Through every stage of an effective cyber breach response, planning and preparation is essential, according to the technology team at international law firm DAC Beachcroft.
The value of preparation was reiterated at each stage as the London-based team walked attendees through a data breach scenario at a fictitious online dating app company.
Participants at the London Tech Week workshop were asked to consider what they would do in the same situation and “help” the CEO of the online dating firm by registering their response at each decision point.
The exercise was designed to bring to life the typical questions a CEO would face after being contacted by a hacker claiming to have access to a database containing the personal information of customers.
With potential investors in mind, participants of the workshop were asked to consider whether or not the CEO should take the hacker’s claims and threats seriously. Would they report the incident to the police? Would they make contact with the hacker? When would they notify customers? Would they pay the ransom demanded by a hacker?
And once a decision was made to notify customers, workshop participants were asked to consider what they would say and what channel they would use. A notification on the website? A personal email? A conventional letter of notification sent by post?
This question also underlined the importance of being able to establish the extent and nature of the breach quickly, not only to be able to decide whether it was necessary to notify customers, but also to decide if it was necessary to notify the UK’s data protection authority – the Information Commissioner’s Office (ICO) – under the UK’s data protection laws, which are aligned with the EU’s General Data Protection Regulation (GDPR).
To notify or not to notify
Workshop participants were reminded that it is necessary for UK organisations to report a personal data breach to the ICO within 72 hours whenever there is a risk of harm, but at the same time, they were cautioned against notifying customers (data subjects) or the ICO unnecessarily.
“There is a fine balance in deciding whether or not to notify data subjects of a breach. While it is important to comply with the law by notifying when necessary, it is also important to ensure that you do not notify where it is not necessary”
Patrick Hill, DAC Beachcroft
“The ICO advises organisations to think very carefully before notifying of a breach because there was a flurry of unnecessary notification just after the GDPR came into full force in May 2018,” said Patrick Hill, lead partner in DAC Beachcroft’s technology, media and information risk (TMI) team in London.
“There is also a fine balance in deciding whether or not to notify data subjects of a breach. While it is important to comply with the law by notifying when necessary, it is also important to ensure that you do not notify where it is not necessary, thereby causing unnecessary distress,” he cautioned.
One useful guideline in deciding whether or not to notify data subjects, said Hill, is to ask whether or not such a notification will enable those affected by the breach to take any action, such as change their passwords or notify their bank. “If not, then notifying them is probably not necessary or useful, but it can be a difficult thing to call,” he said.
With a member of the legal team taking on the role of a journalist, participants of the workshop experienced first-hand the kind of pressure they could come under in a similar situation, where a member of the media finds out about a breach or an attacker notifies some or all of those affected, ramping up the pressure to make decisions around disclosing the breach.
The process of notification
Once it became clear in the scenario that it was necessary to notify both the ICO and customers, the team conducting the exercise gave a list of the kinds of questions an organisation reporting to the ICO would need to answer, underlining the need to be prepared and have the necessary processes in place.
“Here, having an forensics team on call is a good idea because they can help establish the scale and scope of the breach and provide vital information that will be useful in containing the breach in the short term, as well as putting processes and controls in place to reduce the likelihood of a similar breach in future,” said Hill.
Notifying the ICO can help organisations make the correct decision in terms of notifying those potentially affected by a breach, but it will also kick of an initial investigation by one ICO team that will involve answering a few key questions.
If the breach is notifiable, however, that will kick off a full investigation, the legal team warned, which will unleash a whole new set of much more detailed questions to answer.
The ICO will typically ask for:
An incident response report;
Details of the contractual relationship with any third-party suppliers involved;
Details of the controller/processor relationship with any third-party suppliers involved;
Details of the breach response plan and policy in place, as well as the company’s data risk assessment;
Information about what access controls are in place for all IT users such as multifactor authentication;
Details of any monitoring systems that are in place;
Details of what is being done to notify and support affected data subjects.
Notifying data subjects needs to be considered carefully, the legal team said. The emphasis needs to be on providing useful, actionable information so that those affected are able to understand how they are affected and what they can do to minimise the potential impact of the breach.
Underlining the potential financial consequences of a personal data breach, Hill reminded workshop participants that the GDPR allows for fines of up to €20m or 4% of annual turnover, but also pointed out that UK law allows for data subjects to make claims against organisations where a failure to keep personal data results in distress, even if there is no financial loss as a result of the breach.
Handling the media and public relations is another key area that requires planning. “I would recommend organisations consider using specialised public relations firms to help them through a breach,” said Hill.
“Once again it is important to have a plan in place based on a strategy that has been worked out in advance and good advice can be invaluable. Past breaches have shown that there is definitely a right and a wrong way of handling PR, and breached organisations will either be punished or praised depending on whether they get it right or not.”
In closing, Hill reiterated the importance of having a tried and tested breach response plan in place so that an organisation does not have to think through a breach scenario for the first time when the stakes are high and there are significant consequences for making the wrong decisions under pressure.
