Hope for the best, plan for the worst
September 2019 | EXPERT BRIEFING | RISK MANAGEMENT
Data breaches and cyber incidents are an unavoidable part of doing business. While good cyber security and data protection measures will reduce the risk of an attack or breach, new threats continue to emerge. The job of defending systems and networks never ends. Of course, data breaches and operational cyber outages are not limited to malicious actors; the same impactful events may simply be caused by employee negligence.
It is therefore crucial that companies not only invest in preventative measures, but also focus heavily on their response. The General Data Protection Regulation (GDPR) in the European Union (EU) and the Network and Information Security Regulations (NIS) impose strict legal requirements when responding to breaches. Under the GDPR, notifying a breach is a standalone requirement in its own right: failing to notify is itself sanctionable by 2 percent of turnover or €10m.
While we have yet to see a GDPR fine issued for simply failing to notify a breach, as opposed to the breach itself, there are many instances of sanctions issued by the Information Commissioner’s Office (ICO) that were influenced by the companies’ response to the breach. In one recent monetary penalty notice, the ICO noted that “communication and notification procedures were deficient, engendering avoidable delay in notifying and responding to the data breach after its occurrence”.
Notwithstanding the legal sanctions that can be applied if a company is not prepared for a breach, the media is littered with examples of companies facing criticism for their response to a cyber or breach crisis, damaging brand and organisational trust. Of course, a breach is never going to be a good news story, but bad publicity is often compounded when the company appears out of control, is unable to explain what has happened or what it is doing to protect data subjects, or notifies months or even years after the incident occurred.
It is all part of the plan
Many commentators talk about the need to have a data breach plan but rarely is guidance offered as to how to go about establishing a plan. It is important to avoid the trap of making the plan too detailed and rigid, or focusing on a particular function in the organisation. A breach plan is not an IT response plan, it is not a legal notification plan, nor is it a communication plan. Rather, a good plan encompasses all business functions.
Failing to make a plan useable, understandable and accessible will also run the risk of it becoming ‘shelfware’, gathering dust from the moment it is written. The key to a good plan is having sufficient detail so that it rallies the right decision makers, relative to the severity of the incident, and equips them with the required information and advice in order for them to make the right decisions at the right moment.
Companies should consider adopting a five-step process when approaching their data breach plan.
The first step is to identify your internal breach response team. It is important to strike the right balance between involving too many people to respond in an agile manner, and too few to make a fully informed decision involving essential stakeholders.
The team should generally include members from core business functions – information security, legal and compliance, IT, human resources, management, finance, and marketing and communications. Companies should plan for alternatives in case of holidays or unexpected absences. Leadership roles should also be assigned, so there is a clear understanding of who will make key final decisions on actions.
Breaches will vary in scale and significance – not every breach needs the chief executive to be on the phone. Using escalating teams can be helpful: a first line ‘bronze team’ can deal with initial breach triage, escalating to a ‘silver team’ if the breach is recognised as significant and adding senior decision makers to create a ‘gold team’ for significant breaches that require the involvement of executives. This system can also help to communicate the urgency and severity of a breach, without having to reveal the nature of the incident.
Once a team has been created, primary and alternative contact details should be collated. It is vital that these details are frequently reviewed and maintained. It can also be useful to have key documents accessible to the breach response team, such as a breach log, guidance on ICO notification and checklists. Companies must also remember that in the event of a serious breach or cyber attack, the usual systems for storing information may be inaccessible.
The second step is to know who your advisers are. An organisation may need assistance from external parties in the event of a breach, and it is wise to plan ahead for how critical skills or capacity will be sourced before they are needed. Advisers and services might include: (i) external legal counsel; (ii) cyber insurance broker and insurer; (iii) independent cyber security forensic investigators; (iv) public relations and crisis communications advisers; and (v) customer call centres.
External advisers and services should be chosen for a proven track record of providing services in response to incidents – consider asking an insurance broker or insurer for referrals. Some cyber or data breach insurance policies specify experts to be involved in a breach.
The third step requires companies to agree their ‘rules for the road’. Companies should consider the rules that will apply to their response. These may include how to communicate, be it via email, telephone or group message, what to and what not to communicate, the use of code words or project names, and how to classify incident severity. Definitions can also be helpful to avoid miscommunication – the word ‘breach’ means many things to many people.
Companies often fail to define the corporate priorities for the breach response team. It is perfectly understandable that different organisations will have different priorities. Will a company prioritise providing an uninterrupted service to customers over cost to the business, for example? Is revenue more important than reputation?
The fourth step requires companies to put together a response plan. Companies should adopt a clear framework of steps that the response team can follow, while retaining the flexibility to respond to each unique situation. A plan that is too rigid may end up being ignored. There are many variations, but the following example is a useful starting point: (i) detect: identify a centralised point for breaches to be reported; (ii) triage: escalate the breach to the appropriate level; (iii) containment: take action to contain or close a breach or cyber incident; (iv) recovery: take actions or measures to recover systems or data; (v) assessment: assess which systems or data have been affected, risks and likely outcomes; (vi) notification: determine who should be notified externally about the breach; and (vii) evaluate: review and revise the response.
The fifth step is testing. It is vital that companies review their plan on at least an annual basis, and rehearse it just as often. Team members and external providers will inevitably change over time and testing the plan will give organisations confidence that it is still solid and able to meet its needs. If possible, companies should involve their external providers in rehearsals.
Our experience has taught us the following additional points for a timely and joined-up breach response. Companies should ensure that they clearly identify key roles and decision makers. Without clarity on who will make important decisions, the response team may grind to a halt.
Define roles, and plan for absences and contingencies. It is inevitable that someone in a large team will be on holiday or have recently left the organisation; make sure that others are ready to step in.
Be clear on what constitutes a personal data breach under the GDPR: not every infringement of the GDPR is a personal data breach, only those that arise from a breach of security. Companies must understand their responsibilities clearly ahead of notifying regulators, data subjects and third parties.
Hans Allnutt is a partner, Laura Stewart is a solicitor and Allison Crabtree is a trainee solicitor at DAC Beachcroft. Mr Allnutt can be contacted on +44 (0)20 7894 6925 or by email: email@example.com. Ms Stewart can be contacted on +44 (0)20 7894 6984 or by email: firstname.lastname@example.org.
© Financier Worldwide
Hans Allnutt, Laura Stewart and Allison Crabtree