Security Breach: Action Guide for Freelancers
When should you report a security breach? This is an increasingly common question among the self-employed and small businesses, because the incidence of breaches has risen considerably in recent years.
These types of incidents have increased by 23% in the last year. The Current Status Report on Corporate Mobile Data Security in Spain, developed by Kingston Technology, reveals that 1 in 10 companies has been the victim of this type of attack on at least five occasions.
This trend is expected to keep rising over the next few years, as teleworking is also expected to grow. It is therefore essential to acquire the resources to prevent and handle this type of vulnerability, especially for freelancers who carry out their activities online.
- What is a security breach?
- How should freelancers respond to a security breach?
- Types of security breaches: Identify which one you have suffered
- Action plan: response methods and notifications
- Submission deadline
- Processing of notifications due to information breaches
- Analysis and implementation of improvement measures
- Related articles
What is a security breach?
You are probably wondering what a security breach is and what it consists of. According to the GDPR, it is a type of online security incident.
A security incident is any unforeseen or unwanted event that results in some loss or damage to network users.
Security incidents create vulnerabilities in information systems. Their adverse effects can compromise the safety of users and the security of the systems themselves.
Information breaches (of which security breaches are among the most common) are generally associated with personal data breaches. They manifest as the destruction, loss or alteration of data, or as unauthorized access to it.
How should freelancers respond to a security breach?
To respond to a security breach, it is essential to determine the scope of the incident and diagnose the damage it may have caused. This is usually done through a forensic analysis of the system or of specific files, such as .log files, which can provide information about what happened.
An accurate assessment of the compromised systems is essential before starting any action plan to treat the damage and classify the incident.
Types of security breaches: Identify which one you have suffered
Security breaches are classified by how they arise and by their consequences.
A confidentiality breach occurs when information is accessed by unauthorized outside agents, often for fraudulent purposes. As you can imagine, confidentiality breaches can reach different levels of data access and danger.
The seriousness of the breach depends on the number of accesses that have occurred and on how far the exposed information may have been disclosed.
An integrity breach occurs when there is an unauthorized intrusion and the original information is manipulated for illegitimate purposes. Integrity breaches are an added risk because the manipulation and use of private information can severely harm the affected users.
An availability breach occurs when illegitimate access to protected information blocks access to it by authorized parties.
When the original data disappears, the loss can be:
- Permanent – when it is irreversible, and you cannot recover the affected data.
- Temporary – when you cannot recover it until a specific time has elapsed.
Action plan: response methods and notifications
After locating the incident and identifying its type, you must carry out a more precise and in-depth analysis to find out what the modus operandi was and at what point in your information system the incident occurred.
You should also assess the extent of the damage caused. Based on this information, you can take response measures adapted to the case.
The next step is to start a two-way notification process. If personal data has been compromised by the incident, you must formally notify the competent control authority.
In addition, the incident must be brought to the attention of the affected users, in compliance with the GDPR.
When to report a security breach?
The General Data Protection Regulation establishes the obligation to notify the competent Control Authority. An additional provision applies if the affected company or organization works with the personal data of third parties.
If the information breach exposes the owners of that data to severe or moderately serious risks, you must extend the notification procedure to them too.
In other words, you must inform both the competent Control Authority and the users who may be affected by the incident. Both notifications are required so that the victims can also take their own protective measures.
You should know that there is a deadline. You must notify the Control Authority within a maximum of 72 hours from the detection of the breach.
What happens if you don’t notify within the deadline?
According to the GDPR, you should make the first notification within a maximum of 72 hours after detecting the incident. When submitting that notification, the responsible party must also state whether it will provide additional information later.
If you do not make the initial notification within 72 hours, you must justify the delay when you submit it, stating the reasons that caused it.
The notifications must be made and recorded by the person in charge of the company or of the management of personal data, in compliance with the regulations.
Processing of notifications due to information breaches
You notify a security breach by filling in a specific form available in the Electronic Headquarters of the Spanish Agency for Data Protection.
Notifications follow a specific communication model in which you must provide:
- Your personal and contact details, and those of the person responsible for the processing or management of the affected information, if there is one.
- Whether it is a partial notification (complementary to a previous one).
You will also need to provide information relevant to the incident:
- On what date and at what time did you detect the security breach?
- When did it occur?
- How long did it last?
- In what context did it take place?
You must provide all the information within your reach, defining as precisely as possible the type of intrusion that occurred and the circumstances in which it occurred (theft, loss…).
Information on the compromised personal data
Some of the information you must provide at this level is:
- The type of personal data and records affected.
- The category and number of affected users.
- The techniques or actions adopted in response to the incident.
- The potential consequences of the incident.
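As an added example (not code from the original article), the following Python script shows how the log-based scoping described under "How should freelancers respond" produces the figures the notification form asks for: a timeline for the intrusion (first and last event, duration), the accounts used, an estimate of the records exposed, which of the three breach types the page describes is suggested by the activity, and the 72-hour notification deadline counted from the moment of detection. The access log, the IP addresses, the user names and the `rows=` query parameter are all constructed for the example and are assumptions about the format a freelancer's application might produce.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample access log (assumption: "timestamp ip user method path status").
# None of these entries come from a real system.
SAMPLE_LOG = """\
2024-03-02T08:14:03Z 203.0.113.7 admin GET /customers/export?rows=1200 200
2024-03-02T08:15:41Z 203.0.113.7 admin GET /customers/export?rows=340 200
2024-03-02T09:02:10Z 198.51.100.4 maria GET /invoices/118 200
2024-03-02T10:30:55Z 203.0.113.7 admin DELETE /customers/77 204
2024-03-03T07:00:00Z 198.51.100.4 maria GET /invoices/119 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Deadline named on the page: 72 hours from detection of the breach.
NOTIFICATION_WINDOW = timedelta(hours=72)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-02T08:14:03Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn the raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a damaged line should not abort the whole triage
        event = m.groupdict()
        event["ts"] = parse_ts(event["ts"])
        event["status"] = int(event["status"])
        events.append(event)
    return events


def scope_incident(events, suspicious_ips):
    """Summarise the events from the given source addresses for the notification.

    Returns None when nothing matched, so the caller knows the log holds no trace.
    """
    hits = [e for e in events if e["ip"] in suspicious_ips]
    if not hits:
        return None

    # Records exposed: the constructed log exposes the export size as rows=N.
    records = 0
    for e in hits:
        m = re.search(r"rows=(\d+)", e["path"])
        if m:
            records += int(m.group(1))

    # Map activity onto the page's three categories (heuristic, not a legal finding):
    # reading exports -> confidentiality, modifying -> integrity, deleting -> availability.
    types = set()
    for e in hits:
        if e["method"] == "GET" and "/export" in e["path"]:
            types.add("confidentiality")
        if e["method"] in ("POST", "PUT", "PATCH"):
            types.add("integrity")
        if e["method"] == "DELETE":
            types.add("availability")

    first = min(e["ts"] for e in hits)
    last = max(e["ts"] for e in hits)
    return {
        "first_seen": first,
        "last_seen": last,
        "duration": last - first,
        "accounts_used": sorted({e["user"] for e in hits}),
        "requests_per_method": dict(Counter(e["method"] for e in hits)),
        "records_exported": records,
        "breach_types": sorted(types),
    }


def notification_deadline(detected_at):
    """Latest moment for the first notification to the Control Authority."""
    return detected_at + NOTIFICATION_WINDOW


def late_justification_required(detected_at, notified_at):
    """True when the notification is past the 72-hour window and the delay must be justified."""
    return notified_at > notification_deadline(detected_at)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    summary = scope_incident(events, {"203.0.113.7"})
    for key, value in summary.items():
        print(f"{key}: {value}")
    detected = parse_ts("2024-03-03T09:00:00Z")
    print("notify by:", notification_deadline(detected).isoformat())
```

The three-category mapping is deliberately conservative: it only flags a type when the log shows the matching verb, so a breach that left no trace in this particular log still has to be assessed by other means, which is why `scope_incident` returns `None` rather than an empty summary when nothing matched.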
Analysis and implementation of improvement measures
The self-employed are especially vulnerable to this type of threat, mainly because they have less robust protection systems than large companies and, often, less knowledge of how to handle such incidents.
For that reason, bear in mind that this type of notification is meant to force a mandatory exercise of reflection.
If you have suffered this type of attack, it is vital to consider the scope of its consequences, evaluate the available measures, and study which technical resources you could implement to prevent it from happening again.