It is the phone call that all in-house lawyers or chief compliance officers may dread. It might be from your IT team, or from law enforcement, reporting that there has been a security breach and that data has been leaked to the dark web; or it might be from a journalist, telling you that they hold confidential information that has been leaked to them; or it may be directly from a hacker making a ransom demand. In the event of a cyber attack, what should you do?
The investigation
Your immediate priority will be to investigate, and contain, the data leak. In order to regulate the flow of information, and ensure work streams can be efficiently managed, it is useful to set up a cyber breach committee, which will be responsible for investigating the breach. This committee will typically include senior members of legal and IT, your data protection officer, compliance officer, a PR representative, and anyone who has had direct contact with the party alerting you to the breach (such as the journalist, hacker or law enforcement officer). The committee should also be headed by a senior decision-maker with authority to sign off on any decisions. Where the possible breach has affected multiple jurisdictions, it is important to have a point of contact in each of those jurisdictions reporting to the cyber breach committee, to ensure consistent messaging and efficient management of the investigation information.
Aside from these practical benefits, establishing a cyber breach committee also helps to maximise your chances of claiming privilege over the investigation and its output. For instance, defining the ‘client’ as the committee in any retainer letter with your external counsel will ensure that communications between any member of the committee and external lawyers are treated as privileged. Privilege issues can be complex in the context of investigations, but instructing external counsel will maximise your chances of claiming privilege over any communications.
You will also want to consider instructing external counsel at the outset, so that they can assist with quickly co-ordinating the multi-disciplinary expertise required, including data protection expertise, advice on potential liabilities to third parties, regulatory issues, PR consultants and IT forensics. Not all data breaches will require this breadth of expertise, but for significant and sensitive breaches, you will need to have a plan in place within the first 24 hours of the breach in order to contain the issue, manage any reputational damage and assess your potential exposure.
The most important facts to ascertain at the outset are:
- Who or what caused the breach (whether actual or threatened)? Cyber breaches can arise in a number of ways, from human error to internal or external malicious activity. It may transpire that the breach is an ‘inside job’ committed by one of your employees. You may therefore need to conduct a review of the data of particular employees and review their access history. If you do so covertly, it is important to document the steps taken, by way of a privacy impact assessment, to ensure that the steps are proportionate and in compliance with data protection law.
- Who and how many people have been affected? This is relevant not just for regulatory reporting requirements, but also for messaging. For instance, it can be helpful to present the breach as having only affected a small percentage of your customer base.
- Which jurisdictions are impacted by the breach? This is also important for regulatory reporting requirements, but you may also promptly need to take local law advice on various matters, including privilege.
- What type of data has been leaked? There may be different reporting requirements, depending on what type of data has been accessed. For instance, bank account or medical information will be more sensitive than someone’s business email address. It is also important to verify the facts of the breach, such as whether the data has actually been exfiltrated, rather than simply viewed on the server.
If your business has a sophisticated IT team, you may be able to entrust this investigation to them. However, most victims of cyber attacks choose to instruct an independent cyber forensics specialist who can quickly investigate and report independently to the cyber breach committee.
It is also important to brief your head of communications promptly, as there is a high risk of the story quickly reaching the headlines (eg via social media). There is often a temptation to explain what you know at the outset; however, this is often based on rumours or suspicions. Make sure that any communication to the media is based only on facts established from your investigation.
Reporting to regulators
Any regulator is likely to be concerned with how quickly the possible breach was identified, investigated, and contained, so it is important to keep a record of this information as it progresses.
In most instances where there has been a data breach in the UK or EU, there will be reporting requirements to the relevant supervisory authority (eg the Information Commissioner’s Office in the UK), if you are a data controller. If you process data on behalf of a data controller, you are likely to need to notify that controller as soon as possible (to ensure that they can comply with their own reporting obligations). Once the General Data Protection Regulation comes into effect in May 2018, these obligations will become more stringent, as data controllers will be required to notify all data breaches presenting a high risk to individuals within 72 hours where practicable.
Other reporting requirements depend on the nature of your industry and the type of data that has been compromised. For instance, if it is individual financial data, you may need to notify the Financial Conduct Authority. Equally, if you are a service provider of certain essential services or digital services, you may have notification requirements to Ofcom.
Other affected third parties
To the extent that there are any individuals whose data has been compromised, you may need to notify these individuals directly, in order to ensure they can take steps to protect themselves. For instance, you may wish to notify them that there is a security breach and that they should change their passwords, in order to prevent further attacks.
The other priority is to ensure the impact to your business is minimised as quickly as possible, to reduce the risk of third-party exposure. If there is an adverse impact on the operation of your business, try to make quick and reasonable adjustments to your operations to minimise the impact on customers. You should also consider the impact on other third parties and carefully examine the terms of your agreements with them, including rights of termination, indemnities, limitations on liability, and any notification requirements. If you are a data processor on behalf of a data controller, make sure you check the terms on which you process and store the data.
If you have ascertained that the breach was caused by a third party (such as the server host), you will also need to consider the terms of your contracts with that third party, in case any liabilities can be passed on to them. Equally, it is important to look at the terms of any insurance cover you have, and promptly notify your insurer if it looks likely that the breach may be covered. Failure to promptly notify the insurer may invalidate any potential coverage.
What can you do now?
Given the high risk of damage to your business’ reputation, potential regulatory sanctions, and exposure to third-party claims, it is essential to put in place measures in advance, in order to minimise these risks.
- It is worthwhile creating a cyber breach committee, even before a crisis hits. That committee should create a cyber crisis management action plan, and run ‘fire drills’ to make sure that the business is prepared in the event of a worst-case scenario. These drills should include contingency plans for the operation of the business, such as through a back-up server, in the event that your IT system is brought to a halt. For instance, in the event of a ransomware attack, you may be prevented from sending emails to staff and impacted individuals if a back-up is not available.
- Put breach prevention measures in place now, in order to mitigate the risk of a breach and so you have a good narrative should you need to report to a regulator or any impacted individuals. Ensure you have appropriate policies and procedures in place to govern your organisation’s use of personal data. Run security audits across your business, check for vulnerabilities in your server, and run appropriate training for employees on the risks of clicking on suspicious links. Make sure you know whether you are a data processor or data controller, and in respect of which data. It can compound matters if, in the event of a data breach, you discover that you are not storing or processing data in accordance with what you have agreed with the end-user.
- If you are in a high-risk industry, look at the terms of your insurance policy to see if it would cover a cyber breach, and consider obtaining specialist cyber cover.
Baker McKenzie’s global cyber crime team (part of our global business crime unit) offers a one-stop crisis management service in responding to a cyber security attack: we not only offer legal advice on the various legal disciplines around the world, but we also offer project management services to monitor and control cost, and we are used to working closely with others, such as IT forensics and PR consultants, whether within your own organisation or externally.