A personal data breach occurs when sensitive, confidential or protected data is accessed, disclosed, altered, lost or destroyed without authorisation. In the case of remote working, it could occur when data on a work laptop is accessed by someone other than the person authorised to have it. A work laptop stolen from within the home is also a data breach, even if nobody is known to have read the data on it, because the organisation has lost control of that data.
Payroll professionals are especially at risk because they carry sensitive personal and financial employee information into their home offices, which are usually far less protected than the office network. A cyber-criminal (or anyone with criminal intent, for that matter) who knows that a payroller is working from home has a softer and more valuable target, so the home network, the home Wi-Fi and the payroller's personal devices all become worth attacking.
This is particularly relevant for payrollers using printed payslips, as the data can be left in the open for anyone to access. It is strongly recommended that anything printed is stored away securely until such time as it can be mailed or destroyed at an office location.
Articles 33 and 34 of the GDPR govern the notification of a personal data breach: Article 33 covers notification to the supervisory authority (in the UK, the ICO) and Article 34 covers communication to the affected data subjects.
The following should be in place so that a personal data breach is detected, reported and handled correctly:
• A robust mechanism for staff to report a suspected personal data breach internally, with no penalty for reporting in good faith
• A reporting mechanism that is equally effective for home/remote and office-based workers, and does not depend on being in the office or on the office network
• Post-reporting incident management procedures that continue to operate even when business continuity is strained, including a record of every breach whether or not it is ultimately notified
Not all reported breaches are necessarily notifiable to the ICO or to the affected data subjects. Where a breach is “unlikely to result in a risk to the rights and freedoms” of the data subjects, the ICO need not be notified, although the breach must still be documented internally. Where notification is required, the data controller must notify the ICO without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach; if notification is later than that, the reasons for the delay must be given. In practice this means the clock starts when anyone in the organisation has a reasonable degree of certainty that a breach has occurred, not when the investigation is complete, so the internal reporting route must be fast.
Where the breach is likely to result in a “high risk to the rights and freedoms” of the data subjects, a higher threshold than the one for notifying the ICO, the data subjects themselves must also be informed “without undue delay”.
External attackers often target companies while they are under significant organisational stress, when staff are distracted, processes are improvised and unusual requests are less likely to be questioned.
With many workers now working from home, it is an opportune time for an attacker to use a variety of techniques, such as:
• Phishing emails, including ones that mimic the remote-working tools and HR or payroll notices staff now expect to receive
• Impersonation attacks such as Business Email Compromise (BEC) and CEO fraud, in which the attacker poses as other staff members, suppliers or customers to request a payment, a change of bank details or a copy of payroll data
• Other social engineering, for example telephone calls claiming that your internet connection will be cut off within 24 hours because you have been hacked, designed to pressure you into handing over credentials or installing software