In today’s bulletin, Charlie discusses communicating with individuals who have been affected by a loss of data and provides an insight into how these individuals can protect themselves in the future.

I have been waiting to write this bulletin for a while but needed to find the time to do the research needed. This week, I have taken the plunge and I am looking at what advice an organisation should give to those impacted by a data breach so they can protect themselves from further harm. Under the UK GDPR breach notification rules enforced by the ICO, if your organisation has lost personal data and the breach is likely to result in a high risk to the people concerned, you must tell them without undue delay that their data has been, or might have been, breached.

Good practice also says that you should give customers advice on how to protect themselves. They are already victims because you have lost their data; you do not want them to become victims again because that loss makes further scams and harm easier. I believe organisations should have this guidance written in advance of a breach, in the same way that they may have pre-written statements, so that on the day of a data breach they are not rushing around trying to get the text written and approved. If the text gives misleading advice, the organisation may expose itself to further criticism at best and, at worst, to a class action.

Before you even start thinking about drafting the text, you should do what we call a data risk assessment – your organisation should look at whose data it holds, the nature of that data, and the impact if that data is lost. Depending on the nature of the data, this may influence what information you provide as part of the advice.

It may be names, addresses, dates of birth and bank account details that criminals could use directly to commit fraud, or it could be more detailed information about the relationship between the organisation and the individual that fraudsters can use to make a scam convincing. If a housing association loses its residents' database, including details of services provided, a fraudster can ring a person knowing their name and telephone number and then convince them it is the housing association calling by confirming something only the association would know, such as recent repair work carried out on their door. The fraudster can then say "That work you had carried out on your door – we forgot to charge you for the paint, which cost £10. Would it be possible to pay by credit card over the phone?". Because the person about to be defrauded recognises that they had the work done, they are often convinced by the call and hand over their credit card details. Fraudsters can often estimate a person's age from their first name, and they will likely target those they judge to be older first.

You may also decide whether to provide credit monitoring to those affected as part of your mitigation plan. Some organisations, such as SEPA (the Scottish Environment Protection Agency), have provided credit monitoring to their staff but not to everyone on their customer database. If it is offered, a plan for purchasing and implementing the service, explaining it to recipients, and providing the support that goes with it should be prepared in advance. There is also Cifas Protective Registration, which can be cheaper than credit monitoring.

Cifas Protective Registration is a fraud prevention service designed to help people who may be at risk of identity theft, for example following a data breach or other loss of personal information. For £30 for two years, Cifas places a Protective Registration marker against an individual's details, alerting its member organisations to carry out additional identity checks before approving applications for credit, financial products or other services in that person's name.

The first step is to think through what information could be lost and what possible frauds could be committed using it. You then need to craft the letter or email.

The following are some of the items which you should include in your letter or email:

  1. According to ICO guidance, you must describe, in clear and plain language, the nature of the personal data breach, and the information that needs to be provided to those affected includes at least:
    a. the name and contact details of any data protection officer you have, or another contact point where more information can be obtained;
    b. a description of the likely consequences of the personal data breach; and
    c. a description of the measures taken or proposed to deal with the personal data breach and, where appropriate, a description of the measures taken to mitigate any possible adverse effects.
  2. Ask people to change their password on the site that has suffered the data breach and, if they reuse that password elsewhere, to change it on those sites too. The organisation can also force a password reset on all users. The City of Edinburgh Council forced a mass network password reset after detecting a targeted spear-phishing attack on its schools and early years IT network. Be aware that you will need additional helpdesk staff to deal with the enquiries a forced reset is likely to generate. The advice should also cover using strong, unique passwords.
  3. Be vigilant for emails, telephone calls or SMS messages from fraudsters who may use information from the breach to make their communications seem legitimate. Warn people about requests to log in and verify their account via links which may lead to fraudulent websites designed to harvest their data.
  4. Decide how people will be told, or how they can verify, whether they have been affected. In your preparation, think through how you would contact those impacted by a data breach and whether you have the necessary contact details, such as postal or email addresses.
  5. Give them a helpline number for the organisation if they want to confirm a call is genuine. Think through how you might cope if you receive a high volume of calls.
  6. Give them information on where they can find further information, contact the organisation safely, and obtain additional help and advice. This could include questions and answers on the organisation’s website.
  7. Advise people to check their online accounts to confirm there has been no unauthorised activity. Things to look out for include:
    a. being unable to log into your accounts;
    b. changes to your security settings;
    c. messages or notifications sent from your account that you do not recognise;
    d. logins or attempted logins from unusual locations or at unusual times.
  8. Advise people that they can check whether their email address has appeared in known breaches by using sites such as Have I Been Pwned, bearing in mind that the breach you are notifying them about may not yet be listed there.
  9. Explain what people should do if they think they have been a victim of fraud.
  10. Ensure that your advice is written in plain English and is easy to understand. Consider the data you hold and whether the advice should also be available in other languages, and whether it takes into account people with disabilities.
  11. Think through what type of language will be used. Will it be legalistic language, which people often spot immediately and find impersonal, or will it be more human and empathetic?
  12. Think through who will sign off the advice, and whether the letter or email will be signed by a named individual. Consider what else it should include and whether an apology will be given.
  13. Think through who will take responsibility for the work associated with carrying out this notification.
  14. Remember that informing those impacted by a breach, where it is likely to result in a high risk to them, is a legal requirement enforced by the ICO.
  15. It may be worth showing this video to staff involved in responding to a data breach so they understand the impact it can have on people’s lives.

There are some good examples of letters that have been sent out by organisations available on the web, and they could be a useful starting point. However, as part of your organisation’s preparation for responding to a cyber incident, this guidance should be written in advance.
