liaise with them before any report is made.
23 Consider the dangers of ‘over notifying’. Not every incident will warrant notification “and notifying a whole 2 million strong customer base of an issue affecting only 2,000 customers may well cause disproportionate enquiries and work”.
24 Consider whom to notify, what you will tell them and how you will communicate the message.
  • There are a number of different ways to notify those affected so consider using the most appropriate one. Always bear in mind the security of the medium as well as the urgency of the situation.
  • Include a description of how and when the breach occurred and what data was involved. Include details of what has already been done to respond to the risks posed by the breach.
  • When notifying individuals give specific and clear advice on the steps they can take to protect themselves and also what the institution is willing to do to help them.
  • Provide a way in which they can contact us for further information or to ask questions about what has occurred (e.g. a contact name, helpline number or a web page).
25 Consider how notification can be made appropriate for particular groups of individuals. E.g. children or vulnerable adults.
26 Consult the ICO guidance on when and how to notify it about breaches.

There is no legal requirement to report security breaches which result in the loss, release or corruption of personal data to the Information Commissioner. Serious breaches should, however, be brought to their attention.

Where there is little risk that individuals would suffer significant detriment, there is no need to report. There should be a presumption to report to the ICO where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm. Cases must be considered on their own merits, and there is no precise rule as to what constitutes a large volume of personal data.

Guidance available from http://www.ico.gov.uk/for_organisations/data_protection/the_guide/principle_7.aspx

27 Consider, as necessary, the need to notify any third parties who can assist in helping or mitigating the impact on individuals. E.g. police, insurers, professional bodies, funders, trade unions, website/system owners, bank/credit card companies.
Evaluation and response: To evaluate the effectiveness of the University’s response to the breach, and to learn and apply any lessons or remedies in the light of findings or experience.
28 Establish where any present or future risks lie. Department and Information Security Board.
29 Consider the data and contexts involved. E.g. what data is held, its extent and sensitivity, where and how it is stored, and how long it is kept.
30 Consider and identify any weak points in existing security measures and procedures. E.g. in relation to methods of storage and/or transmission, use of storage devices, levels of access, systems/network protections.
31 Consider and identify any weak points in levels of security awareness/training. Fill any gaps through training or tailored advice.
32 Report on findings and implement recommendations. Report to Information Security Board.

1 Based on the ‘Guidance on data security breach management’ issued by the Information Commissioner’s Office at http://ico.org.uk/for_organisations/data_protection/~/media/documents/library/Data_Protection/Practical_application/guidance_on_data_security_breach_management.pdf

2 Policy on Research Misconduct (staff): http://www.york.ac.uk/admin/hr/resources/policy/academic_misconduct.htm
Academic misconduct: policies, guidelines and procedures for all programmes of study (students): https://www.york.ac.uk/staff/supporting-students/issues/academic/taught/misconduct/
Policy on Research Integrity: https://www.york.ac.uk/staff/research/governance/policies/