Identifying the information and investigating the information breach

Being able to make decisions quickly depends on establishing the facts as soon as possible. The incident management (IM) team need to understand:

  • the nature of the information (if it includes personal data, please see the section "A loss or theft of personal data")
  • the nature of the breach (in what format was the data held? Was it encrypted? Was the information stolen, misused or disclosed inadvertently? If the information was misused, how was it misused? Was the information published?)
  • the cause of the information breach, including the timeline
  • the individuals within the organisation involved and any external parties
  • whether external parties' information was the subject of the breach

Make sure that any required investigations (for instance, into employees' email) comply with applicable data protection/privacy law.

The IM team should assess the extent of the actual or potential damage. They should establish:

  • if any further information has been put at risk
  • the immediate practical and legal consequences for the organisation
  • the practical and legal implications for external parties whose information has been disclosed