
Dealing with a data breach


Key Learnings

  • Set and reinforce expectations about data and information security regularly, from background checks to induction and regular training.
  • Collect, store and keep only relevant and necessary customer and employee information.
  • Keep a detailed inventory of the data you process and use this to identify any breaches and improve your processes.
  • Invest in cybersecurity programmes and keep them up to date.
  • Deal with employee breaches quickly and use gradually more serious measures as needed.

Good security measures are vital for companies, but they are often overlooked until an issue arises. In an increasingly digital world, as data guidelines and restrictions grow in number, and the repercussions for data breaches grow with them, business security is of the utmost importance. Here are some tips from uCheck on how to protect sensitive company information, and what to do if an employee shares it.


1. Start with checks and training

Some due diligence at the start of your relationship with your employee will help to signal that you take the security of your company’s information seriously. Ensure that your recruitment process includes thorough employee background checks. Once you appoint somebody, give them clear instructions on how your company manages data and information during their induction. Send reminders regularly and carry out refresher training to help keep the importance of proper handling top of mind for everyone.

2. Protect customer data

In 2018, the General Data Protection Regulation (GDPR) came into force across Europe (followed by the UK GDPR after Brexit), with much stricter rules on how companies gather, use and store customer data. These measures also make companies more legally liable if they are responsible for a breach. The maximum fine is €20m or 4% of worldwide turnover. Some eye-wateringly high fines have already been issued, including €50m for Google’s breach in 2019.

To reduce this risk, collect, store and keep only relevant and necessary customer and employee information. Many companies collect as much data as possible and have no process in place to delete it once it is no longer needed. Streamline what you gather instead: if you don’t need a customer’s home address, don’t collect it.

If a hacker were to gain access to customer information, these precautions would limit the amount of information available to them. For example, if you only need customer data for a certain period of time to communicate about a specific delivery, event or competition, you should have a process in place to delete that data once the deadline has passed.

3. Keep track of what data you have

For the information the business does need to store, keep a detailed inventory of what data you have, where it is saved, and who has access to it. This helps you keep track of your data, identify data that is no longer needed, and highlight data that is at risk of a breach because of the type or number of devices it is stored on.

Keeping track of data this way will also help you identify the source of a breach quickly if one does occur, so that you can fix it promptly. You can also use your inventory to investigate weaknesses in your existing processes and update them to ensure the same thing can’t happen again.
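The retention process from section 2 and the inventory from section 3 are easier to act on when the inventory is a machine-readable record rather than a spreadsheet nobody reads. The following is an added example, not code from uCheck or this article: it models a small data inventory, lists datasets whose retention period has passed (so they should be deleted), and checks a simple access log against each dataset's authorised users, flagging both access by unlisted people and access to data the inventory does not know about. The inventory entries, user names, dataset names, retention periods and the log format are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed data inventory (not real data). Each record states what the
# data is, where it is kept, who is allowed to access it, when it was
# collected and how long it may legitimately be retained.
INVENTORY = [
    {"dataset": "customer-delivery-addresses", "location": "crm-db",
     "authorised": {"alice", "bob"}, "collected": date(2024, 1, 10),
     "retention_days": 60},
    {"dataset": "employee-hr-records", "location": "hr-file-share",
     "authorised": {"carol"}, "collected": date(2023, 6, 1),
     "retention_days": 3650},
    {"dataset": "competition-entries", "location": "marketing-spreadsheet",
     "authorised": {"dave"}, "collected": date(2024, 2, 20),
     "retention_days": 30},
]

# Constructed access log, one event per line: "<date> <user> <dataset> <action>".
ACCESS_LOG = """\
2024-03-01 alice customer-delivery-addresses read
2024-03-02 mallory customer-delivery-addresses export
2024-03-02 carol employee-hr-records read
2024-03-03 bob competition-entries read
2024-03-04 alice shadow-export.csv read
"""


def expired_datasets(inventory, today):
    """Return the names of datasets whose retention period has passed."""
    expired = []
    for record in inventory:
        delete_after = record["collected"] + timedelta(days=record["retention_days"])
        if today > delete_after:
            expired.append(record["dataset"])
    return expired


def parse_access_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        day, user, dataset, action = line.split()
        events.append({"date": date.fromisoformat(day), "user": user,
                       "dataset": dataset, "action": action})
    return events


def unauthorised_access(inventory, log_text):
    """Flag events by users not on the dataset's authorised list, and events
    touching data that the inventory does not know about at all."""
    by_name = {r["dataset"]: r for r in inventory}
    findings = []
    for event in parse_access_log(log_text):
        record = by_name.get(event["dataset"])
        if record is None:
            reason = "dataset not in inventory"
        elif event["user"] not in record["authorised"]:
            reason = "user not authorised"
        else:
            continue
        findings.append({**event, "reason": reason})
    return findings


if __name__ == "__main__":
    today = date(2024, 3, 15)
    print("Past retention, should be deleted:", expired_datasets(INVENTORY, today))
    for f in unauthorised_access(INVENTORY, ACCESS_LOG):
        print(f"{f['date']} {f['user']} {f['action']} {f['dataset']}: {f['reason']}")
```

The "dataset not in inventory" finding is the useful one in practice: a file being accessed that nobody has catalogued is exactly the shadow copy that a data inventory is meant to surface, and it is the first thing to look at when working out where a leak came from.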

4. Update cybersecurity programmes

A vital step in protecting your company information is to invest in a good cybersecurity programme. Such programmes can be expensive, but they are a worthwhile investment, as they could save you from hefty fines in the long run.

Once you have your cybersecurity programme in place, make sure that you install all updates as soon as they are released, so that you are always protected from the latest security threats.

5. Limit exposure to sensitive information

Another source of information leaks is employees within the business. Employees often have access to sensitive information about other employees, and to customer data, for work purposes; this potential source of breaches presents its own set of problems.

One way of combating this is to limit the exposure of sensitive information as much as possible. Have a clear company policy on appropriate uses of employee and customer information. Make sure the consequences of any policy violations are clearly stated.

Share the policy with all new and existing employees. If possible, get employees to sign an agreement stating that they have read and understood the policy and the importance of protecting company information. This can help instil a culture of confidentiality before any issues arise.

6. What to do if an employee 'spills the beans'

Although you should take precautionary measures to prevent employees, past or present, from sharing sensitive information, if it does occur, gather whatever evidence you can that proves it.

Use your data inventory to see if any unauthorised people are accessing company data. If you believe a breach has occurred, ensure you follow the correct steps to preserve any available evidence of the breach.

If a disgruntled former employee is spreading company information, or making defamatory claims, the first step is to try reaching out to them and see if you can come to an agreement.

If this doesn’t have the desired result, consider taking legal action against them. You will have to prove that their words have had a direct and significant financial impact on the business. There may be a mediation period to try to reach a resolution.

If mediation fails, you can consider starting court proceedings, but this can be a lengthy and costly process, so it should be a last resort.

Ultimately, try to foster a positive working environment with clear rules and policies around the sharing of sensitive information, and tight security measures to limit any potential risks. Hopefully, these steps will protect your information, and keep employees happy, which is likely to limit the possibility of them moving on and sharing confidential customer information.

Next steps...

  • Create or review your inventory of data.
  • Determine who in your company has access to what information – limit sensitive information.
  • Create processes for deleting data in a timely manner.
  • Consider investing in a cybersecurity programme and ensure it is regularly updated.
  • Review due diligence in your recruitment process and what background checks are involved – uCheck can assist you with this.
  • For more information check out our article on Staying Safe from Cyber-Threats.
