Hecatomb in your data: do you know what to do?


Mark Evans and John Salloum. Sources: LinkedIn and Osler website

There are two types of companies: those who have been the target of a security breach and whose data has been compromised… and those who are unaware that they have been victims of such a leak.

In the latter case, a data leak can go on for up to 9 months before it is discovered and plugged, says Mark Evans, director of sales at ActiveNav, an American company specializing in data protection.

“The cost of an incident where the data is compromised is up to 10 times higher than the cost of its prevention,” adds John Salloum, a partner at Osler in the Privacy and Information Management group.

Both were leading a seminar on data breaches and information governance at the latest conference of the Canadian Association of Corporate Counsel (CCCA), which Droit-Inc attended last May.

“Do you know if your company has a protocol to follow when data security is compromised? And, above all, is this protocol up to date?” asks John Salloum, noting that far too many corporate legal departments don’t have a clear governance policy around data management.

The ingredients of risk management

Managing the risks posed by the lack of security in the production, use and management of data requires having an overview of the situation, explains Mark Evans.

“This requires an operational framework. This framework is based on four major axes, which will constitute the pillars on which a risk management policy will be based.”

The structure: this is the organization chart of the people and departments involved in data management. Who is responsible for what, when, and in what situations?

The idea is to map the different parties involved and identify the needs and gaps in the organization to implement risk management.

The strategy: plan a strategy that lets you know where you stand and determine what is missing in order to have a data management policy and an incident management protocol.

Knowledge inventory: taking stock of the technical and operational knowledge of each of the parties involved in risk management is also essential. Too often, a company adopts a new technology without really knowing the skills needed to take advantage of it, which undermines risk management.

“We want people to know how to use the information and the tools needed to generate it in the right way, in order to manage risk upstream,” continues John Salloum.

The tools: be familiar with the systems by which data is generated and accumulated: electronic evidence management tools, office suites, databases, cloud computing. Everyone in the chain must know how to use them.

The processes to put in place

Data inventory: detail where the data comes from and where it goes, how it is kept, and so on. Amid the cacophony of regulatory requirements that apply, and that vary according to the type of data collected, having a clear and detailed mapping of the inputs and outputs of all the data used by the company is crucial.

Data destruction process: it is also necessary to know when and how to get rid of data. “Accumulating data is very easy, but this accumulation increases the risk of data being stolen or misplaced,” according to John Salloum.

Follow-up and review: in addition, reviewing and monitoring updates to tools and protection systems is obviously a key procedure in risk management.

Continuous review: these processes must also be continuously reviewed in order to adapt them to new situations and emerging risks.

Prepare for an incident

“Deploying a strategy to manage an incident should not be done in the heat of the moment,” says John Salloum.

Who? Communications, IT, legal, and management should participate in a response team, especially since the data breach could force the company to make a business decision.

What? Having a good understanding of the affected data is not enough. You need an action plan. How do we handle the problem? Who will inform customers, and with what information? Where do the final decisions come from? These are the kinds of details you need to know before an emergency.

An internal and external communication plan is of course necessary.

How? It is also necessary to run scenario simulations. How do you handle a really unhappy customer? What if a manager starts micromanaging everyone? These are the kinds of scenarios you have to be able to anticipate, because anything can happen: data theft by an employee is not managed in the same way as a cyberattack.

Preparation: in addition, carrying out incident simulations and preparedness exercises makes it possible to identify shortcomings.

Respond to disaster

The disaster has occurred? The first thing to do is to stem the leak and seal the breach. Stop the damage first and foremost.

Only then should the risks, and the damages, that may result from the incident be assessed. Was financial information or personal customer data stolen? “Knowing from the outset what is going on will condition subsequent actions,” explains John Salloum.

It will then be necessary to inform the company’s stakeholders: the regulatory authorities, the customers, the suppliers… and to do this, it is necessary to be able to explain what happened, what was done to contain the situation, and what the affected parties can do on their part to mitigate the risk posed by the data leak.

Finally, the aftermath of a data leak should give rise to a debrief on the event: what went wrong? Were there any gaps in the response or the preparation?

And finally, what steps need to be taken for the future?