This year, May 15th started out as a normal day in my life as a freelance Virtual Assistant. Mid-morning found me heading to Coventry for 2 meetings in the city centre. I don’t know the centre very well and so I was walking with my iPhone in my hand, using Google Maps. Everything happened in a flash – I was mugged! Luckily, I was not hurt in the incident, but the muggers had my phone and it was unlocked!
Asking a passer-by for help, I was directed to the meeting venue where my concerned client sat me down and got me a glass of water and a coffee, whilst I gathered my thoughts. I had my laptop with me and using my client’s phone’s hotspot I was able to log in to my iPhone account and report my phone as lost, all within about 10 minutes of the incident.
Thankfully, only the day before I had backed up my phone and so I made the decision there and then to wipe my phone before the muggers had an opportunity to attempt to do anything with it and the information it stored!
My Next Steps
Having wiped my phone as quickly as I could, when I got back to my office, I did the following:
• Reported the incident to the police via an online incident report
• Called my bank to put a stop on my card
• Called my phone provider to suspend my number
• Called my business insurance helpline for advice on my reporting requirements
• Called one of my clients whose email account I access from my phone
• Wrote up an incident report for my records and completed a data breach log with the details
My Business Insurance
I was savvy when setting up my business insurance and chose a policy with Markl which includes cyber insurance. Markl provides a helpline which I utilised on that day to seek advice regarding the possible data breach, especially as I had access to one of my client’s inboxes on my phone. Having explained the situation, below is the response I received:
“As to the notification of affected data subjects, this is only required where there is likely to be a high risk to data subjects. This is a higher threshold and is not met in this instance.
“As I explained, Data Controllers are required to report personal data breaches under GDPR to the Information Commissioner’s Office unless the breach is unlikely to result in a risk to the data subjects whose data is affected by the breach. As the attacker was motivated to steal the phone, rather than gain access to any personal data in a business context, we consider a risk is unlikely. You took the right action in blocking your phone quickly and the breach is contained.”
I was advised to speak to my client and recommend they changed their passwords, which they duly did after they had been reassured that I was all right; sentiments that were much appreciated.
In this instance, it was not necessary for me to report a data breach to the ICO but to keep a record of the incident on file.
• Always have insurance – I had to wait to receive a crime number from the police, but after I’d received it later on the same day, I called my insurers and having paid the excess, a replacement phone was dispatched and delivered the next day.
• Always make sure you know where you are going beforehand.
• Do not walk holding your phone looking at Google Maps – use earphones instead.
• Make sure you know at least one number for a friend or family member that you can call for help – it is so easy not to learn anyone’s phone numbers these days as they are just automatically saved to your phone!
• Keep your phone backed up regularly.
• Don’t lock yourself out of your iTunes account (it took 3 days to get back in!)
The Good News
My fellow VAs from the VA Network said: “If it had to happen to anyone, it was a good job it was you!” And they don’t mean that nastily! They were referring to the fact that I have been the lead VA for the group regarding GDPR and Data Protection and therefore I had a strong procedure in place in case of a potential data breach and was able to work through it on the day.
Subsequently, I had a call from the police to say the muggers had been on a phone snatching spree and, I am pleased to say, have recently been caught.
As well as being very lucky not to get hurt, I was also extremely lucky that a data breach was avoided. It just goes to show though how easily it can happen, so don’t take any chances and make sure you know what steps you would take should this ever happen to you.
Do you have a data breach reporting procedure in your business? In fact, are you up to date with Data Protection and GDPR? A year on from the new legislation we are beginning to see fines coming in from the ICO, so please don’t let the next business be yours – contact me for help if you need it. My data breach procedure is tried and tested…!