‘Data breach’ are two words that no organisation ever wants to hear. However, every organisation is at risk of one. No one is completely immune, and so it is important that we reflect on them when they do happen. This is the purpose of this blogpost for the CDRN from Kate Fitzgerald.
I am going to start this blogpost with my usual caveat – I AM NOT A LAWYER. Nor am I a Data Protection Officer (DPO). I am simply a consultant who is very passionate about data privacy and protection.
Recently, WordFly – a digital messaging platform – reported an ongoing ‘network disruption’ which affected a lot of organisations within the arts sector. Very quickly, organisations began coming together to share what limited knowledge they had, discuss what approach they should take and what the next steps should be.
As it was an ongoing incident, for the first few days, there was very little information WordFly could share. On the 15 July they held a Town Hall online meeting where they confirmed:
- They had been subjected to a ransomware attack.
- Data had been exported from their environment and encrypted by a ‘bad actor.’
- The incident was ongoing, and it did involve personal data, but they could not offer any specifics i.e., how many users were affected, the scope of the data involved etc.
- ‘Personal data’ could potentially include any data imported into WordFly, as well as email templates, for as long as the user had been using the service i.e., WordFly do not delete any data (unless instructed).
- They had paid the ransom and had the decryption key and were in the process of restoring the data.
- They had no evidence that the data had been ‘misused’ i.e., leaked over the dark web, sent to any other public facing domain, or disseminated elsewhere.
- They did not know when service would resume.
WordFly is a US-based *Data Processor; they have no obligation to report to the Information Commissioner’s Office (ICO). Nor can they advise their users what to do in the event of a data breach – as the appropriate actions depend on each user’s own judicial laws and regulatory body.
WordFly users are **Data Controllers. Certainly, if they are UK-based, they should be registered with the ICO and already be adhering to data protection laws e.g., UK General Data Protection Regulation, the Data Protection Act 2018 etc.
Following the Town Hall there were three immediate considerations for UK-based organisations:
- Should they report to the ICO? They have 72-hour to report from becoming aware of the data breach (15 July)
- Should they inform their customers?
- How would they continue to communicate with customers in the meantime as WordFly service was still down?
Should the breach be reported to the ICO
Ultimately it was up to each affected organisation to decide what they felt was the most appropriate action. Organisations needed to assess what types of data had been uploaded to WordFly, how many data subjects were potentially affected etc., before deciding on whether to report. In a lot of cases, it was low-risk data i.e., names and email addresses, so it did not necessarily meet the ICO’s threshold for reporting. However, due to the scale of the breach (based on the knowledge at the time), a lot of organisations chose to report anyway. Typically, the ICO responded by asking to see what agreements were in place between the affected organisations and WordFly so that they could assess whether appropriate technical and security measures had been in place.
Should organisations inform customers
Again, this was a decision for each organisation. Some published statements on their websites, some proactively contacted customers, others decided to wait for more information from WordFly and the publication of the FAQs. It’s worth mentioning that following WordFly’s Town Hall, users were still no clearer as to whether their own data had been affected and if it had, to what extent. There was very little organisations could actually tell customers and most did not want to cause panic or undue stress.
How could organisations continue to contact customers in the meantime
With access to WordFly still down, organisations had to quickly figure out how best to continue to contact and engage with their customers. Many had service emails that needed to be sent e.g., pre-visit communications, weather warnings due to the heatwave etc. There was also the need to consider how to deliver marketing during the downtime. Organisations are still stretched post COVID – both in terms of staffing resources and budget – yet they had to quickly source and assess alternative digital message platforms to use as an interim service provider until WordFly service resumed.
What happened next?
On 29 July WordFly confirmed that a small subset of their users had personal data exported as part of the ransomware attack and that with the incident now closed, service was resuming. On 1 August WordFly sent their users one of two communication:
- One confirming the organisation’s data had not been affected by the ransomware attack
- Another confirming the organisation’s data had been affected by the ransomware attack
Typically, so long as relevant documentation was in place, organisations who did report to the ICO, were informed that there would be no further action, as reported in ArtsProfessional.
Timeline of Key Events
11 July – organisations notice WordFly service is down.
13 July – WordFly inform users it has been subject to a ransomware attack and that they have engaged Digital Forensic Experts to assist with the incident.
15 July – WordFly hold two Town Halls (European and North American) during which they confirm a personal data breach* though as the investigation is ongoing, they can offer no specifics. Attendees were asked to submit questions that would later be used to create a FAQs for organisations to refer to.
15 July – WordFly pay the ransom and have the decryption key.
19 July – WordFly publish the FAQs.
29 July – WordFly confirm only a small subset of their users had personal data exported during the attack, and service resumes.
1 August – ICO confirm they are taking no action against the arts industry.
1 August – WordFly inform users if their data has or has not been affected.
What to do in the event on a data breach
*On becoming aware of a data breach, you have a 72-hour window in which to report it to the ICO.
If you do have a data breach, here are some things you can do to help you manage and assess it:
- Have in place a Data Breach Policy i.e., a document clearly outlining what you need to do in the event of a data breach, as well as a Data Breach Process i.e., a form that you complete that helps you assess the data breach.
- Use the ICO’s Online Self-Assessment for Data Breaches.
- If you are still unsure, contact the ICO – you can do this by telephone or via live chat. They can help you assess if you need to report a breach and/or if there are any further steps you should take.
- Keep clear documentation of what happened and when, include a timeline of events, key points from any meetings attended and links to any documents shared. Again, if reporting, the ICO is going to want to know the details.
- Have in place a Data Breach Log where you record all data breaches, no matter how big or small, whether reportable or not. It is important you keep a record of breaches so that you can identify any weaknesses in process and take steps to rectify them. Documenting this helps demonstrate your accountability.
Other things to consider:
- Have in place a Data Processing Agreement (DPA) or a Data Sharing Agreement (DSA) with any third party you are sharing data with. If you are ever caught up in a breach, the ICO will want to see that documentation. It is vital you have clear agreements in place with third parties that state what data is being processed, for what purpose, how it will be stored and for how long.
- With regards to data processors, make sure you understand the third party’s Retention Policy. If the WordFly incident has taught us anything, it is that there is probably a lot more data hidden away than you think. If the third party’s privacy notice does not specify how long they will keep data, make sure you find out. And if they are keeping data indefinitely, put in place mechanisms or procedures that will allow you to regularly purge that data. Data minimisation is a key element of good data protection.
- Complete a Data Privacy Impact Assessment (DPIA) if you are assessing/implementing any new systems that will include personal data, or for projects involving sensitive or large amounts of personal data. A DPIA is a process designed to help you systematically analyse, identify, and minimise the data protection risks of a project or plan. It is a key part of your accountability obligations under the UK GDPR, and when done properly helps you assess and demonstrate how you comply with all your data protection obligations. The ICO has a great DPIA Template you can use.
- Make sure your organisation has a Master Data Audit i.e., a document that pulls together details on all the personal data processed by the organisation. The document would typically include information such as: Record Type, Purpose Data Held, Category of Data, Types of Data, Legal Basis for Processing, Storage Information, File Security Information, Retention Period, plus various other information. The ICO has a Data Controller Template you can use. A Master Data Audit should be a live document that helps organisations to keep track of and manage the data they are processing. It is also an invaluable resource when it comes to writing or reviewing privacy notices.
- Make sure you follow through with your own organisation’s Retention Policy – compliance does not happen by itself. You need to book in ‘housekeeping’ days where you use the Master Data Audit to assess which files are older than the set retention period and deliver the appropriate action e.g., securely shred and dispose of paper files, erase digital files etc.
Whilst the past couple of weeks have been very stressful for a lot of organisations, it was great to see the industry pull together and work so collaboratively through this incident. As knowledge sharing and peer-learning is a key principle of the CDRN, we thought it would be useful to share this recent experience.
*Data Processors have to protect people’s personal data – but they only process it in the first place on behalf of the Data Controller. They wouldn’t have any reason to have the data if the Controller hadn’t asked them to do something with it.
**Data Controllers have the responsibility of deciding how personal data is processed and protecting it from harm. Controllers can delegate the processing of personal data to Data Processors, but the responsibility for keeping it safe will still rest with the controller.
About the Author
Kate Fitzgerald, Kate Fitzgerald Consulting Limited, is a consultant based in Manchester. Kate works across the UK with arts and cultural clients to provide data privacy and protection support, data services, as well as audience research and insights. An experienced Arts Insights professional, with over 20 years’ experience, Kate has a proven track record of devising and delivering data-driven projects.