Data Breaches: Part 3 – Next Steps


This article explains 4 general steps that can be followed once a data breach has occurred.

Data breaches are becoming increasingly prevalent as businesses depend more heavily on technology. A data or privacy breach occurs when confidential information is lost or accessed without authorization. These breaches can be triggered and intensified by a variety of factors, usually involve different types of personal information, and can cause a range of potential or actual harm to individuals and businesses. For that reason there is no single clear-cut way of responding to a data breach. Each breach needs to be dealt with on a case-by-case basis after assessing the risks and deciding on the actions that would be most effective. Also, keep in mind that while an IT professional will usually need to help with these steps, it is important to know the business’s own responsibilities when a data breach occurs. In this article, we will discuss 4 general steps that can be followed once a data breach has occurred.

For more information on different types of data breaches see Part 1 in this series, and for potential consequences see Part 2.

1. Contain

Once a business realizes, or even suspects, that a data breach has occurred, immediate action should be taken to limit the data that is compromised or stolen. This could include stopping the unauthorized practice, recovering the records, or shutting down the system that was breached. If shutting down the system would destroy evidence, instead revoke or change the physical or electronic access privileges involved. Make sure to contact the privacy officer, IT, or whoever is in charge of privacy and security for the company. In this stage it is very important that information is not lost, as it becomes evidence if a formal case needs to be opened and is used to identify the cause of the breach and the risks posed to affected individuals or the business.

Here are some great questions that may help when identifying strategies to contain a data breach:

      • How did the data breach occur?
      • Is the information still being shared, disclosed, or lost without authorisation?
      • Who has access to the information?
      • What can be done to secure the information, or stop the unauthorised access or disclosure, and reduce the risk of harm to affected individuals?

2. Assess

To help determine what further steps are necessary, the next crucial step is assessing the risks associated with the breach. This involves gathering as much information as possible about the data breach to build a full picture. It is important to understand that confidential and private information is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA), which requires you to keep records of all breaches of security safeguards involving personal information under your control, and to keep those records for a minimum of 2 years. To put it simply – there must be a record of every breach of security safeguards.

At minimum, the record should include:

      • Date or estimated date of the breach
      • General description of the circumstances of the breach
      • Nature of information involved in the breach
      • Whether the breach was reported to the Privacy Commissioner of Canada, and whether affected individuals were notified (see step 3 for more information)

Part of the assessment also includes identifying if there could be a real risk of significant harm (RROSH) resulting from the breach. This is critical, as it is mandatory to report data breaches that pose a RROSH to the Privacy Commissioner of Canada. We will discuss this mandatory reporting further in step 3.

Consider the following questions when conducting the assessment:

      • What type or types of personal information were involved in the data breach?
      • What are the circumstances of the data breach, including its cause and extent?
      • What is the nature of the harm to affected individuals?
      • Can this harm be removed through corrective action?

3. Notify

The Office of the Privacy Commissioner of Canada (OPC) clarifies the mandatory reporting of data breaches on its website, and also has a video series on the subject. All breaches of security safeguards must be reported to the OPC if there is a real risk of significant harm (RROSH), by submitting a PIPEDA breach report form. There is also a requirement to notify the individuals affected by the breach if there is a RROSH. The requirements for what must be included in the notification, as well as the notification methods (direct and indirect), are set out in the regulations under PIPEDA, and are also explained in Part 4 of the OPC’s “What you need to know about mandatory reporting of breaches of security safeguards.”

Notification provides individuals with the opportunity to take steps to protect their personal information following a data breach, such as changing account passwords or being alert to possible scams resulting from the breach. Effective data breach response is about reducing or removing harm to affected individuals, while protecting the interests of the business.

4. Review

The final step involves reviewing the incident in order to learn from it and improve security practices. This may involve a security review with a root cause analysis of the data breach. It is valuable to compare each data breach to previous breaches, as this can pinpoint similarities that could indicate issues with policies and procedures.

The goal of this review is to use the lessons learned to create a proper prevention plan that will strengthen the handling of personal information and reduce the chance of a recurrence. Prevention will be explained in full in Part 4 of this series.

Steps Towards Safety

Data breaches can be a scary occurrence within a business; however, there are simple steps that can be followed to reduce the damage caused to affected individuals and the business. Containing the breach, assessing the risks of the breach with proper records, reporting to the necessary entities and individuals, and learning from the incident are all steps towards the safety of personal information.

Check out Part 4 in this series, which will explain possibly the most important aspect of data breaches: Prevention!
