A Guide to Data Breach: Apology Letter Edition
Where to start?
Going about the usual day-to-day business and then suddenly receiving this letter:
First thoughts: as a law firm specialising in data protection and cybersecurity, we regularly work with clients who come to us for help responding to data protection breaches. We advise our clients to prepare for a data breach on the basis of ‘not if but when’. Even so, it was somewhat surprising to receive a letter from my own building; the risk of a data breach there had, in my mind, been kept towards the back. Perhaps that is because the breaches you typically hear about affect large online platforms and networks, not everyday infrastructure such as an office or residential building.
Nonetheless, letters like this are generally sent as a quick and efficient response by an organisation after its data security has been compromised, and they are used to limit any damage the breach may have caused. The organisation must also notify the UK data protection regulator, the Information Commissioner’s Office (“ICO”), without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33 of the UK GDPR), unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the organisation is separately obliged to inform the affected data subjects without undue delay (Article 34).
A letter is the most common way to inform the affected data subjects of a breach; this communication is governed by Article 34 of the UK General Data Protection Regulation (“GDPR”). Typically a letter would cover:
• What has happened: a description of the nature of the personal data breach;
• What the likely consequences of the breach are for the individuals concerned, including, where possible, an explanation of how individuals can tell whether they have been affected;
• What has been done in response to the breach, anything the individuals themselves can do to mitigate the risk, and who can provide further information if required. There should be a clear way for individuals to contact the organisation with any questions or concerns about the breach.
Well, where do I go from here?
In order to understand the breach and the personal data that has been compromised, I have every intention of following up with the organisation so that I can identify exactly what types of data were involved.
The answer could range widely in sensitivity. At the least sensitive end sit my name and street address: a name typed into a search engine can yield data useful to online marketers, but probably not enough to cause serious trouble. More sensitive are email addresses, dates of birth and payment-card account numbers. A stolen email address may result in increased spam; a stolen credit card will often result in fraudulent charges, although the card holder is in many cases protected from liability. A date of birth by itself is of little use, but combined with a name it is more valuable than an address, because it never changes and is often used to verify identity; for some providers, a name, a date of birth and an address are all it takes to open a credit card. The most sensitive forms of data include online-account passwords, passport numbers, financial-account numbers and payment-card security codes.
Once that is established, I will be able to decide what action I need to take, such as changing online passwords or contacting my bank, if necessary. I can also look out for details of any investigation or enforcement action by the ICO in due course. In some instances, such as the cases involving BA and Marriott or Oracle and Salesforce, affected data subjects might launch a class action against the organisation that lost their personal data, though the likelihood of any such claim will depend on the sensitivity of the personal data that has been compromised. It might be worth speaking with my neighbours: we may have a class action on our hands!