Notification of information security breaches
You must tell us about any security breach to your environment that adversely affects the confidentiality of customer data; or prevents the licensee’s customers, staff, or legitimate users from accessing accounts for longer than 12 hours.
We use the information you report to monitor ongoing compliance and evaluate risk across the industry. Should themes emerge that would be of value to share (such as specific attacks targeting a number of businesses) this may be fed back to help you deal with emerging threats.
LCCP: Licence condition 15.2.1 (para 16)
This licence condition applies to all operators and would include an information security breach for any operator who holds electronic records of customer information or gambling transactions.
Types of incidents
These are some common examples of incidents which may impact on the confidentiality of customer data or the availability of accounts:
- infection by viruses or malicious software
- ransomware infection
- theft or damage of computer equipment
- attacks by unauthorised outsiders resulting in network penetration
- unauthorised access (internal or external)
- unauthorised or accidental disclosure of customer data
- staff or third party misuse of customer data
- denial of service attacks
- customer impersonated fraud (identity theft).
When to report - severity of incident
Minor incidents should not necessarily be reported. You can decide whether the severity of an incident means it should be reported. You should record and keep your evidence as to how the decision to report or not report was made by the appropriate PML (or in the case of a small scale operator the appropriate ‘qualified person’).
The Information Commissioner’s Office (ICO) provides guidance on when security breaches involving personal data should be reported to them and this should be considered when making a decision to report (both to the ICO and to us).
The key considerations are:
- potential detriment that could be caused to the individuals affected
- volume of data that has been affected
- sensitivity of the data that has been affected
- financial loss to customers.
As a general principle, if a large volume of customer data has been affected, this should be reported. If a low volume has been affected but there is the potential for serious detriment or the data is highly sensitive, this should also be reported. Consideration should also be given to notifying affected customers where warranted; refer again to the ICO guidance in this area.
The ICO is primarily interested in breaches of personal information, whereas our interest has a wider remit, such as unavailability of customer accounts for more than 24 hours or the loss, corruption or unauthorised modification of other critical gambling records such as player account balances, prizes or gambling transaction records.
Details to provide
You should provide sufficient information to describe the incident that has occurred, the severity of the incident and the volume of data affected.
Consider the following when submitting a report:
- the nature of the incident
- the location of the incident
- the services attacked or compromised
- when it first occurred
- when it was detected
- how it was detected and whether you are able to precisely identify the extent of the incident (how many customers affected, whether data was taken, what data and systems were affected)
- what mitigating action has been taken
- whether the root cause has been identified
- whether any other parties such as the ICO, police, external security consultants or customers have been notified, and the consideration given to not notifying some or all of the other parties
- what preventative action has been taken or will be taken to prevent future breaches.
How to notify us of an information security breach
Breaches must be reported as key events as soon as reasonably practicable and in any event within five working days of the licensee becoming aware of the event’s occurrence.