Top 10 Things to Consider for a Data Breach

2nd October 2018 Media Law

It was a busy weekend in the world of internet security and potential data breaches. On Friday 28 September, Facebook announced that their engineering team had discovered a security issue affecting almost 50 million accounts.

Although their investigation is at an early stage, Facebook have confirmed that the attackers exploited a vulnerability in the platform’s code and were able to use the ‘view as’ feature to steal Facebook access tokens, which are essentially the keys to a Facebook profile. These tokens were then used to take over people’s Facebook accounts.

Facebook’s spokesperson said that they were taking it “incredibly seriously” and that they wanted to let everyone know what’s happened and the “immediate action” they’ve taken to protect people’s security.

The Information Commissioner’s Office (ICO), which is the UK regulator for data protection, have confirmed that they will be making enquiries of Facebook and overseas counterparts to establish the scale of the breach and whether any UK citizens have been affected.

The following day, and in no way linked, there were press reports that a Guardian columnist was able to obtain personal information about Conservative Party Conference delegates, including senior MPs, via the Party’s conference “App”. The columnist, Dawn Foster, posted a tweet to say that she was able to log in to the App as Boris Johnson.

It has since been confirmed by the Conservative Party that an error meant that a third party in possession of a conference attendee’s email address was able to see the attendee’s data, including name, email address, job title and photo. The Conservative Party have also confirmed that the error was resolved within 30 minutes and that it will be reported to the ICO.

The ICO said that organisations have a legal duty to keep personal data safe and secure and that, subject to the facts, under GDPR, organisations must inform the ICO within 72 hours of becoming aware of a personal data breach.

It may be unfair to comment on Facebook and the Conservative Party specifically, given the lack of evidence regarding the underlying issues, but, more importantly, what would you do if your organisation suffered a potential data breach?

I have compiled a “top 10” list of points to consider if your business experiences a data breach.

1. Report

Subject to the facts, you must report the data breach to the ICO without undue delay, and not later than 72 hours after becoming aware of the breach. If you take longer, be prepared to explain the delay to the ICO. Notifying data subjects is often done via email or post, but in some cases a media release may be the only option.

2. Terminology

Know the terminology.

What is a “data controller”? A data controller determines the purpose and means of processing data. In other words, if your company decides how or why data should be used, it’s likely your organisation is a data controller.

What is a data processor? The data processor processes personal data on behalf of a data controller. This could be a third party.

What or who is a data subject? In a nutshell, it is any person whose personal data is being collected, held or processed.

3. Outline

The ICO will require an outline of what has happened and how you were alerted about the breach.

4. Who

You’ll need to tell the ICO how many data subjects are involved.

5. When

When did you discover the breach? This is something the ICO will ask.

6. Correct

Identify the vulnerability in your system and take steps to correct it and contain the problem.

7. Children

If your breach is likely to have involved children, the ICO is likely to apply even greater scrutiny.

8. Consequences

The ICO will ask what the likelihood is that data subjects will experience significant consequences as a result of the breach. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay. Remember, once an individual loses control of their data it could be harmful for them (and costly in many different ways for your business).

9. Impact

Consider the impacts of the data breach on your organisation. Manage your reputation: in business, your reputation is everything, so it’s important to minimise reputational damage.

10. Be real

Talk to people. Nobody likes spin or a robot; they like real people who are genuinely doing their best to resolve the problem.

JMW Solicitors can assist with handling a breach, while also protecting your wider business interests. If you would like to discuss data security further, or if you have been the victim of a data breach, you can call the Data Privacy team on 0345 241 7976.

Dominic Walker is a Solicitor located in Manchester in our Media Law department.