Investigate the facts underlying the data breach

Being able to make decisions quickly depends on establishing the facts as soon as possible. The incident management (IM) team needs to understand:

  • the details of the incident, for example:
    • the nature and scale of the breach, including types of data affected, identity, number and location of affected individuals, security measures taken in relation to the data (eg encryption), location of compromised servers, attacker location (if relevant), what format the data was held in, whether there is evidence that the data has been misused or published
    • the cause of the information breach, including the timeline
    • the individuals within the company involved and any external parties
    • whether external parties’ information was the subject of the breach
  • actions taken so far to minimise breach impact and to recover data, including timing
  • which authorities have been involved so far (if any)

The IM team should take urgent steps to assess the extent of the actual or potential damage caused by the data breach. Establish as soon as possible:

  • has any further data been put at risk?
  • has further cyber security risk been identified?
  • what are the potential risks for the individuals affected (eg fraud risk)?
  • what are the immediate practical and legal consequences for the company?