Data breach: Ready, set … react

D&I Quarterly Q4/2015

Posted on

3 Nov


Dittmar & Indrenius > Insight > Data breach: Ready, set … react

The Ashley Madison hacking has thrown data security right in the limelight. In the aftershock of events, companies are realizing that it could be them next.

A quick reaction can ultimately alter your company’s ability to control the media’s post data breach field day and resulting bad will. In practice, this requires prior planning and efficient execution.

In Finland, express data security provisions set a very loosely knit web of obligations for companies. As a result, too many companies have left data security completely to “the IT guys”.

Every employee counts – data security is not just the “IT guy’s” thing

However, data security goes beyond the IT department. Without the combination of both technical and administrational data security, the safety of your company’s data is as good as your company’s most careless employee.

So what is “administrational data security”? Administrational data security is all about preventing human and technical errors through planning, instructing and monitoring employees, and reacting to all occurring data security issues efficiently.

Data security can never be air tight so are you ready to react to a data breach?

However, at the end of the day, the reality is that data security can never be airtight. Therefore, it’s good to remember that what is not there, cannot be taken. Solution: store only what you really need.

5 tips to get your company started:

  1. Audit. Periodically identify your company’s main data security risks, legal obligations (e.g. obligations to inform regulatory authorities of data breaches) and your staff’s ability to react to a data breach;
  2. Appoint. Put someone in charge of preventive data security planning, monitoring and reacting to suspected and confirmed data breaches;
  3. Bind others. Take a look at your contracts and ensure that all third party vendors acting on your behalf are (i) held to the same standards as your own employees, (ii) obliged to inform you of suspected and confirmed data security breaches, and (iii) are not allowed to inform others of such breaches without your express prior consent;
  4. Instruct. Put a Data Security Policy in place and bind your employees to it through each employee’s employment contract; and
  5. Monitor. Plan and execute monitoring activities. When doing so, keep in mind that Finnish legislation sets out exceptionally severe restrictions regarding employee monitoring.

Share this