Incident response policy

Despite explicit guidelines for securing confidential electronic data, breaches can still occur. At such times, it is important that Crick Software responds as quickly as possible. Computer theft or loss should be reported immediately to the line manager.

Steps that we will take in the event of a data security breach are as follows:

1. Determination of the nature and scope of a breach

  • Identification of the person reporting the breach (name, contact info, etc.)
  • Record of the location, timeframe, and apparent source of the breach
  • Preliminary identification of confidential data that may be at risk

2. Communication

  • Data protection team
  • Law enforcement (depending on the nature/scope of theft)

3. Investigation

  • Identify whether data remains exposed through the breach source (take immediate steps to contain it)
  • Conduct preliminary analysis
  • Prepare inventory of data at risk
  • Determine if exposed data were encrypted
  • Identify security measures that were defeated (and by what means)

4. Assessment of breach

  • Identify affected individuals at risk of identity theft or other harm
  • Assess financial, legal, regulatory, operational, reputational and other potential institutional risks

5. Remediation

  • Implement password changes and other security measures to prevent further data exposure
  • Determine if exposed/corrupted data can be restored from backups; take appropriate steps
  • Determine if value of exposed data can be neutralized by changing account access, ID information, or other measures

6. Notification

Based on the assessments above, the Data Protection Team will decide whether the breach incident needs to be reported to the ICO or the data subjects. Either way, the breach will need to be added to the breach log to include the following points:

  • Nature and scope of breach
  • General circumstances of the breach (e.g., stolen laptop, hacked database)
  • Approximate timeline (e.g., date of breach discovery)
  • Steps that Crick Software has taken to investigate and assess the breach
  • Any involvement of law enforcement or other third parties
  • Appraisal of any misuse of the missing data
  • Steps we are taking to prevent future breaches of this nature

7. Post-incident follow-up

Following a data security breach, Crick Software will:

  • Take steps to ensure that missing data cannot be used to access further information from our servers
  • Pursue with law enforcement all reasonable means to recover lost data and equipment
  • Review and modify as needed all procedures, governing systems, administration, software management, database protections, access to hardware, software, equipment, etc., to prevent future data breaches of a similar nature
  • Take appropriate action if staff negligence or the behaviour of others caused or contributed to the incident