Treat data risk mitigation as an equal priority to other aspects of your response
Be aware of the data risks. Your initial attention is likely to be focused on service disruption, but make sure you also begin the work of assessing potential data risks right away. Do this at the same time as you start your investigation of the technical causes of the incident.
Take a precautionary approach
You may be uncertain about whether data has been stolen or where it might be published or inappropriately shared. It might not be possible to identify exactly which data sets have been compromised, even if you are able to confirm that data has been stolen. You will need to take a precautionary approach. This means starting by assuming that sensitive data has been stolen, preparing mitigations against that, and only stepping those down when you are confident that they are no longer needed.
Attackers will use any information they can gain about your response to exercise leverage against you. The information you share and communicate might therefore affect the data risks. For example, take care to avoid communicating information that might help an attacker identify which data sets present greater risk to the council or to the people whose data has been stolen.
Set up a team focussed on responding to data risks
This is part of mobilising your response. Think broadly about the skills and expertise you will need. This is likely to include colleagues from information governance/data protection, data analysts, legal, and insurance, as well as key partners (for example the Police and National Crime Agency (NCA)) who have shared data with you. Establish a core response team and identify your collaborators and supporters. The healthy teaming section will be helpful here.
As this core team is likely to include people from other organisations, agree how you will communicate securely with those partners. This includes how you will share any data that is needed to support the investigation.
Engage your insurance team early
Consider how you will prepare against potential liability claims arising from the incident. Engage your insurance team early and make sure you seek out effective legal advice to support your response.
You will need to understand the risks associated with any datasets that may have been stolen. Your Information Asset Register or Record of Processing Activity should help you identify which data might be higher risk. Make sure to assess the risks to any third party data you handle, and that you understand where that data currently resides.
Use advice from the ICO to help you design your response
The ICO publishes advice on how to manage personal data breaches. If you have determined that the incident reaches the threshold for ICO notification, make early contact with the ICO so that you can take their advice on your data breach response if you need to.
Plan and test your response for potential data publication
Once you have your data protection response teams and partnerships in place, work quickly to develop a clear plan that you can activate if stolen data is published by the attackers. It’s not uncommon for data to be published by attackers on the dark web.
Test your plan with the people who will need to deliver the response – this will highlight any gaps and help you to build confidence in your response.
Plan to tackle specific data impacts
Identify in advance the steps you would take if particular datasets became accessible without authorisation or were published. Carefully consider what would trigger each of these steps.
Include data analysts in the response team so you can work with larger volumes of data at pace. Follow up with data owners in council services to make sure that you understand the potential impacts and plan mitigations in the event of data having been released.
Your plan should set out how you will review and triage data to assess risk and determine appropriate actions, such as individual notifications and other risk measures. Where large volumes of data are involved, you may be able to use technology tools (including AI) to support the triage process.
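As an added illustration of what a triage step over large volumes of data can look like, the following Python script (example code written for this page, not a tool from the guidance or any council) scans a set of constructed file extracts for indicators that raise the risk rating: UK National Insurance numbers, payment card numbers confirmed by a Luhn check, and safeguarding and health keywords. It then ranks the files and suggests a review action for each. The indicator list, the weights and the recommended actions are assumptions for the example; a real plan would take them from the Information Asset Register and the data owners.

```python
"""Data-triage helper: scores extracts of potentially stolen or published files by
sensitivity so the response team can prioritise review and notification decisions.
Added example; the scoring scheme and sample records are assumptions, not council policy."""
import re
from dataclasses import dataclass, field

# Detectors for categories of personal data that typically raise the risk rating.
# Simplified NI number format: two letters (some prefix letters excluded), six digits, suffix A-D.
NI_NUMBER = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")
# Candidate payment card numbers (13-19 digits, optional spaces or dashes); confirmed by Luhn below.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SAFEGUARDING_TERMS = ("looked after child", "domestic abuse", "social worker", "care plan")
HEALTH_TERMS = ("diagnosis", "medication", "mental health")

# Assumed weights: higher-sensitivity categories dominate the ranking.
WEIGHTS = {"ni_numbers": 3, "card_numbers": 5, "safeguarding": 8, "health": 6}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out phone numbers and reference ids that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_indicators(text: str) -> dict:
    """Count each category of sensitive-data indicator found in one extract."""
    lowered = text.lower()
    cards = [m.group(0) for m in CARD_CANDIDATE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]
    return {
        "ni_numbers": len(NI_NUMBER.findall(text)),
        "card_numbers": len(cards),
        "safeguarding": sum(lowered.count(t) for t in SAFEGUARDING_TERMS),
        "health": sum(lowered.count(t) for t in HEALTH_TERMS),
    }


@dataclass
class Dataset:
    name: str
    owner: str                     # service team that owns the data, for follow-up
    content: str                   # extract of the file under review
    indicators: dict = field(default_factory=dict)
    score: int = 0


def triage(datasets):
    """Score every dataset and return them ranked, highest risk first."""
    for ds in datasets:
        ds.indicators = find_indicators(ds.content)
        ds.score = sum(WEIGHTS[k] * v for k, v in ds.indicators.items())
    return sorted(datasets, key=lambda d: d.score, reverse=True)


def recommended_action(ds: Dataset) -> str:
    """Map the indicators to a first review action (assumed mapping for the example)."""
    if ds.indicators["safeguarding"] or ds.indicators["health"]:
        return "priority: safeguarding lead review, individual notification plan"
    if ds.indicators["card_numbers"] or ds.indicators["ni_numbers"]:
        return "individual notification and identity fraud protection offer"
    return "log and monitor; no personal-data indicators found"


# Constructed sample extracts (not real data).
SAMPLE = [
    Dataset("parking-permits-2023.csv", "Parking",
            "Permit P-1001, reg AB12 CDE, contact 07700 900123"),
    Dataset("housing-benefit-export.csv", "Benefits",
            "Claimant AB123456C, NI AB123456C, card 4111 1111 1111 1111"),
    Dataset("childrens-services-notes.txt", "Children's Services",
            "Care plan review for looked after child; social worker visit booked"),
]

if __name__ == "__main__":
    for ds in triage(SAMPLE):
        print(f"{ds.score:3d}  {ds.name:32s} owner={ds.owner:20s} -> {recommended_action(ds)}")
```

The output places the children's services notes first, the benefits export second and the parking file last, with the owning service named so the follow-up with data owners described above can start from the ranked list. The keyword and pattern detectors are deliberately simple; in practice they would be extended from the categories recorded in the Information Asset Register, and every high-scoring file would still be read by a person before a notification decision is made.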
Work with service teams to prepare a holistic response
Work with colleagues in services whose data might be affected and make preparations for a joined-up response in the event of data having been compromised. For example, make sure you have a clear plan for how notifications will be made and how support will be offered.
Make sure that safeguarding leads are included in this process so any potential risks associated with higher sensitivity data sets are fully considered and planned for.
Work proactively with third party data owners
Engage with third parties whose data might be at risk during the incident. Develop a shared plan and agree jointly how you will respond if the data is published.
Take expert advice to inform decisions on whether and how to notify affected individuals. Where possible, develop worked examples to show how you will make those judgements and support teams in applying them consistently.
Working with external partners and expert advisors
Depending on the types of data that are potentially at risk, you may need to work with law enforcement agencies (for example, the police or NCA) as part of your response, if you are not doing so already. Prepare for this as early as possible and include plans for any data sharing and transfer that might be needed as part of this.
Communicate with care and empathy
Remember that data subjects may be distressed by their data having been stolen. Ensure your response is empathic, reassuring and builds confidence in the risk mitigations that you will take.
Anticipate potential for tensions between competing perspectives on what can and should be communicated. Put residents first, while being mindful and respectful of why care is needed in what you communicate. Apply this consistently across individual conversations and notifications, or information that you broadcast through media or online channels. Use your overall emergency planning processes to coordinate communications from the organisation.
Have a plan for the advice you will provide to individuals who contact the council looking for reassurance and advice. Provide clear guidance on steps they should take to protect against potential threats to their data. This might include offering identity fraud protection for people whose financial data is affected, or other support from council services/partners.
You may not be able to remove data if it has been published to the dark web and other data impacts may emerge over time. Plan for how you will mitigate those risks and how you can ensure that any later actions are consistent with the steps you have taken in the initial stages of your response.
Regaining trust will take a long and sustained effort. Reflect this in your comms and make sure you explain the steps that you are taking to minimise information risks and respond to future potential threats.
Use what you’ve learned through the planning and delivery of your response to consider where you can or should update policies, processes and data you hold to help you to reduce future risks further.