Data breaches have been in the news a lot lately. From cyberattacks to accidental and deliberate disclosures, data breaches are hitting the headlines more and more. They are a very real risk to organisations and, depending on their severity, can be catastrophic.
What is a data breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
They can be internal or external, large or small, reportable or non-reportable, and they happen all the time. The ones I typically help clients work through include:
- Someone forgetting to BCC.
- Someone sending something to someone they shouldn’t have.
- Someone overwriting a master template instead of saving a copy. The personal data now included on the master template goes unnoticed by the next person to use the template and is inadvertently shared with a third party.
- Someone using the wrong exclusions or forgetting to include exclusions when pulling a direct marketing list.
- Someone’s device being lost/stolen.
- Paper records going missing.
- Someone falling for a phishing attack.
Mistakes happen. We’re all human. If I could get organisations to do one thing it would be to create a culture where when people mess up (because people do), they recognise it, own up to it, and then learn from their mistake. The same goes for the organisation itself: did its existing policies and processes work, or could they be improved? Is a new policy or process needed? Every data breach should be reported, recorded, and learned from. What can you do to make sure it doesn’t happen again?
Newsround…
I’m going to take a look at some breaches that have occurred in the arts and cultural sector.
The first is WordFly, which I’ve written about before. Back in summer 2022, WordFly announced they had been breached, but at the time they couldn’t say which of their users’ data had been caught up in it. A period of uncertainty followed, during which it transpired that any personal data that had ever been uploaded to WordFly was at risk. Apparently WordFly never deleted anything. Ever. They do now! From January this year, they implemented a very welcome retention policy as well as two-factor authentication. It’s taken them a while, but it’s good to know that they’re no longer keeping data forever.
In December 2022, the New York Metropolitan Opera was the victim of a cyberattack that compromised the personal information of over 45,000 employees and patrons. The personal data breached included full name, financial information, social security number, driver’s licence number, as well as full payment card details. The data later appeared on the dark web, prompting a class action lawsuit. The breach also knocked out the Met’s box office making it impossible to sell, exchange or refund tickets for over five days. It also took out their payroll system forcing them to manually write and issue cheques for some of their 3,000+ employees.
More recently, in October 2023 the British Library was also the victim of a cyberattack which saw their customer and employee data stolen. At the time the Library said “The outage is affecting our website, online systems and services, as well as some onsite services including our reading rooms and public wifi. We anticipate restoring many services in the next few weeks, but some disruption may persist for longer.” Their website was down for almost a month. After refusing to pay the £600,000 ransom, the hackers released over 500,000 records on the dark web. The British Library are still dealing with it.
And outside the cultural sector, there’s been:
- The ‘Mother of all Breaches’ with 26 BILLION records leaked from Dropbox, LinkedIn, and X
- David Walliams sued and eventually settled with Britain’s Got Talent producers Fremantle, after his personal data (derogatory comments about contestants) was leaked.
- Just this week, Southern Water has said 5-10% of their customer data has been stolen in a cyberattack.
So, what can you do?
First of all, plan for one. A few years ago, organisations would talk about what they would do “if” they got breached; now it’s “when”. To make your life easier when the time comes, you need:
- A clearly identified person / contact to report any data breaches to.
- An internal breach reporting form that guides staff on what information to collect when they spot one. This will help your data protection lead to respond to the situation more quickly as they’ll have the facts ready to hand.
- A data breach register – you should record all breaches, whether they are reportable or not. This is a key requirement of the transparency and accountability principles.
- A data breach policy that details how the organisation will assess the risks of any data breach and what they will do depending on the outcome of the risk assessment.
- Train your staff. Everyone needs to be able to recognise a data breach. A few key people in the organisation will also need to know what to do once one has been recognised and reported.
And, while we’re on the topic of training, providing cybersecurity training to staff is a proactive and crucial investment. It helps you to mitigate risks, protect assets, and foster a culture of cybersecurity awareness.
And when a breach does happen:
- Don’t panic.
- Start the timer – if you do decide to report the breach to the Information Commissioner’s Office (ICO), you have 72 hours, and the clock has started ticking.
- Gather the facts – What kind of breach was it – digital or paper? What types of data did it involve? Does the data affected include data of under 18s? How many people are potentially affected? What happened?
- Try to contain it – for example, if you’ve accidentally shared something with someone you shouldn’t have, call them and ask them to delete it. If your laptop has been lost or stolen, let IT know asap so they can remotely wipe it.
- Tell your organisation’s data protection lead – they will use the information you’ve gathered to assess the risk, decide if any further action is needed, and determine whether to report it to the ICO. They will also log a summary of the breach internally on your organisation’s register.
Remember, the sooner you spot and report a data breach the better. And, if you’re not sure if a breach is reportable or not, you can always use the ICO’s self-assessment tool to help you decide.
Kate Fitzgerald Consulting Limited offers a range of data protection support for arts and cultural organisations. From regular retainer support to documentation reviews and staff training, we can support you with your data protection needs. If you would like a chat to discuss any needs you may have, do get in touch – we’d love to hear from you.
