Background

Data security breaches are increasingly common occurrences whether these are caused through human error or via malicious intent. As technology trends change and the creation of data and information grows, there are more emerging ways by which data can be breached. This document therefore outlines Bidlogix’s robust and systematic process for responding to any reported data security breach, to ensure it can act responsibly and protect its information assets as far as possible.


Aim

The aim of this policy is to standardise the company-wide response to any reported data breach incident, and ensure that they are appropriately logged and managed in accordance with generally accepted best practice guidelines. Adopting a standardised consistent approach to all reported incidents aims to ensure that:


- Incidents are reported in a timely manner and can be properly investigated

- Incidents are handled by appropriately authorised and skilled personnel

- Appropriate levels of management are involved in response management

- Incidents are recorded and documented

- The impact of  each incident is understood and action is taken to prevent further damage

- Evidence is gathered, recorded and maintained in a form that will withstand internal and external scrutiny

- External bodies or data subjects are informed as required

- The incidents are dealt with in a timely manner and normal operations restored

- The incidents are reviewed to identify improvements in policies and procedures

- Gathered evidence can be used to plan and take preventative action against future breeches.


Definition

A data security breach is considered to be “any loss of, or unauthorised access to, Bidlogix hosted data”. Examples of data security breaches may include, but are not limited to:


- Loss or theft of data or equipment on which data is stored

- Unauthorised access to confidential or highly confidential Bidlogix Data

- Equipment failure

- Human error

- Unforeseen circumstances such as a fire or flood

- Hacking attack

- ‘Blagging’ offences where information is obtained by deceit


For the purposes of this policy data security breaches include both confirmed and suspected incidents.


Scope

This company-wide policy applies to all company information, regardless of format, and is applicable to all employees, contractors and data processors acting on behalf of Bidlogix.

Responsibilities

Information users

Any individual who accesses, uses or manages the Bidlogix system is responsible for reporting actual, suspected, threatened or potential information security incidents and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage.

Bidlogix Management

Bidlogix Management are responsible for ensuring that all employees act in compliance with this policy and assist with investigations as required.

Lead Responsible Officers

Lead responsible officers will be responsible for overseeing management of the breach in accordance with the Data Breach Management Plan. Suitable delegation may be appropriate in some circumstances.

Contact Details

In the event that the Incident Management Team need to be contacted, they can be contacted on 0845 056 1277 or at support@bidlogix.net.  


Data Classification

Data security breaches will vary in impact and risk depending on the of the data involved, therefore it is important that the company is able to quickly identify the classification of the data and respond to all reported incidents in a timely and thorough manner. All reported incidents the appropriate data classification in order for assessment of risk to be conducted (See Section 7 for details). Data classification referred to in this policy means the following approved Data Categories:

Public Data:

Information intended for public use, or information which can be made public without any negative impact for the company.

Internal Data:

Information regarding the day-to-day business of the company. Primarily for employees, though some information may be of interest to third parties who work with the company.

Confidential Data:

Information of a more sensitive nature for the business operations of the company, representing the basic intellectual capital and knowledge. Access should be limited to only those people that need to know as part of their role within the company.

Highly confidential Data:

Information that, if released, will cause significant damage to the company's business activities or reputation, or would lead to breach of the Data Protection Act. Access to this information should be highly restricted.

Data Security Breach Reporting

Confirmed or suspected data security breaches should be reported promptly to the Bidlogix Service Desk as the primary point of contact on 0845 056 1277, email: support@bidlogix.net. The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved. For a list of the details to be included when reporting a data security breach please see Appendix 1.


Once a data breach has been reported an initial assessment will be made to establish the severity of the breach. A lead responsible officer will be assigned based on this assessment See Appendix 2.


All data security breaches will be centrally logged in the Service Desk tool to ensure appropriate visibility of the types and frequency of confirmed incidents for management and reporting purposes.

Data Breach Management Plan

The management response to any reported data security breach will involve the following four elements. See Appendix 3 for suggested checklist.


A. Containment and Recovery

B. Assessment of Risks

C. Consideration of Further Notification

D. Evaluation and Response


Each of these four elements will need to be conducted in accordance with the Data Breach Checklists (see Appendix 3) . All activities related to incident management will be recorded in Service Desk.

Authority

Employees, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

Review

The Bidlogix Management team will monitor the effectiveness of this policy and carry out regular reviews of all reported breaches.

References

Information Commissioner:

https://ico.org.uk/


Information Security Incident Management Plan:

Please see our Information Security Incident Management Plan. 


Appendix 1: Incident Reporting Details checklist

  • Description of the Data Breach
  • Time and Date breach was identified and by whom
  • Who is reporting the breach (Name, Position, Department/Organisation)
  • Contact details (Email & telephone)
  • Classification of data breached (Public Data, Internal Data, Confidential Data, Highly Confidential Data)
  • Volume of data involved
  • Confirmed or suspected breach?
  • Is the breach contained or ongoing?
  • If ongoing what actions are being taken to recover the data
  • Who has been informed of the breach?
  • Any other relevant information


Appendix 2: Evaluation of Incident Severity

The severity of the incident will be assessed per the Information Security Incident Management Plan (by Bidlogix Management during office hours OR the Chief Executive Officer/Client Services Manager outside office hours). Assessment would be made based up on the following additional data breach-specific criteria:


Critical (Major Incident)

Contact

  • Highly Confidential/Confidential Data
  • Personal data breach involves > 1000 individuals
  • External third party data involved
  • Significant or irreversible consequences
  • Possible media coverage
  • Immediate response required regardless of whether it is contained or not
  • Requires significant response beyond normal operating procedures

Lead Responsible Officer

  • Chief Executive Officer


Other relevant contacts

  • Bidlogix management team
  • Contact external third parties as required i.e. affected customer(s), police, ICO, individuals impacted

High (Serious Incident)

Contact

  • Confidential data
  • Not contained within Bidlogix
  • Involves personal data breach of > 100 individuals
  • Significant inconvenience will be experienced by individuals impacted
  • Incident may not yet be contained
  • Incident does not require immediate response
  • Incident response may require notification to Chief Executive Officer

Lead Responsible Officer

  • Client Services Manager


Other relevant contacts

  • Bidlogix management team
  • Contact external third parties as required i.e. affected customer(s), police, ICO, individuals impacted
Medium (Minor Incident)Contact
  • Internal or Confidential Data
  • Small number of individuals involved
  • Risk to Bidlogix low
  • Inconvenience may be suffered by individuals impacted
  • Loss of data is contained/encrypted
  • Incident can be responded to during working hours

Lead Responsible Officer

  • Training & Support Officer


Other relevant contacts

  • Bidlogix management team
  • Contact external third parties as required i.e. affected customer(s), police, ICO, individuals impacted

Appendix 3: Data Breach Checklists


Step

Action

Notes

A

Containment and Recovery

To contain any breach, to limit further damage as far as possible and to seek to recover any lost data

1

Lead Responsible Officer to ascertain the severity of the breach and determine if any personal data is involved

See Appendix 2 (and Information Security Incident Management Plan)

2

Lead Responsible Officer to share a copy of the data breach report with the Bidlogix Management team

To oversee full investigation and produce report. Ensure appropriate resources are assigned to incident. If personal data has been breached, assess and if necessary ensure communication is sent to relevant external parties

3

Identify the cause of the breach and whether the breach has been contained? Ensure that any possibility of further data loss is removed or mitigated as far as possible

Establish what steps can or need to be taken to contain the breach from further data loss. Contact all relevant parties who may be able to assist in this process. This may involve actions such as taking systems offline or restricting access to systems to a very small number of users until more is known about the incident.

4

Determine whether anything can be done to recover any losses and limit any damage that may be caused

E.g. physical recovery of data/equipment, or where data corrupted, through use of back-ups

5

Where appropriate, the Lead Responsible Officer to inform the police.

E.g. stolen property, fraudulent activity, offence under Computer Misuse Act.

6

Ensure all key actions and decisions are logged and recorded in Service Desk





B

Assessment of Risks

To identify and assess the ongoing risks that maybe associated with the breach.

7

What type of and volume of data is involved?

Data Classification/volume of individual data etc.

8

How sensitive is the data?

Sensitive personal data? By virtue of definition within Data Protection Act (e.g. health record) or sensitive because of what might happen if misused (banking details).

9

What has happened to the data?

E.g. if data has been stolen, it could be used for purposes which are harmful to the individuals to whom the data relate; if it has been damaged, this poses a different type and level of risk

10

If the data was lost/stolen, were there any protections in place to prevent access/misuse?

E.g. encryption of data/device.

11

If the data was damaged/corrupted/lost, were there protections in place to mitigate the impact of the loss

E.g. back-up tapes/copies.

12

How many individual’s personal data are affected by the breach?


13

Who are the individuals whose has been compromised

Customers, bidders, staff, suppliers?

14

What could the data tell a third party  about the individual? Could it be misused?

Consider this regardless of what has happened to the data. Sensitive data could mean very little to an opportunistic laptop thief while the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people.

15

Is there actual/potential harm that could come to any individuals?

E.g. are there risks to:

  • Physical safety
  • Emotional wellbeing
  • Reputation
  • Finances
  • Identify (theft/fraud from release of non-public identifiers)
  • Or a combination of these and other private aspects of their life?

16

Are there wider consequences to consider?

E.g. a risk to public health or loss of public confidence in an important service we provide?

17

Are there others who might advise on risks/courses of action?

E.g. if individual’s bank details have been lost, consider contacting the banks themselves for advise on anything they can do to help you prevent fraudulent use.




C

Consideration of Further Notification

 Notification is to enable individuals who may have been affected to take steps to protect themselves or allow the regulatory bodies to perform their functions

18

Are there legal, contractual or regulatory requirements to notify?

E.g. regulations, contractual obligations.

19

Can notification help Bidlogix meet its security obligations under the Data Proction Act/General Data Protection Regulation (GDPR)

E.g. prevent any unauthorised access, use or damage to the information or loss of it.

20

Can notification help the individual?

Could individuals act on the information provided to mitigate risks (e.g. by changing a password or monitoring their account)?

21

If a large number of people are affected, or there are very serious consequences, inform the Information Commissioner’s Office

Contact and liaise with the Chief Executive Officer and legal counsel as appropriate

22

Consider the dangers of ‘over notifying’.

Not every incident will warrant notification and ‘and notifying a whole 2 million strong customer base of an issue only affecting 2000 customers may well cause disproportionate enquiries and work’.

23

Consider whom to notify, what you will tell them and how you will communicate the message.

  • There are a number of different ways to notify those affected so consider using the most appropriate one. Always bear in mind the security of the medium as well as the urgency of the situation.
  • Include a description of how and when the breach occurred and what data was involved. Include details of what has already been done to respond to the risks posed by the breach.
  • When notifying individuals give specific and clear advise on the steps they can take to protect themselves and also what the organisation is willing to do to help  them.
  • Provide a way in which they can contact us for further information or to ask questions about has occurred (e.g. a contact name, helpline number or a web page)

24

Consult the ICO guidance on when and how to notify it about breaches.

https://ico.org.uk/

25

Consider, as necessary, the need to notify any third parties who can assist in helping or mitigating the impact on individuals.

E.g. police, insurers, professional bodies, funders, website/system owners, bank/credit card companies.




D

Evaluation and Response

To evaluate the effectiveness of the organisation’s response to the breach.

26

Establish where any present or future risks lie.


27

Consider the data and contexts involved.

E.g. what data is held, its extent, sensitivity, where and how it is stored, how long it is kept.

28

Consider and identify any weak points in existing security measures and procedures.

E.g. in relation to methods of storage and/or transmission, use of storage devices, levels of access, systems/network protections.

29

Consider and identify any weak points in levels of security awareness/training.

Fill any gaps through training or tailored advise.

30

Report on findings and implement recommendations.

Report to the Bidlogix management team.