Data Breach Response Policy

1. Scope

This policy applies to all employees, contractors, and third-party vendors associated with MPSWORKS Ltd t/a HUB who manage or have access to personal data and other sensitive information across the agency’s portfolio of websites. It covers all types of data breaches across these properties, including unauthorized access, theft, loss, disclosure, or compromise of personal data stored or processed by any of the websites managed by HUB.

2. Definition of Data Breach

A data breach refers to any incident across any of the websites managed by HUB that results in:

  • Unauthorized access to, or disclosure of, personal or sensitive data.
  • Loss or theft of data or devices containing website data.
  • Accidental or unlawful destruction, loss, alteration, or disclosure of personal data.
  • Any unauthorized action that compromises the confidentiality, integrity, or availability of the data associated with any managed website.

3. Key Roles and Responsibilities

  • Data Protection Officer (DPO): Oversees the data breach response across all websites managed by HUB, including reporting breaches to authorities and communicating with affected website owners and users.
  • Incident Response Team (IRT): Responsible for coordinating the technical, legal, and communication response for breaches across the agency’s digital properties. This team includes members from IT, Legal, HR, and Communications departments.
  • Website Managers: Responsible for working with the IRT to provide detailed information about the affected website(s), systems, and user data, and for coordinating remediation efforts on the affected properties.
  • Third-Party Vendors: Required to report any breaches that affect the agency’s websites within 24 hours and assist in breach response efforts.

4. Breach Detection and Reporting

  1. Immediate Reporting:

    • Any employee, contractor, or website manager who suspects or discovers a breach on any of the agency-managed websites must immediately report the incident to the DPO or Incident Response Team.
    • Third-party vendors must notify MPSWORKS Ltd t/a HUB within 24 hours of detecting a breach involving any website they manage or provide services for.

  2. Initial Assessment:

    • The Incident Response Team, in collaboration with the website manager(s) of the affected site(s), will conduct an initial assessment to determine the nature and scope of the breach, classify its severity, and assess the impact on users and data across multiple websites if necessary.

In specific circumstances, MPSWORKS Ltd t/a HUB will initially follow the ICO's guide to assessing a personal data breach, available at the following link:

https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/

5. Breach Response Plan

Stage 1: Containment and Mitigation

  • Upon detection of a breach, the Incident Response Team, along with the relevant website manager(s), will take immediate steps to contain the breach. These steps may include:
    • Isolating the affected websites, applications, or servers.
    • Disabling compromised accounts or access points.
    • Implementing security measures to prevent further unauthorized access across all potentially affected sites.

Stage 2: Risk Assessment

  • Determine the nature of the breach and the type of data involved (e.g., user personal information, financial data, or sensitive content).
  • Assess the potential impact on the users of the affected websites and across any interconnected websites within the agency’s portfolio.
  • Identify affected websites, their users, and any third-party services involved.

Stage 3: Notification

  • Internal Notification: Notify key stakeholders within the agency, including website managers, senior management, and legal counsel.
  • External Notification:
    • Notify the owners or managers of the affected websites.
    • Notify affected users across the relevant websites, informing them of the breach, actions taken, and steps they can take to protect themselves.
    • Notify regulatory authorities within the required timeframes (e.g., within 72 hours under GDPR or other applicable laws).
    • If the breach poses a high risk to individuals, notify them directly with appropriate guidance (e.g., password changes, monitoring for suspicious activity).

Stage 4: Investigation

  • Conduct a thorough investigation across the affected websites to determine the root cause of the breach.
  • Document findings, the extent of the damage, and how the breach occurred, including:
    • When and how the breach was discovered.
    • The types of data involved across the affected websites.
    • The systems or applications that were impacted.
    • The steps taken to contain and address the breach.

Stage 5: Remediation

  • Apply security patches or updates to resolve vulnerabilities across affected websites.
  • Strengthen security controls across MPSWORKS Ltd t/a HUB’s entire portfolio of websites (e.g., enhanced encryption, multi-factor authentication).
  • Review and update internal processes, including breach detection and incident response plans for each website.
  • Conduct training for staff and website managers on updated security measures and procedures.

7. Breach Notification Guidelines

  • Notifications to affected users of the impacted websites will include:
    • A description of the breach and its impact on the specific website.
    • The types of personal information involved.
    • Steps taken by MPSWORKS Ltd t/a HUB to address the breach across the affected websites.
    • Recommendations for users, such as changing passwords or monitoring their accounts.
    • Contact information for further assistance.
  • Notifications to regulatory authorities will include:
    • A detailed description of the breach, its impact on affected websites, and the number of affected users.
    • Steps taken to mitigate the breach and prevent future occurrences.
    • Contact information for follow-up inquiries.

8. Post-Breach Review

  • After a breach is resolved, a Post-Incident Review will be conducted to evaluate the response and identify any areas for improvement. This review will cover:
    • The effectiveness of the breach response on the affected website(s).
    • Communication with stakeholders and users.
    • Lessons learned from the incident.
  • The Data Breach Response Plan, as well as security measures across the entire portfolio of websites managed by MPSWORKS Ltd t/a HUB, will be updated as needed.

9. Compliance and Legal Considerations

MPSWORKS Ltd t/a HUB is committed to complying with all applicable data protection laws, including:

  • General Data Protection Regulation (GDPR).
  • California Consumer Privacy Act (CCPA).
  • Any other relevant local, national, or international data protection regulations that apply to the websites managed by MPSWORKS Ltd t/a HUB.

Failure to adhere to this policy may result in disciplinary action for employees and contract termination for third-party vendors.

10. Regular Testing and Review

  • This policy will be reviewed annually to ensure it remains effective and compliant with evolving data protection laws and regulations.
  • MPSWORKS Ltd t/a HUB will conduct regular breach simulations and training exercises for staff, website managers, and third-party vendors to ensure preparedness across its digital properties.