Data Breach Notification Process

1. Introduction

A data breach involving sensitive client data, such as login credentials, personal information, or payment details, requires a clear and compliant notification process.

2. Incident Identification and Assessment

  • Determine whether a genuine data breach has occurred, such as unauthorised access to, exfiltration of, or exposure of sensitive data.
  • Evaluate the impact of the breach on client data. Classify the breach based on severity (minor, moderate, or significant).

3. Containment and Eradication

  • Immediately isolate systems to prevent further exposure.
  • Remove unauthorised access, patch vulnerabilities, and secure affected systems.

4. Notification of Affected Clients

  • Notify affected clients as soon as the breach is confirmed, and within 48 to 72 hours of discovery.
  • Notify by email, with follow-up calls for critical clients or on request.
  • Describe the breach and what data was affected.
  • Outline actions taken to address the breach (e.g., containment, eradication, system restoration).
  • Advise clients on what they should do to protect themselves (e.g., change passwords, monitor accounts for unusual activity).
  • Provide contact details for client support and inquiries.

5. Regulatory Reporting

  • Report the breach to the ICO within the mandated timeframe (typically 72 hours).
  • Provide full details of the breach, including:
      ◦ Nature of the breach.
      ◦ Type of data affected.
      ◦ Number of individuals affected.
      ◦ Measures taken to address the breach.
      ◦ Measures taken to prevent future incidents.

6. Ongoing Client Support

  • Offer clients assistance with securing their accounts, including password resets, identity theft monitoring services, or direct support for additional actions.
  • Provide ongoing communication to ensure clients are fully informed of any updates or developments regarding the breach.
  • Conduct a thorough investigation of the breach’s root cause, the extent of the damage, and the effectiveness of the response.
  • Provide affected clients with a full post-breach report, including an explanation of how the breach occurred, steps taken to address it, and any security measures introduced to prevent recurrence.
  • Identify and implement corrective actions to prevent future breaches, such as enhanced encryption, multi-factor authentication, or better access control.

7. Documents

This document must be read in conjunction with, and forms part of, The Agency’s complete set of policies and agreements:

  • Your Project Proposal
  • Your Client Agreement
  • Our Terms & Conditions
  • Our Operating System & Browser Policy
  • This Secure Password Policy
  • Our Information Security Policy
  • Our Service Level Agreement
  • Our UK GDPR Policy

This document was last updated in December 2024

All content & photography Copyright © 2025 Web Design UK Agency and its licensors | All rights reserved | Websites for Business