Data security breaches are increasingly common occurrences whether these are caused through human error or via malicious intent. As technology trends change and the creation of data and information grows, there are more emerging ways by which data can be breached. This document therefore outlines Bidlogix’s robust and systematic process for responding to any reported data security breach, to ensure it can act responsibly and protect its information assets as far as possible.
The aim of this policy is to standardise the company-wide response to any reported data breach incident, and ensure that they are appropriately logged and managed in accordance with generally accepted best practice guidelines. Adopting a standardised consistent approach to all reported incidents aims to ensure that:
- Incidents are reported in a timely manner and can be properly investigated
- Incidents are handled by appropriately authorised and skilled personnel
- Appropriate levels of management are involved in response management
- Incidents are recorded and documented
- The impact of each incident is understood and action is taken to prevent further damage
- Evidence is gathered, recorded and maintained in a form that will withstand internal and external scrutiny
- External bodies or data subjects are informed as required
- The incidents are dealt with in a timely manner and normal operations restored
- The incidents are reviewed to identify improvements in policies and procedures
- Gathered evidence can be used to plan and take preventative action against future breaches.
A data security breach is considered to be “any loss of, or unauthorised access to, Bidlogix hosted data”. Examples of data security breaches may include, but are not limited to:
- Loss or theft of data or equipment on which data is stored
- Unauthorised access to confidential or highly confidential Bidlogix Data
- Equipment failure
- Human error
- Unforeseen circumstances such as a fire or flood
- Hacking attack
- ‘Blagging’ offences where information is obtained by deceit
For the purposes of this policy data security breaches include both confirmed and suspected incidents.
This company-wide policy applies to all company information, regardless of format, and is applicable to all employees, contractors and data processors acting on behalf of Bidlogix.
Any individual who accesses, uses or manages the Bidlogix system is responsible for reporting actual, suspected, threatened or potential information security incidents and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage.
Bidlogix Management are responsible for ensuring that all employees act in compliance with this policy and assist with investigations as required.
Lead Responsible Officers
Lead responsible officers will be responsible for overseeing management of the breach in accordance with the Data Breach Management Plan. Suitable delegation may be appropriate in some circumstances.
In the event that the Incident Management Team need to be contacted, they can be contacted on 0845 056 1277 or at email@example.com.
Data security breaches will vary in impact and risk depending on the classification of the data involved, so it is important that the company is able to quickly identify the classification of the data and respond to all reported incidents in a timely and thorough manner. All reported incidents must be assigned the appropriate data classification in order for an assessment of risk to be conducted (see Section 7 for details). Data classification referred to in this policy means the following approved Data Categories:
Public Data:
Information intended for public use, or information which can be made public without any negative impact for the company.
Internal Data:
Information regarding the day-to-day business of the company. Primarily for employees, though some information may be of interest to third parties who work with the company.
Confidential Data:
Information of a more sensitive nature for the business operations of the company, representing its basic intellectual capital and knowledge. Access should be limited to only those people that need to know as part of their role within the company.
Highly Confidential Data:
Information that, if released, would cause significant damage to the company's business activities or reputation, or would lead to a breach of the Data Protection Act. Access to this information should be highly restricted.
Data Security Breach Reporting
Confirmed or suspected data security breaches should be reported promptly to the Bidlogix Service Desk as the primary point of contact on 0845 056 1277, email: firstname.lastname@example.org. The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved. For a list of the details to be included when reporting a data security breach please see Appendix 1.
Once a data breach has been reported, an initial assessment will be made to establish the severity of the breach. A Lead Responsible Officer will be assigned based on this assessment (see Appendix 2).
All data security breaches will be centrally logged in the Service Desk tool to ensure appropriate visibility of the types and frequency of confirmed incidents for management and reporting purposes.
Data Breach Management Plan
The management response to any reported data security breach will involve the following four elements. See Appendix 3 for suggested checklist.
A. Containment and Recovery
B. Assessment of Risks
C. Consideration of Further Notification
D. Evaluation and Response
Each of these four elements will need to be conducted in accordance with the Data Breach Checklists (see Appendix 3). All activities related to incident management will be recorded in Service Desk.
Employees, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.
The Bidlogix Management team will monitor the effectiveness of this policy and carry out regular reviews of all reported breaches.
Information Security Incident Management Plan:
Please see our Information Security Incident Management Plan.
Appendix 1: Incident Reporting Details checklist
- Description of the Data Breach
- Time and Date breach was identified and by whom
- Who is reporting the breach (Name, Position, Department/Organisation)
- Contact details (Email & telephone)
- Classification of data breached (Public Data, Internal Data, Confidential Data, Highly Confidential Data)
- Volume of data involved
- Confirmed or suspected breach?
- Is the breach contained or ongoing?
- If ongoing what actions are being taken to recover the data
- Who has been informed of the breach?
- Any other relevant information
Appendix 2: Evaluation of Incident Severity
The severity of the incident will be assessed per the Information Security Incident Management Plan (by Bidlogix Management during office hours, or by the Chief Executive Officer/Client Services Manager outside office hours). The assessment will be made based upon the following additional data breach-specific criteria:
| Severity | Contact |
|---|---|
| Critical (Major Incident) | Lead Responsible Officer |
| | Other relevant contacts |
| High (Serious Incident) | Lead Responsible Officer |
| | Other relevant contacts |
| Medium (Minor Incident) | Lead Responsible Officer |
| | Other relevant contacts |
Appendix 3: Data Breach Checklists
Containment and Recovery
To contain any breach, to limit further damage as far as possible and to seek to recover any lost data.
- Lead Responsible Officer to ascertain the severity of the breach and determine whether any personal data is involved.
  - See Appendix 2 (and the Information Security Incident Management Plan).
- Lead Responsible Officer to share a copy of the data breach report with the Bidlogix Management team.
  - Purpose: to oversee the full investigation and produce a report. Ensure that appropriate resources are assigned to the incident. If personal data has been breached, assess and, if necessary, ensure that communication is sent to the relevant external parties.
- Identify the cause of the breach and whether it has been contained. Ensure that any possibility of further data loss is removed or mitigated as far as possible.
  - Establish what steps can or need to be taken to contain the breach and prevent further data loss. Contact all relevant parties who may be able to assist in this process. This may involve actions such as taking systems offline or restricting access to systems to a very small number of users until more is known about the incident.
- Determine whether anything can be done to recover any losses and limit any damage that may be caused.
  - E.g. physical recovery of data/equipment or, where data has been corrupted, restoration from back-ups.
- Where appropriate, the Lead Responsible Officer to inform the police.
  - E.g. stolen property, fraudulent activity, or an offence under the Computer Misuse Act.
- Ensure that all key actions and decisions are logged and recorded in Service Desk.
Assessment of Risks
To identify and assess the ongoing risks that may be associated with the breach.
- What type and volume of data is involved?
  - Data classification, volume of individuals' data, etc.
- How sensitive is the data?
  - Sensitive personal data, either by virtue of its definition within the Data Protection Act (e.g. a health record) or sensitive because of what might happen if it were misused (e.g. banking details).
- What has happened to the data?
  - E.g. if data has been stolen, it could be used for purposes which are harmful to the individuals to whom the data relate; if it has been damaged, this poses a different type and level of risk.
- If the data was lost/stolen, were there any protections in place to prevent access/misuse?
  - E.g. encryption of the data/device (noting whether the key or passphrase could also have been compromised).
- If the data was damaged/corrupted/lost, were there protections in place to mitigate the impact of the loss?
  - E.g. back-up tapes/copies.
- How many individuals' personal data are affected by the breach?
- Who are the individuals whose data has been compromised?
  - Customers, bidders, staff, suppliers?
- What could the data tell a third party about the individual? Could it be misused?
  - Consider this regardless of what has happened to the data. Sensitive data could mean very little to an opportunistic laptop thief, while the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people.
- Is there actual or potential harm that could come to any individuals?
  - E.g. are there risks to:
- Are there wider consequences to consider?
  - E.g. a risk to public health or loss of public confidence in an important service we provide?
- Are there others who might advise on risks/courses of action?
  - E.g. if individuals' bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help you prevent fraudulent use.
Consideration of Further Notification
Notification is to enable individuals who may have been affected to take steps to protect themselves, or to allow the regulatory bodies to perform their functions.
- Are there legal, contractual or regulatory requirements to notify?
  - E.g. regulations, contractual obligations.
- Can notification help Bidlogix meet its security obligations under the Data Protection Act/General Data Protection Regulation (GDPR)?
  - E.g. prevent any unauthorised access to, use or damage of the information, or loss of it.
- Can notification help the individual?
  - Could individuals act on the information provided to mitigate risks (e.g. by changing a password or monitoring their account)?
- If a large number of people are affected, or there are very serious consequences, inform the Information Commissioner's Office (ICO). Note that the GDPR requires notifiable breaches to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, so the assessment must be completed promptly.
- Contact and liaise with the Chief Executive Officer and legal counsel as appropriate.
- Consider the dangers of ‘over-notifying’.
  - Not every incident will warrant notification, and ‘notifying a whole 2 million strong customer base of an issue only affecting 2000 customers may well cause disproportionate enquiries and work’.
- Consider whom to notify, what you will tell them and how you will communicate the message.
- Consult the ICO guidance on when and how to notify it about breaches.
- Consider, as necessary, the need to notify any third parties who can assist in helping or mitigating the impact on individuals.
  - E.g. police, insurers, professional bodies, funders, website/system owners, bank/credit card companies.
Evaluation and Response
To evaluate the effectiveness of the organisation's response to the breach.
- Establish where any present or future risks lie.
- Consider the data and contexts involved.
  - E.g. what data is held, its extent, sensitivity, where and how it is stored, and how long it is kept.
- Consider and identify any weak points in existing security measures and procedures.
  - E.g. in relation to methods of storage and/or transmission, use of storage devices, levels of access, systems/network protections.
- Consider and identify any weak points in levels of security awareness/training.
  - Fill any gaps through training or tailored advice.
- Report on findings and implement recommendations.
  - Report to the Bidlogix Management team.