Breach Notification Policy

No-one wants a data breach: it's a gut-wrenching experience filled with dread.

Let's be clear: since GDPR came into force in May 2018, companies have new-found and onerous responsibilities to deal quickly, openly and honestly with any personal data breach. In practice that means notifying the supervisory authority within 72 hours of becoming aware of a breach, and notifying the affected individuals when the breach is likely to put them at high risk. So whilst we might all have done our data audits and updated our privacy policies, not so many of us have planned for what happens if and when a breach actually occurs.

Now we're lucky, I guess: we haven't found or seen a data breach on our services in over 20 years, but we have seen breaches occur elsewhere on our clients' sites. Often this has taken the form of a hack through an existing security vulnerability. Fixing the hack is not usually a big job: we can revert to older backups and clean up where and how the hack occurred, and to do this we have a policy. Here is the simplified version of it.

Data Breach Process

On the discovery or notification of a data breach we will:

  1. Immediately reset all administrator passwords to lock out any compromised accounts.
  2. Advise the client by opening a support ticket.
  3. Where required by legislation, inform the individuals whose data was or may have been compromised.
  4. Trace the source of the breach.
  5. Document the scope of the leak, the probability of data loss and an estimate of its extent.
  6. Fix the leak. This may entail another account purge or restoring from old backups, and may leave the site in a less than fully working state.
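
Step 1 is the one that has to happen in minutes, so here is how it can be scripted for a WordPress site. This is an added example, not Peerless's own tooling: it assumes WP-CLI is installed and that `WP_PATH` points at the directory holding `wp-config.php`; setting `DRY_RUN=1` prints the `wp` commands instead of running them. It also gathers three quick pieces of evidence for step 4, because the first clue to how an attacker got in is usually a modified core or plugin file, an administrator account nobody remembers creating, or a plugin with a known fix outstanding.

```shell
#!/usr/bin/env bash
# Emergency lock-out of WordPress administrator accounts with WP-CLI.
# Added example for this article, not the company's own script. Assumes:
#   - WP-CLI ("wp") is on PATH,
#   - WP_PATH is the WordPress root (defaults to the current directory),
#   - DRY_RUN=1 echoes the commands instead of executing them.
set -eu

WP_PATH="${WP_PATH:-.}"
DRY_RUN="${DRY_RUN:-0}"
LOG="${LOG:-breach-$(date +%Y%m%d-%H%M%S).log}"   # evidence log for step 5

# run_wp: execute one WP-CLI command (or echo it in dry-run mode),
# appending whatever it prints to the evidence log.
run_wp() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "wp --path=$WP_PATH $*"
    else
        wp --path="$WP_PATH" "$@" 2>&1 | tee -a "$LOG"
    fi
}

# gen_password: 24 alphanumeric characters drawn from the kernel CSPRNG.
gen_password() {
    head -c 32 /dev/urandom | base64 | tr -d '/+=\n' | head -c 24
}

# admin_ids: IDs of every user holding the administrator role, one per line.
admin_ids() {
    run_wp user list --role=administrator --field=ID
}

# lock_out_admins: the "reset all administrator passwords" step. For every
# admin ID passed in it
#   - sets a fresh random password, so the stolen credential is dead,
#   - destroys all of that user's login sessions, so a cookie the attacker
#     already holds stops working rather than riding out its lifetime,
#   - records the new password only in the log, to be handed over through
#     the support ticket rather than emailed.
# Finally it rotates the salts in wp-config.php, which invalidates every
# remaining authentication cookie on the site, non-admin ones included.
lock_out_admins() {
    for uid in "$@"; do
        pw="$(gen_password)"
        run_wp user update "$uid" --user_pass="$pw"
        run_wp user session destroy "$uid" --all
        printf 'user %s new password: %s\n' "$uid" "$pw" >> "$LOG"
    done
    run_wp config shuffle-salts
}

# first_clues: quick evidence for tracing the source of the breach:
# core and plugin files that no longer match the upstream checksums,
# the full administrator list with creation dates (look for one you did
# not create), and plugins with an update outstanding.
first_clues() {
    run_wp core verify-checksums
    run_wp plugin verify-checksums --all
    run_wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
    run_wp plugin list --update=available
}

# Only act when explicitly asked, so sourcing the file for its functions
# (or reading it) does not touch a live site.
if [ "${1:-}" = "--run" ]; then
    ids="$(admin_ids)"
    lock_out_admins $ids    # unquoted on purpose: one ID per argument
    first_clues
fi
```

Run it as `DRY_RUN=1 ./lockout.sh --run` first to see exactly what will be executed against the site, then without `DRY_RUN` to do it for real; the log file it writes is the start of the documentation step. Note that none of this removes the vulnerability that let the attacker in, or any backdoor or rogue account they left behind; that is what the later steps are for.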

The service is available as standard to all Peerless WordPress Service clients. Items 1 and 2 are included within the scope of the support contract. Tracing, fixing, documenting and legal compliance can take much longer and are chargeable if the time required exceeds 2 hours and the cause of the breach was outside our direct control.

We've had this policy in place for over a decade, but recently we've been asked to share our process and how we deal with these gut-wrenching moments. Stay safe and secure out there.