Checklist

To create a situation picture, you will need the persons who are responsible for your organisation’s

• security
• data security
• data protection
• preparedness 
• communications
• most senior leadership
• information systems.

Find out

• what data has been compromised
• what has been done to the data
• whether the security of the data is still at risk.

Assess

• what may follow from what has happened 
• how likely it is that the different consequences will be realised.

Decide

• what measures should be taken immediately
• what measures should be prepared in the long term.

• Keep a diary of the events and the decisions and measures that have been taken.
• Make sure that the log data on the information systems related to the incident are stored. 
• Take backup copies of all documents related to the incident.

• Do not answer to the blackmail messages.
• Do not pay any ransom.
• Do not delete the blackmail message you received.

If the online banking codes or debit and credit card details have ended up in the hands of outsiders, contact the bank straight away.

Assess whether your organisation needs to

• shut down the information systems or isolate them from the network
• increase the monitoring of the systems or the internal network
• restrict the flow of information between systems 
• prevent or prohibit the use of the systems.

If the data security of the usernames and passwords of the members of your organisation is at risk, lock the usernames related to the incident temporarily.

Determine from the log data what has happened in the information systems. Chase the intruder away by preventing their access to the systems. 

The normal operation of the information systems can be resumed once it has been ensured that

• the vulnerabilities in the system have been rectified 
• the intruder has been chased away 
• the routes used by the intruder have been blocked.

Plan how you will communicate about the incident internally and externally. Decide what, who to, when and how you will communicate.

Remember to

• stay truthful
• avoid speculation
• say you are sorry and apologise for the inconvenience caused by the situation
• not reveal anything that compromises data security.

• Submit a notification of a personal data breach to the Office of the Data Security Ombudsman.Opens in a new window. 

If your organisation is an NIS 2 actor, submit an incident report on the National Cyber Security Centre Finland’s website.Opens in a new window.

Send the notification within 24 hours of noticing a major incident.

• If you suspect an offence, report it to the police. Opens in a new window.

• Report a data security violation to the National Cyber Security Centre. 

Schedule and plan technical modifications with the system supplier. For example, you may have to

• recover data from a backup copy
• repair vulnerabilities
• update systems or reinstall them
• compensate for or acquire new devices
• change passwords. 

• Make the necessary changes to your organisation’s processes.
• Apply for possible compensation for breaches of contract, compensation from insurances or compensation for damage.
• Note that your customer may demand that your organisation pays compensation for having breached the General Data Protection Regulation.
• Note that the Office of the Data Protection Ombudsman may impose sanctions on your organisation if your organisation has not complied with the requirements of the General Data Protection Regulation. 
• Improve data security, data protection and preparedness.