Anatomy of a data breach response
Information security is mission critical for businesses today. Data management has attracted increasingly more attention from privacy regulators, with enforcement actions leading to significant fines. Businesses are acutely aware of the adverse impact and bad reputation that can come from poor data management. Information security has risen to the top of businesses’ priority list.
How should businesses act in the face of this challenge? In this overview, Pádraig Walsh from the Cybersecurity practice group of Tanner De Witt guides you through the information security cycle, from guarding against potential security incidents, to how to respond to a data breach.
1. An Incident Response Plan
Mike Tyson once said that everyone has a plan until they get hit. Plans are still important. Without a plan, you have worse problems. With a plan, you have a better chance to pick yourself up, dust yourself down, and get back in the race. The best chance for a good response after a data breach starts with an incident response plan prepared before the breach.
The reason why
An incident response plan is both a sword and a shield.
A good incident response plan will adopt a coherent framework with key critical information and process to enable a swift and effective response to an incident. Who do you need to contact internally? It’s in the plan. How do you reach them? It’s in the plan. What initial information do you need to find out? It’s in the plan. What first steps should you consider? It’s in the plan. If this framework, guidance and information is at hand before an incident occurs, then it will minimize the chance of a panicked response to an incident and mitigate the risk of damaging mistakes in handling the response.
The defensive reason for an effective incident response plan is that any subsequent investigation or litigation will focus on the extent of preparation and readiness of the business for the incident. The absence of an incident response plan is an indication that no management forethought or planning was given to the risk of a serious incident. This will be a negative factor in assessing the responsibility or liability of the business for the incident and the loss and consequences arising from it.
Incidents and breaches
One of the key benefits of an incident report plan is its framework that helps to identify and assess incidents. That process then dictates the nature, scale and extent of the response. Part of this process is to categorise activity into one of four categories:
Event: An event is activity that is normal and within expected security protocols and processes. So, for instance, an event will occur if your firewall appropriately responds to and repels a penetration attempt.
Incident: An incident will occur if an event does not follow security protocols or processes, and gives rise to a risk of exposure of data or unauthorized access to data. The exposure or access may not actually occur; however, the incident has occurred and is logged, assessed and responded to. So, all incidents are events, but not all incidents are breaches.
Breach: A breach occurs when there is unauthorized access to, or loss of, data from IT systems. This is a more serious incident.
Notifiable breach: A notifiable breach is a data breach that meets the legal or regulatory thresholds that require a formal notification of the breach to authorities, regulatory bodies or data subjects. This is a different standard again. Not all breaches will trigger a notification obligation.
An incident report plan will include a system and framework to report and assess all incidents, with different actions triggered according to the outcome once that triage has been performed.
Purpose of an incident report plan
The purpose of an incident report plan is to establish a framework to:
- prepare an plan for readiness in advance of an incident, including establishing an incident response team.
- log and report incidents, including how to gather meaningful and reliable information for those reports.
- assess and triage incidents, including the factors to consider in making that assessment.
- respond to incidents in a swift, proportionate and measured way, focusing on remedial priorities.
- review and learn from incidents and responses to incidents for continuous learning and improvement of IT security.
Three key elements
The incident response plan will cover quite a lot of ground, but here are some important elements that are core to the usefulness and success of an incident response plan.
Senior management endorsement: The incident response plan must be approved and endorsed by senior management. The plan is not a merely operational matter. If a serious incident occurs, senior management – right to the CEO – will be involved. Senior management should not be running a playbook to respond to a serious incident that has not been reviewed, approved and endorsed by senior management in the first place. Senior management will be responsible and held accountable for the response to a serious incident. Their responsibility starts with the plan itself.
Incident response team: The incident response plan will identify the key persons who will be actively involved in an incident response, and also stakeholders who will be involved or consulted (even if not actively involved). Roles and responsibilities should be assigned in the plan. Also, their emergency contact information should be included in an appropriately secure and confidential manner. The incident response team should also include external experts or legal counsel who may need to be involved. The team members and stakeholders will be different according to the nature of the incident, and those factors should be reflected in the incident response plan.
Step plans: The incident response plan will have step plans and action flows to provide guidance on the sequence of steps to take when an incident occurs. This need not be prescriptive. Each incident will be different, and may require a specific response. It is not possible to write down and account for a wide range of actions for a wide range of incidents. However, a good incident response plan will indicate the common immediate steps to take to lead to an appropriate early assessment of the incident.
Some common mistakes
Here are some common mistakes in preparing incident response plans:
Using work contact information as emergency contact information: The emergency contact information will necessarily involve using the personal contact information of incident response team members. This is because business contact information may itself be compromised in a serious incident. For instance, a work email address is not sufficient emergency contact information. Work emails may be compromised as a result of the incident.
Availability of the incident response plan: The incident response plan should be stored in a separate location that is known to those in the incident response team, and that is segregated from the IT system. This is to ensure that the incident response plan is readily available if an incident occurs, even if the availability of the IT system itself is compromised.
Not engaging external advisers before an incident: External advisers may be an integral part of the incident response team. Technical experts may be needed to assess the cause of the incident, stop any aggravation of the issues, and begin remedial work. Legal advisers may be needed for advice on potential liability, breach notifications and regulatory reporting. External advisers need time to go through client and customer onboarding processes. This should be completed as part of the preparation, adoption and implementation of the incident response plan.
The ubiquity of data breaches now means that each business knows that a breach will happen to them. It is not a question of if, but of when. That alone clarifies and simplifies the management need.
Preparation is key. Events rarely unfold according to plans, but the process of planning is itself preparation. It educates and socializes key people with key issues, and supports their readiness to respond with confidence when an incident happens.
Regardless of the size or complexity of a business, if it has not given forethought to incident response, then its response will be an afterthought, and that form of hindsight will be punished. However, with forethought, then it is more likely that the consequences of an incident will be less, and the recovery swifter. It might be a punch in the face, but you won’t be knocked out – you’ll be back into the race.
2. The Incident Response Team
There is no “i” in “team,” but there is I.T. in the incident response team to a data breach. The key people involved in an incident response team can be divided between the core team and the ancillary team.
The core team
The core members of the incident response team will be involved in all security incidents and data breaches. This can be distinguished from other persons who may be pulled into an incident response either because of the type of security incident or to perform isolated specific tasks.
The key members of the core incident response team are:
Information security team. The infosec team will focus on the downstream issues and consequences of the security incident. This will be an almost exclusive focus. The incident response plan should make clear that the primary role of the infosec team is to identify, contain and resolve the security incident. This inevitably means that the infosec team will have limited involvement in upstream communications to executive management or externally to regulators, customers or other stakeholders.
Frequently, in the course of the incident response, the infosec team be separated physically from other members of the incident response team. The infosec team may be in a separate “war room” with limited rights of access by others. This is important so that the infosec team can retain its exclusive focus on downstream issues.
The incident response plan will address the resources needed by the infosec team to effectively respond to a serious security incident. The incident response plan should foreshadow that the infosec team will need stand-alone, separate systems that do not rely on or automatically access the systems under attack.
The incident response plan will also outline how reports and information will be provided by the leader of the infosec team. Management should anticipate that the infosec team will not be available to respond to ad hoc queries or be pulled into ad hoc meetings.
The infosec team must ensure it preserves forensic evidence of each stage of the response to the security incident so that these records can be reviewed in any subsequent investigation. This may require engaging and involving external technical experts.
Legal team. The legal team may be a combination of internal legal and external legal.
External legal counsel should be involved as soon as possible after a serious security incident is identified. This involvement can help to ensure that sensitive communications provided to external legal counsel for advice will be protected by legal professional privilege. The incident response plan should require management to engage external legal counsel in anticipation of a security incident. This allows the law firm to conclude its client engagement and onboarding procedures beforehand. Then, the law firm can be immediately ready and able to respond upon instructions when a security incident occurs.
The primary role of the legal team is to advise on legal issues and legal obligations requirements from the security incident. One of the immediate and important legal assessments is whether a mandatory personal data breach notification is required. This is a technical legal issue. Management should not decide to make a mandatory notification without the involvement of the legal team. If mandatory notification is necessary, then the legal team will advise on who the notification should be made to, and what the notification should contain.
The legal team will also advise the infosec team to preserve communications and records to a forensic standard for further review later. The legal team will stress that the business must ensure evidence is not lost, destroyed, or tampered with.
The legal team will review regulations that apply to the business to assess whether any other notices should be given to industry regulators or financial institutions.
The legal team will review important commercial contracts to assess whether there are any contractual notification or other requirements under those contracts in the context of the security incident. For instance, the legal team will assess whether the security incident will give other contracting parties the right to terminate the contract and claim damages.
The legal team will also be involved in other public communications to ensure management does not breach applicable laws or regulations or increase other legal risks.
The legal team will also assist management in any notification needed for insurers.
Public relations team. A serious security incident or data breach can have a profound adverse impact on the reputation of the business. Frequently, management will engage public relations experts to advise on and help manage the public response to a security incident.
The incident response plan should provide that public relations consultants are engaged before a security incident occurs. This allows management to undertake a proper selection process of the appropriate consultants. The critical factor will be the experience of the consultants in crisis situations that involve data breaches. There are particular tensions and acute sensitivities that arise in data breaches that are not necessarily present in other crisis management situations. Management will wish the public relations consultants to advise in a way that is aligned to the culture and values of the business.
The ancillary team
There are other members who are important in an incident response plan, but do not need to be actively and always involved. These include:
The CEO. The CEO is the person who will be the most important public face of the business in relation to the security incident. The CEO will directly deliver critical public announcements. The CEO will be the person identified as having primary responsibility for mandatory breach reporting to regulators. Employees and other stakeholders will look to the CEO for leadership and direction. The CEO should actively reaffirm the corporate values and culture of the business as the security incident unfolds.
Human resources. Businesses act and respond through people. There must be a good, calming, and consistent message to employees so that employees are aware of the security incident, and their role is in responding to it. The message should be clear and transparent, containing the accurate information necessary for employees to be informed and able to respond.
Finance. The cost of a security incident can be significant, unbudgeted and immediate. The finance team needs to be briefed and authorised to promptly release funds and resources needed to effectively respond to a security incident.
Executive management. The incident response plan should clearly identify a person in senior executive management tasked with the responsibility to coordinate the incident response and lead the incident response team. This person should be given the authority to make critical decisions in the security incident. He should be comprehensively trained so that he is equipped to work systematically and transparently when a security incident occurs.
Customer relations. Customers will be nervous when a security incident or data breach is publicly notified. The customer relations team must be briefed with clear, consistent and accurate information so that they can provide the information that customers will need to respond and protect themselves from any consequences of the security incident. If the business establishes a customer hotline, then the systems and resources deployed must be sufficient to meet the anticipated volume of customer calls or communications, and the customer relations team must be adequately staffed to meet those queries.
In incident response team does not happen by itself. Like all good teams, the incident response team will be carefully selected, properly resourced, and fully-trained before going into action. If these key ingredients are in place – people, plans, resources, and training – when a security incident happens, the incident response team will be primed and ready to respond and react effectively and in alignment with the corporate culture and values of the business.
3. The Importance of Training
In a crisis, you don’t rise to the level of your aspiration, you fall to the level of your training. Training before a data breach occurs is critical to an effective response when a data breach occurs.
The reason why
People in an organisation are often the first and front line of defence in cybersecurity. There is a tendency in cybersecurity circles to focus on technology and infrastructure solutions, systems and processes to maintain security. These are critically important. However, equally, if not more important, are the people in the organisation. These are the people who are operating the systems in place, following the processes, and generally conducting the business.
The quality of training and awareness programmes will have a direct positive impact in reducing data breaches and mitigating the adverse consequences of data breaches when they do occur. Effective training will raise awareness of threats to information security in the business, how to report incidents, and how to play a role in responding to incidents and data breaches. This, in turn, mitigates and reduces the loss and liability arising from data breaches.
The absence of effective training is a common criticism in investigation reports of regulators in respect of serious data breaches. This highlights that effective cybersecurity training is an expected standard for businesses. The absence of an effective training programme will be and adverse and aggravating factor in regulatory investigations and proceedings when a data breach occurs.
Who should be trained
Anybody who participates in the conduct of the business needs to be trained in respect of security threats that that business. Training should be customized to the role and function of the people being trained so that the training is relevant and relatable. Even people who do not have regular or any access to IT systems should receive a degree of training, though the content would be tailored to physical security or other measures relevant to their specific role. Training may not be limited to just employees and can include contractors, suppliers and other persons who have access to the business premises or IT systems.
Training should emphasise the role each person plays in maintaining the confidentiality, integrity and availability of data and information of the business. The training should help people identify threats to information security, and the actions to take if they identify threats or incidents.
When training should be conducted
Training should be timed in different ways to add variety to the training programme. This can comprise:
Induction: Cybersecurity training should be a key component of an induction programme. This will help to inculcate good practices from the outset and reduce the chance of bad habits forming at the outset.
Scheduled: Certain core topics should be addressed at frequent and periodic intervals. This acts as a consistent reminder of common and persistent threats to information security. Repeat training on phishing attacks are a good example of this.
On demand: Certain training should be made available on an “always available, on demand” basis. This allows busy persons to catch up on relevant training topics and material at a time of their choosing.
Just in time: Certain training can be provided on a “just-in-time” basis. This can arise where the training is given directly in conjunction with a specific process that requires that training or at a particular period when that threat is at its highest. For instance, cybersecurity training coming into a Christmas holiday period is an example of providing training to coincide with a period of heightened cybersecurity risk.
Surprise: Training can be most effective when it is delivered at an unexpected time. This will highlight the real level of awareness of people in respect of the subject matter. For instance, a simulated phishing attack will produce results of how people responded to that phishing attack, and will provide authentic data and actions based on people’s response.
The trap to avoid is to rigorously adhere to an annual calendar that requires participants to acquire a certain number of training hours within that period. This inevitably leads to an absence of training for much of the year, and a rush to acquire training credits in the twilight of that period. The quality of training, and level of learning, inevitably suffers.
Forms of training
The form and method of delivery of training should be varied. Some styles include:
Lecture: This is a traditional lecture format, in which the trainer delivers the content directly to those being trained. This can be delivered in a real-world or online environment. Presentation aids such as a slide deck, participant questionnaires, or polls can be used. This traditional style demands more focus and endurance by the participant to remain engaged and acquire the learning points. It may be useful at an introductory level, or as a master presentation on a topic for future reference.
Seminar: This is a more interactive format, in which the training topic is explored in a smaller group setting. Typically, a Socratic style of delivery is adopted in which the trainer directly asks questions of the participants, or breaks the group into smaller working groups on tasks or problem-solving relating to the topic. This is an effective method for encouraging self-learning through task performance or problem-solving.
Round table: In this format, the trainer leads a discussion among the participants to explore the training subject. This is an effective method where the desired objective is to share experiences and glean new insights from those experiences. It is often used between persons who work in different departments or functions, but who share common issues. It can also be very effective among senior executives.
Table top simulations: In this format, the trainer will lead a small cross-functional group through the different stages of a simulated incident. The purpose of the exercise is to assess the knowledge and readiness of the participants in the context of an actual incident, and identify areas of weakness in their response. It is especially effective in training incident response teams.
Awareness programmes are very important in embedding a culture of security in an organisation. Awareness is different to training. Training is directional and focused on specific learning on specific topics. Awareness is using people’s surroundings and attracting their attention so that they are aware of the importance and relevance of information security in the organisation. This can be done through campaigns, multimedia messages, reminders, and any number of creative or innovative activities.
The key ingredients for success in awareness programmes are variety and surprise. Once a poster has been on a wall in a pantry for a period of time, it seems to become part of the wall and almost invisible. The awareness programme should have that surprise and fun element that brings information security to the top of mind at that particular moment.
The key ingredients in an effective training programme in respect of cybersecurity and the data breach response are:
Senior management support: The training programme must be approved and supported by senior management. It sends a powerful signal of the importance of training when a senior executive – ideally the CEO – actively participates in a training programme and consistently emphasizes the importance of cybersecurity training in his messages. Senior management support also means budget support.
Organisational involvement: A training programme is not a matter for just the training department. A core objective of training is relevance. This requires active involvement on a cross-department, cross-function basis. This is critical in the planning stage, as this is when the training objective is customized to the particular needs of specific participants.
Measuring effectiveness: Training is not just about showing up; it is about learning actionable lessons. The training programme should include ways of assessing and measuring whether the training objectives have been achieved. This could be measured by assessment tools such as questionnaires and feedback forms, or more sophisticated attention tools for an online environment.
Vegetables. We know we need them. But, well, they are not always palatable. Training can be like that. Training is necessary. It is impossible to respond effectively to a data breach, unless there has been some training on how to do so. Training is a necessary and vital ingredient in the data breach response.
The key to effective training is to provide variety and relevance to the training. This requires creativity, planning and execution skills. But with organisational support and involvement, training in cybersecurity and data breach response can be crisp and vibrant, not overcooked or reheated.
4. Information Security Certifications
In every corner of the business world, people measure performance to benchmarks and standards. Information security is no different. Certification for recognised information security standards supports an effective response to data breaches.
The reasons why
All businesses aspire to following the core targets of information security, namely to maintain:
Confidentiality, and prevent unauthorized disclosure of information;
Integrity, and prevent unauthorized change or deletion of data; and
Availability, and maintain accessibility of data to authorized users.
This is a nice statement in mission statements and policies, but the path to accomplishing this target is complex. Industry standards provide a management and operational framework to design, implement and improve protocols, processes and procedures to achieve information security. Certification of having achieved the required standard is a badge of quality that gives reassurance to others in respect of standards of information security. This has a positive benefit to all stakeholders in your business – customers, suppliers, employees, and even regulators.
Information security certification is also a mitigating factor in the context of investigation by regulators after a data breach has occurred. This demonstrates that the business had shown proper forethought and planning, and had taken reasonable measures to adopt and follow industry guidelines on information security. Additionally, the framework and processes of industry standards assist in the data breach response itself. Proper processes will involve proper monitoring systems, which will provide accurate, timely information that helps with the incident response, triage and assessment.
The two key international standard setting bodies for information security are ISO and IEC. ISO stands for International Organisation for Standardisation, an independent, non-governmental international organization with a membership of 165 national standards bodies covering most aspects of manufacturing and technology. IEC stands for International Electrotechnical Commission, a global, not-for-profit membership organization that develops standards for energy infrastructure, and electrical and electronic products.
Certification is conducted by reputable trade bodies that assess the systems and processes of a business against those standards. So a business would not be ISO certified; rather, a business would be certified to ISO standards.
ISO/IEC 27000 series
The ISO/IEC 27000 series is a series of international standards for information security. The most common industry standard for information security in Asia is the ISO/IEC 27001. The purpose of ISO/IEC 27001 is to outline how to put in place, maintain and improve an information security management system. It also includes information security risk assessment and response frameworks. The requirements are generic and apply to all organizations of any size or type.
Other relevant standards in the ISO/IEC 27000 series include:
ISO/IEC 27002, which has a stronger focus on security controls, rather than general frameworks.
ISO/IEC 27035, which focusses on security incident management.
ISO/IEC 27701, which focusses on management systems and processes for personal identifiable information.
Information security controls
Controls are the granular means of implementing information security management systems. Information security controls will be categorized according to type or objective. The common classifications for types of control are:
Physical: Security controls that relate to the physical environment in which information and data are stored. An example is physical security controls for access to premises or other locations containing information and data.
Administrative: Security controls that relate to policies and practices. An example is a business’ policy in respect of incident response or information security training.
Technical: Security controls that relate to software processes. An example is an IT security policy and process governing administrator and user authentication and access controls.
The common classifications for the objectives of information security controls are:
Preventative: Controls directed at preventing an incident. An example is controls in respect of password management.
Detective: Controls directed at identifying and assessing an incident. An example is controls in respect of monitoring and logging of incidents.
Corrective: Controls directed at mitigating the effects of an incident. An example is a business continuity plan.
Effective information security controls in service to a properly implemented and maintained information security management system, provide a strong foundation for an effective data breach response.
The success of a data breach response fundamentally depends on the preparation and readiness of the business for handling a data breach. If a business has not given forethought to a data breach response, then its response will be an afterthought, and that form of hindsight will be punished. Information security certification to ISO/IEC or equivalent standards is the benchmark for readiness in this regard. Certification is an essential element in respect of mitigating your responsibility and liability for data breach. Gaining and maintaining certification are a key part of your approach to data breach response.
5. The Continuous Improvement Cycle
Ever tried? Ever failed? No matter. Try again. Fail again. Fail better. So said Samuel Beckett. And quite pertinent in the context of data breaches. In a world where a data breach is almost inevitable, learning from past failures and continuously improving is the key to mitigating data breach risks in future.
Culture of continuous improvement
The culture of continuous improvement is imperative to the success of your business. Despite operating carefully designed information security and data protection systems and adhering to information security and data protection policies, data breaches are likely to occur to every business at some stage. The key performance differentiator for your business will be how your organisation reacts to a data breach and improves after the incident.
Capture, configure, communicate
These three elements – capture, configure, communicate – focus upon a system that can help your organisation acquire information, build institutional knowledge, and assimilate learning points into operational systems.
Capture: This means the adoption of a reliable system that can immediately capture important incidents and information for future analysis and review. All incidents should be at least logged, and the log should contain essential information for future analysis.
Configure: Logged information should be regularly reviewed and configured in order of priority. This supports task allocation in respect of remedial efforts, response and planning.
Communicate: Communication goes vertically and horizontally – throughout a team and across the different teams and departments of your organisation. The people of an organisation are the first line of defence and the best weapon against information security threats. The capability and impact of a single person is limited when measured against the scale of current cybersecurity threats. Building institutional memory means that the memory must be stored and accessible by the people in the organization at any time and whoever they may be. Succession planning is built into the improvement cycle for the organization.
This allows the brains of many (not the will of one) to work together and align to a common goal of information security.
There are three elements in a continuous improvement cycle.
First, there must be a consistent monitoring system in place to improve internal processes. There should be consistent testing, assessment and analysis of policies and procedures, and their implementation; all focused on finding and resolving stress points and weaknesses so that the information security is robust, resilient and reliable. Although monitoring should be consistent, it should not only comprise routine, regular assessments. Spot checks, external penetration tests, and ad hoc assessments are all important means.
Combine monitoring processes with feedback analysis and evaluation. The intention is to create a virtuous feedback loop. Testing and analysis provide feedback from which lessons are learned, from which improvements are documented and made, which lead to renewed testing and analysis, and so on as matters continuously progress and improve.
Second, there must be a programme of learning that is focused on the external environment. Otherwise, there is a risk that information security will be insular and will calcify. Relevant persons in the incident response team should gain relevant industry certifications in information security and attend the continuous learning and development programmes needed to maintain those certifications. This will connect those persons with peers in similar businesses. This is important as it increases the opportunities to learn from the experience of others and brings external knowledge and know-how into your business and organisation.
Third, there must be a programme for incident reports and analysis. This incident driven analysis will give specific intelligence about improvements that are necessary. Incident analysis is not just about the narrow fix to a single incident. It is about finding root causes of deeper problems or patterns that might suggest a more systemic risk. This involves a form of incident analysis that correlates to previous incidents and identified trends that need investigation and attention.
Data breach response
A serious data breach may provide potentially transformative information that can help to improve the information security of a business in future. This is why a data breach response is not complete until there has been a rigorous post-mortem of the data breach and the effectiveness of the response to it. Critical self-examination is necessary, and tough questions must be answered. What worked well? What did not? Where are the areas for improvement? These points of learning must then be captured, configured and communicated across the team and must become part of the continuous improvement cycle for data breach responses.
Data breaches are almost inevitable. So there will always be a degree of failure in the resilience of any information security system. Adopting a continuous improvement management system will reduce errors and their impact. A business may fail better, but only if it learns from each diminishing failure.
6. The First 24 Hours
A data breach can be a crisis, but if you have a plan for the first 24 hour response, you can avoid making a drama out of a crisis. Immediate steps are needed to effectively navigate the first 24 hours after a data breach has been reported.
Activate the incident response team
The first inkling that a data breach has occurred is when an incident is notified. If the right systems are in place, all persons should be empowered to notify when an event does not follow security protocols or processes, and gives rise to a risk of exposure of data or unauthorized access to data. Also, it should be clear to whom that notice should be given, and what information should be available and given.
The next immediate step is to activate the core members of the incident response team to assess the incident and make preliminary judgements on the action and response needed. This assumes that there is an incident response team, and the incident response plan clearly identifies the core team members that must be actively involved from the outset. Also, the contact details and means of contact for those core team members should be readily available.
If the initial assessment of the incident response team is that a serious incident or even data breach has occurred, then immediate thought should be given to engaging external legal counsel. A key recommendation for all incident response plans is that external legal counsel should be designated for incident response legal advice, and all conflict and onboarding procedures for that law firm should be cleared before an incident occurs. Assuming that recommendation has been followed, external legal counsel will be able to respond swiftly. Communications involving external legal counsel for the purpose of legal advice will be benefit from legal professional privilege. This helps to manage legal liability.
The initial assessment
Once the incident response team has been activated, the assessment of the incident can be started in earnest. The assessment steps are:
Assess the incident: The purpose of assessing the incident is to ensure the response to the incident is proportionate. A business should not underestimate the response to a serious incident, nor deliver a sledgehammer response to a relatively minor incident. The key ingredient to this immediate assessment is to be able to readily obtain accurate information.
Identify the cause: An immediate need is to confirm whether the incident or breach is continuing. The primary objective is to ensure that the IT systems are secured. This means that the cause of the incident must be identified as soon as possible, and all steps or factors giving rise to the incident must be removed. Then, immediate steps must be taken to mitigate any exposure or loss of data.
Assess the data: If data has been exposed or lost in the incident, then the initial assessment should seek to identify the nature of the data involved, whether personal data is affected, and if so, the sensitivity of that personal data. The initial assessment will also try to gauge the volume of data affected, and the geographies involved in the affected data storage or loss.
Start the data breach response
Once an initial assessment has been conducted, then it is time to make the first proactive response. These responses will be directed towards achieving the following objectives:
Minimise harm: The primary objective of a data breach response is to minimise the harm caused by the loss of data and the data breach to data subjects in the first instance, and then the business. Any action or response after the initial assessment should be directed towards achieving this primary objective.
Compliance: As a minimum threshold, the data breach response must comply with minimum legal and compliance thresholds. Those requirements will not merely be requirements set out in privacy legislation, but may also exist in sector specific or consumer protection regulations.
Notifications: One of the major initial steps to take is to identify whether a data breach constitutes a notifiable data breach, and if so, to prepare and deliver the data breach notification with the required information within the stipulated timeframe. This notification is likely to frame the course of any subsequent regulatory investigation. Notification obligations are not limited to regulators. Other notifications also need to be considered – such as to data subjects, stock exchanges, or insurers.
Some key steps
Here is a high level summary of the critical steps to take immediately after a data breach.
Assess and contain
- Engage internal security and IT personnel, and consider engaging external technical experts, if monitoring of the IT system shows unusual activity.
- If a data breach is identified, activate a response team. The response team should include:
- Engage and involve external legal counsel from the start. In the course of its legal advice, external legal counsel may engage external technical experts, gather information about the breach and provide legal advice. This early involvement may help legal professional privilege to attach to confidential internal and external communications about the breach.
- Conduct an initial assessment to determine the severity of the breach and the response required. The initial assessment should cover:
- Take immediate action to contain the breach and minimise loss, working with external technical experts as needed. This may include:
- All information about the breach and the response should be documented and kept secure. This information will be important for internal review and as evidence in legal proceedings.
- In consultation with external legal counsel, alert internal financial functions and third parties making payments to your organisation of possible fraud attempts. Data other than financial data can be used to commit fraud (e.g. non-financial data such as emails could be used for socially engineered fraud).
- Consider contacting local and overseas law enforcement agencies if there is evidence of crime. If there has been unauthorised payments, external legal counsel in both the originating and receiving jurisdictions may be able to apply to court to freeze the proceeds.
Notification and announcement
- Take advice from external legal counsel on the mandatory and best practice notification requirements for data breaches in your jurisdiction as well as every jurisdiction in which your organisation is active. Foreign notification requirements may apply to your organisation if personal data of people residing in those jurisdictions is involved. Consult with local and overseas counsel to fulfil all notification requirements.
- Depending on the severity of the breach of the likelihood of harm to individuals whose data has been exposed, notify the individuals affected by the breach as soon as practicable. Consult external legal counsel to prepare the content of the notification. Notifications should include information on:
- Notification to affected individuals may not be always appropriate. For example, where there is a high degree of assurance that the data would not be accessed or disclosed (e.g. due to undertakings from trusted third parties, encryption, or successful remote wiping of data), the stress and anxiety likely to be caused by the notification may outweigh the benefit of the notification. Individual characteristics of the affected persons such as their vulnerability, age, and understanding should be considered. Consult external legal counsel.
- If your organisation maintains insurance covering cyber security incidents, consult external legal counsel and insurance brokers to make appropriate notifications to insurers under the policy.
- If your organisation is a regulated body, consult with external legal counsel on whether and how to notify the regulator of the data breach.
- Consider if a public or general announcement is appropriate, for public relations or similar business purposes. Consult with public relations consultants and external legal counsel on the content of any public or general announcement.
The first 24 hours after a data breach are critical. The response plan for this period will look to achieve three goals. First, activate the incident response team. Second, conduct an initial assessment and triage of the security incident. Third, take the first action steps to secure the IT systems, fix vulnerabilities, and consider notifications. These three steps are not necessarily in sequence, and much of the activity will overlap and converge. External legal counsel should be immediately and closely involved.
7. Preparing a Data Breach Notification
If a tree falls in the woods, but no-one sees or hears it, did it ever really happen? Tough question. Here’s another one. If a data breach occurs, but the data subject does not know of it, did it ever really happen? Data breach notification regimes exist to avoid this particular philosophical question. It is imperative for executives to understand what a notifiable personal data breach is, and how to comply with those notification obligations.
What is a notifiable personal data breach
A personal data breach is the unauthorised access, loss, use, processing, destruction, or alteration of personal data. Some aspects of this description may vary according to each jurisdiction, but this broadly captures the key elements of a personal data breach. It is broader than an intentional act such as hacking by a cybercriminal. Also, unauthorised access to personal data is a breach, even if no personal data was lost or destroyed in the breach. The key elements are the description of the event or its consequence, not its cause or the intention of the person that caused it.
Not all personal data breaches are notifiable to privacy regulators. In fact, in Hong Kong there is no statutory obligation to notify personal data breaches to the Privacy Commissioner as yet. This is expected to change once announced changes to the laws are implemented.
Notification is an obligation required under specific laws and regulations. The obligation to report is a legal question for which legal advice is needed. This must be assessed on a case-by-case basis.
A personal data breach must reach a threshold of harm before it becomes notifiable to a privacy regulator. So, a personal data breach should be notified if there is a material and real risk of harm to data subjects. The factors to take into account in this assessment include:
- the type, sensitivity and amount of personal data in the breach
- the security of the personal data involved
- the number of affected data subjects
- any special characteristics of the personal data breach, the data controller/user or the data subjects.
To whom should notification be given
The two key classes of persons to consider notifying are privacy regulators and the data subjects. Different considerations arise for each of them. In general, a lower threshold triggers the obligation to notify the privacy regulator. For instance, under GDPR in the EU, all personal data breaches must be notified to the competent authority, except if the breach is unlikely to result in a risk to the rights and freedoms of individuals. However, notification to data subjects is only required if the breach is likely to result in a high risk to the rights and freedoms of individuals. The threshold for the regulator is to notify when there is any risk – erring on the side of notification. The threshold for the data subject is to notify when there is a high risk.
This demonstrates a policy of encouraging notification to privacy regulators. This allows privacy regulators to be involved and provide guidance from an early stage when a personal data breach occurs. This also provides privacy regulators with more accurate information about the data breach landscape.
More humane concerns arise in respect of notifications to data subjects. Certain data subjects may be in a vulnerable situation (e.g. elderly or incapacitated), or maybe ill-equipped to gauge and understand the consequences of the personal data breach. Nonetheless, when the level of risk requires, the obligation to notify data subjects will be triggered.
Privacy regulators and data subjects are not the only categories of persons to whom a notification may be needed. Others include:
Sector-specific notifications: This is common in regulated sectors such as financial services or professional services. This may also arise in the healthcare and pharmaceutical industries.
Contractual obligations: There may be contractual obligations to notify other businesses. This will be the case for data processors, who are invariably under a contractual (and sometimes statutory) obligation to notify data breaches to its data controller/user. However, contractual obligations to notify personal data breaches also arise in a wide range of commercial contracts.
Insurance: If the business has taken out cybersecurity insurance, then there will be an obligation to notify the insurer as soon as practicable for the policy coverage to be triggered.
Risk mitigation notifications: An early assessment of the personal data involved in a personal data breach may make it prudent to notify other persons in order to mitigate the harm to data subjects and to minimise the potential loss or liability involved. An example of that might be notification to banks and credit card issuers to mitigate the risk of credit card fraud.
The content of a personal data breach notification must meet the minimum requirement set out in the corresponding law for that notification. This is a matter for which legal advice is needed. The content of the data breach notification will form the basis on which subsequent inquiry and investigation will follow.
The content for a data breach notification to a privacy regulator will typically include:
- description of the data security incident
- cause of the personal data breach
- type and amount of personal data involved
- type and category of data subjects involved
- assessment of the likely consequences of the data breach and the risk of harm
- remedial action taken by the data user to mitigate the risk of harm
- action that data subjects should take
- name, title and full contact details of the person responsible for engaging with the privacy regulator
The content of a data breach notification to a data subject will contain slightly less detailed information, and will typically include:
- description of the likely consequences of the data breach
- description of the measures taken or proposed to be taken to address the breach, including mitigation for adverse consequences
- name, title and full contact details of the person responsible for engaging with data users
The content of data breach notifications to data subjects must be written in plain and simple terms.
The general obligation in respect of personal data breach notifications to privacy regulators is that the notification must be given without undue delay and as soon as practicable. Many jurisdictions impose specific timeframes. These must be checked in respect of each set of laws to ensure that notice is given within the prescribed period. For instance, if the relevant privacy regulator is a supervisory authority in the EU, then businesses must notify the relevant supervisory authority within 72 hours of becoming aware of the personal data breach. In Hong Kong, the proposed data breach notification regime will include an obligation to notify the Privacy Commissioner within five business days.
These aggressive notification timelines are intentionally set to help drive the adoption by businesses of proper cybersecurity systems, policies and procedures, and encourage ethical accountability in respect of information security. A business will not be able to adequately deliver the content needed in the notification unless it has systems that promptly deliver accurate and necessary information, and policies and procedures to outline how to respond swiftly when it learns of a personal data breach.
The often very short notification timeline again underlines the importance of engaging external legal counsel in advance of any notifiable personal data breach. This will ensure that external legal counsel will be ready to act immediately and to assist with the preparation of the personal data breach notification as soon as instructions are given. Otherwise, delays may arise by virtue of the normal client onboarding processes required by law firms (and all professional service providers).
Data breach notifications are a very serious part of the data breach response plan. On the one hand, the notice must meet a minimum legal compliance standard in most jurisdictions. However, the notification will set the tone for many other elements of the data breach response. It will foreshadow the nature of enquiry and investigation by regulatory bodies, and start the public-facing part of the data breach response. An ill-conceived, inaccurate or disproportionate notification of a personal data breach may result in more harm to data subjects, and increased liability and reputational damage to the business.
Data breach notifications form part of a communication strategy. One of the challenges in breach notifications is to ensure consistent, accurate and complete communication of information to all persons that need to be notified. This applies on a number of levels. Communications certainly have a legal component, particularly with regulators. However, the subject of communication management is broader than just regulatory reporting obligations. The engagement of public relations and communication consultants with experience in crisis communications is often a necessary, prudent and helpful step.
It is important to involve external legal counsel from the start. In the course of its legal advice, external legal counsel may engage external technical experts, gather information about the breach and provide legal advice. This early involvement may help legal professional privilege to attach to confidential internal and external communications about the personal data breach.
8. The Management Approach
A data breach can be a crisis, and crisis management is a true test of character and leadership. How should executive management approach and respond to a data breach? This is as much an ethical and philosophical question, as it is a legal question. The response will be a true reflection of corporate culture and citizenship.
Should executive management notify a security incident?
This is different to the legal question of whether a data breach response must be notified. If a data breach must be notified, then executive management should focus on ensuring that it meets its legal obligations, and that other notices to other affected parties are consistent and appropriate to those affected.
A security incident or data breach in the current digital age is almost inevitable at some stage; the only question is when. This is a blessing in disguise for executive management. It can plan and prepare for the corporate response to a serious business risk, knowing that the effort involved will not be wasted as the risk is almost certain to vest. That management response, with proper forethought and planning, can be fully aligned with the culture and values of the business.
The principles underlying the management response to a security incident or data breach should be based on principles of ethics, accountability and culture. Otherwise, any lesser response may compound and aggravate the fallout of the security incident or data breach. Customers and other stakeholders may forgive and remain loyal to a business that provides an open, accurate and prompt response. That standard of response demonstrates maturity, sensitivity and care.
Any serious security incident or data breach is unlikely to remain a secret. This may occur in any number of ways. The security incident may get worse and trigger notifications to regulators, stakeholders, suppliers or customers. An employee or other stakeholder may unwittingly or intentionally make a disclosure. There may be litigation, or an investigation or inquiry, in which the security incident is disclosed. Once a security incident becomes public, delay in notifying will be considered an unwillingness to notify. This will be harshly assessed in the court of public opinion.
In short, placing the primacy of the protection of data subjects at the heart of corporate policy demonstrates good culture, commendable corporate citizenship, and proper principles, values and ethics within a business.
Speed vs Accuracy
A business should aim to promptly notify persons affected by a security incident or data breach. This simple fact is highlighted by the very short timeframes required in many jurisdictions if a mandatory data breach notice must be given. That time frame can be as short as 72 hours under GDPR. The regulators clearly believe that speed is a primary concern in the management response, and notifying the regulator and (if applicable) data subjects as soon as possible is a key priority.
A significant delay in notifying a security incident or data breach may be perceived as a case of mistaken priorities when that notification is finally made. This is the case even if the longer timeframe is needed so the business can take all reasonable steps to gather reliable and accurate information for the notification. This is the tension between speed and accuracy.
Accuracy is also critically important. The trust of customers and stakeholders will be challenged if a series of notices serves to highlight contradictions or misleading information. For instance, it is damaging if a business issues a speedy notice of a data breach incident, but that hastily prepared notice does not mention a critical element such as that the personal data affected included credit card information. Another common error is to underestimate the scale and impact of the security incident. Any benefit from prompt notice will be lost if that notice was misleading and did not give stakeholders the information they needed to respond appropriately.
Management needs to respond quickly and accurately. Management can achieve these objectives by:
- putting in place the systems, processes and procedures that will deliver accurate and timely information when a security incident occurs.
- preparing, reviewing and updating an incident response plan that fully outlines how a security incident should be identified and notified to the incident response team.
- conducting training to train management and the incident response team how to respond when a security incident occurs.
Preparation is key. If proper systems, processes and procedures are in place, then that should deliver the key information needed when a security incident occurs. This information includes:
- description of the security incident
- cause of the security incident
- type and amount of data involved
- type and category of data subjects (if personal data is involved)
- locations and geographies involved
- assessment of the likely consequences of the security incident and the risk of harm
The quality of available information will directly affect the speed and timeliness of the notification and announcement. If executive management has organised the information security of its business properly, then it should be confident to make an assessment based on substantially correct information within 24 hours of the security incident coming to light. That assessment can be subject to the sensible caveat that it is based on present information that might change.
There is an apparent tension between speed and accuracy. In practice, this is not the case. Effective executive management planning dissipates any tension and fulfils the twin objectives of being both fast and accurate.
Transparency vs Liability
Is it possible for management to be open and transparent, without making admissions that increase legal liability? Say too much publicly, and this information may lead to higher regulatory fines or damages in civil litigation. Say too little, and be perceived as being guarded and hidden, and insensitive to the interests of affected parties. This is another tension at the heart of the management response to a security incident or data breach.
Executive management needs to have a clear policy on how they approach this issue. A lawyer can advise on how to minimise legal liability. Usually, transparency and accountability are positive factors that are taken into account to mitigate the level of fines or other punishments in legal proceedings or regulatory investigations. However, fines and damages are not the only potential losses. The business issues are broader. Each business must also consider and weigh the other business costs in managing the fallout of a security incident or data breach. These could include lost revenue from departing customers, complications in manufacture and supply from departing suppliers, and lost opportunities in strategic partnerships or collaborations.
This is a complex and difficult balancing exercise. Management must consult its legal advisers, but the issues are broader than legal issues alone. This is where business culture and corporate values come to the fore.
The management of the response to a security incident or data breach is difficult and complex. It requires management to weigh and assess a broad range of factors. Any misjudgement in the moment can have enduring adverse consequences. Many of the judgements involved are value judgements. Effective management response will only follow if the business has clear values embedded in its systems, processes, procedure and people.
No management response to a security incident or data breach will be perfect. The business will be ahead of the curve if its incident response team is fully engaged and supported by accurate, timely information to support its operations. This allows the incident response team to give actionable, reliable information and guidance to management. This empowers management to execute a response to the security incident or data breach that is aligned to its corporate values.
Crisis management is a true test of character and leadership. Management is planning and process to support progress. The advantage for management is that a security incident or data breach is practically inevitable. Effective management will put in place planning and process now, so that the management of a data breach crisis can be a testament to the character and integrity of the business.
9. Role of the Legal Team
Lawyers play a critical role in the response to a data breach. Lawyers include the in-house legal team, and external counsel. One critical element of their role it to preserve legal professional privilege in the conduct of a data breach response.
The internal legal team
The basic role of the internal legal team is to advise and act on all legal issues and matters arising from the data breach.
The legal team will be directly involved in securing information to make an assessment of the legal position. They will seek to identify and secure information in respect of:
- the type of data involved;
- the location of the data;
- the volume of the data;
- the sensitivity of the data; and
- other critical information in respect of the scale and extent of the data breach.
Once the facts have been established, then the legal team will consider and provide advice in respect of legal obligations and the management of legal risks. This will involve a regulatory analysis. It may be necessary to give notification of the data breach to regulatory or supervisory bodies, or to the data subjects. The internal legal team will also review contractual obligations. Frequently, the commercial contracts of the business will contain notification obligations or other potential liability in respect of a data breach or a serious security incident.
Initially, the legal team will be primarily concerned with establishing the baseline for compliance with legal obligations. Once that has been assessed, the legal team will also consider strategic advice in which a range of possible actions are considered in the context of the legal consequences that might arise if that course of action is pursued.
The legal team will make sure that there are clear directions and steps taken to secure and preserve evidence gathered in the course of an investigation of a data breach. This will include establishing a chain of evidence and custody in respect of any internal enquiry into the cause and consequence of the data breach. This is essential, as the quality of evidence may become a substantive issue in any regulatory or legal proceedings arising from the data breach.
The legal team will also engage external legal counsel at the outset. This is important to ensure that legal professional privilege is maintained in respect of material documents and communications in the course of the investigation of the data breach.
The internal legal team and external counsel play complementary but contrasting roles in the data breach response.
The internal legal team knows the DNA of the organisation. The internal legal team will know how to get things done, and will have the internal executive mandate to direct particular actions. The internal legal team is the driving force for legal issues that need to be addressed within the company.
External counsel, on the other hand, are like the conductors of an orchestra. The role of external counsel is to make sure all incident response team members are aligned and working in harmony on matter of legal importance.
The selection of external legal counsel will be a key factor to the effective management of the data breach response. The key factors are:
Rapport: You will wish to engage legal counsel that is familiar with your business and industry. This may not necessarily be your “business as usual” counsel, as a data breach is not a “business as usual” event. However, it will be legal counsel whom you are familiar with, know can handle data breach matters and with whom you can work effectively.
Experience: You will wish to engage legal counsel who has direct relevant experience in handling data breach matters. This should be a core part of the credentials that are provided. A data breach is a crisis event, and not an occasion for learning on the job. Also, prior experience in dealing with regulators will be relevant.
Capability: You will wish to engage legal counsel that knows how to navigate and manage the international aspects of a data breach. Notifications and remedial measures may be needed in a number of jurisdictions. You will want legal counsel that has relationships with lawyers in multiple locations – whether through its network of contacts at other law firms or other offices of the same law firm – to respond rapidly to those international dimensions.
Legal professional privilege
There are two forms of legal professional privilege.
Legal advice privilege applies to all communications between a solicitor or a lawyer and his client for which the giving of legal advice is the dominant purpose of the communication in question. In appropriate circumstances, privilege can apply to a chain of communication even if legal advice was not necessarily given in each communication in that chain.
Litigation privilege applies to advice or support that is given in contemplation of or for the dominant purpose of defending or bringing legal proceedings.
Legal professional privilege preserves the confidentiality of communications and documents that are obtained in the course, or created in the course, of an investigation into a data breach incident. This allows a complete assessment, and candid advice to be given. This candour is essential for a business so that it can receive clear advice on necessary action, and strategic advice on possible options. None of this would be possible if the confidentiality of those communications was in doubt.
Rapid legal response
The selection of external legal counsel should occur before a data breach occurs. It is part of incident response planning. The pre-engagement formalities should be cleared before an incident occurs. In modern legal work, it can take days (or longer if complications arise) for client onboarding to be completed. There are conflict checks, anti-money laundering checks, and administrative formalities to be attended to. This should be done in advance.
The external legal counsel that has been engaged in principle, should conduct a similar exercise in which the law firm has engaged other external professionals in principle and arranged for its onboarding processes to be completed. This is critical in respect of the engagement of technical experts, but also necessary for other professionals such as public relations advisers.
This allows a rapid response when a data breach occurs. The external response team should be primed for the engagement. The external legal counsel should be able to confirm its ability to act swiftly, and directly engage the technical experts almost simultaneously. This will allow for immediate sharing of information and preliminary advice to be given in closed communications governed by external legal counsel, all protected by legal professional privilege. An added benefit is that prior planning of this nature will provide an opportunity to benefit from training, including simulating a data breach and the team’s response.
The role of the legal team is critical in an effective data breach response. The internal legal team will drive many of the actions needed to gather, secure and analyse the data breach, and giving ongoing legal advice to issues as they arise. Experienced external legal counsel will quarterback the overall legal work involved, and co-ordinate, manage and advise other external parties involved in the incident response team. The engagement of external legal counsel before an incident occurs allows the external legal counsel to respond quickly, and mobilise the rest of the external team, under the protection of legal professional privilege. This is the secret sauce of managing legal risks in the data breach response.
10. Managing Regulatory Enquiries
A letter arrives from the Privacy Commissioner. There are awkward questions. Well, settle in for the long haul. You are now at the start of an inquiry. Here are ten tips to help you to respond to a regulatory inquiry on a data breach.
Tip #1: React
The worst thing to do when a business receives an enquiry letter from a regulator is to do nothing. An enquiry letter is the first step in a process that may lead to a formal inquiry. A prompt response – even if only an acknowledgement – creates a favourable impression. This may seem a simple step. However, a regulator may not know at the outset how to identify the correct person to address its enquiries. The letter may not be addressed to a named person, or may be address generally to the “Board of Directors”. Unless there has been proper forethought, a business may not know it has received the letter or communication in the first place. So, a business must ensure it has a process, reinforced with training, so that official letters find their way from the metaphorical or actual mailroom to the desk or inbox of the correct responsible person. This internal delivery must happen promptly. The manner in which this delivery occurs must also ensure that the correct level of priority is attached to the communication. The process must be designed to ensure a prompt reaction to the first communication from the regulator. First impressions last.
Tip #2: Contact legal
Queries from a regulator are not idly made, and an enquiry letter is not routine correspondence. Make sure you immediately contact your legal team. This is an important legal matter. It is not something that can be dealt with by an operational team. It requires legal advice. So contact your legal team – internal or external – immediately from the outset.
Tip #3: Preserve legal professional privilege
There’s a very particular and specific reason why engaging external legal counsel as soon as possible is imperative. If a business engages lawyers to take legal advice in contemplation of legal proceedings (such as a regulatory inquiry), then that advice will be subject to legal professional privilege.
This privilege can extend to communications with other persons that are engaged by the advising lawyers to assist in response to those inquiries. The response to a regulatory inquiry in respect of a data breach invariably requires assistance from technical experts. Legal professional privilege should extend to the communications with the technical expert to prepare those responses, provided the technical expert was engaged by the law firm for the purpose of assisting with the legal issues arising from the data breach.
These principles can apply to communications to other persons in the incident response team. Think of external legal counsel as the conductor of the orchestra. All must be directed to and controlled by him. If external legal counsel is more like a spectator in the audience, then the performance will not achieve a round of applause at the end.
Legal professional privilege is important as it provides the space and security for the incident response team to properly manage and respond to a regulatory enquiry based on informed legal advice.
Tip #4: Information management
An enquiry letter does not come out of the blue. The data breach has happened. You have information in relation to it. Review that information critically and carefully. Make sure that information, and all supporting documents and materials, are gathered, organised and arranged in a coherent way. Make sure that information, documents and materials are stored securely with limited and controlled rights of access. The objectives are to preserve the integrity of the evidence, and to arrange the evidence coherently for ease of analysis. This will help ensure that any response to the regulator is accurate, consistent and can be delivered in a timely manner.
Tip #5: Respond with care and clarity
An enquiry letter is just the opening salvo in what could become a lengthy process. The responses to initial enquiries may lead to further avenues of enquiries. This is sometimes inevitable. However, sometimes it is possible to avoid widening the scope of enquiry. Here are some basic principles:
- Answer the question that is asked. There is no need to explain more. If a question is sufficiently answered with a simple yes or no, then just deliver that response. A short, factual response is almost always the best response. Sometimes, there is a human desire to explain more. This usually results in providing information that is not the target of the question.
- Don’t make assumptions about the question that is asked. Don’t read more into the language than a plain reading of the language conveys. Don’t assume questions are following a specific line of attack. These assumptions can arise from your awareness of information and circumstances that the regulator does not (yet) know.
- Don’t make any admissions of fault or liability unless you have taken specific legal advice in respect of those admissions. Any assessment of fault or liability is for a later stage. An enquiry letter is the start of an inquiry, not its conclusion.
- Stick to the facts. Do not be tempted to make judgments or opinions. Also, keeping to the facts is the best means of ensuring that the responses do not unintentionally mislead.
- Carefully review (and review again) your responses and any supporting documents that you disclose. Those will soon be in the hands of a regulator that will rigorously and critically assess them.
Tip #6: Continue recovery and remediation
Move ahead with remedial action, and ensure there is no delay in that process arising from the inquiry. The inquiry is not a distraction. It is part of the process. This is one of the reasons why the technical team in the incident response is frequently insulated from other members of the incident response team. It ensures their proper focus remains on recovery, restoration and remediation.
Also, the steps taken in recovery and remedy will constitute good evidence of mitigation, even if an adverse finding is made in an inquiry. So, even if there have been breaches of data protection principles, fast and effective remedial action that prioritises the interests of data subjects will be a favourable factor regardless of the ultimate outcome.
Tip #7: Co-operate
It is important to provide prompt, professional responses that directly address the enquiries of the regulator and to exhibit an attitude of co-operation in that process. Avoid an unnecessarily adversarial approach; this is counter-productive. Co-operation does not mean admitting fault or volunteering answers to questions that have not been asked. It is simply an effective and efficient approach to dealing with the inquiry. A co-operative approach is likely to result in a favourable comment in the investigation report from the regulator. This will demonstrate positive corporate culture and ethical handling of the inquiry.
Tip #8: Understand the process
It is important to understand the powers of the regulator, and the normal course of the conduct of an inquiry. This helps to avoid creating issues or disputes in respect of procedure, and to respond reasonably to requests that are within the powers of the regulator.
Tip #9: Implement regulator recommendations and directions
If the regulator has completed an inquiry and issued an investigation report with directions, then it is essential that those directions are fully and effectively implemented within the prescribed timeline. The reasons are twofold. First, this shows good corporate citizenship. Remedial actions prescribed in an investigation report are constructive recommendations. They are a strong indication of what is the “right thing” to do. Following those directives may represent a virtue salvaged from a difficult situation. Second, failure to comply with directions may result in more severe consequences such as criminal offences and penalties including fines and imprisonment.
Tip #10: Review and learn
A data breach is inevitable in the current information age. Learning from each security incident helps to reduce the risk of the same security incident occurring again. Learning is not an ad hoc matter. The learning process must be operationalised. The learning process should focus not only on the data breach itself, but also the effectiveness of the response to it. The review of the response to the data breach must have as a critical element a review of the response to any regulatory inquiry. Any deficiencies should be identified, and practical changes should be made to the incident response plan. The objective is to learn and improve, and implement better systems to respond more effectively in future.
There it is. Ten tips to help you stay the course through the difficult waters of a regulatory inquiry to a data breach. Certainly not enough to cover all the issues that may arise – but food for thought.
A data breach is inevitable. This often triggers a regulatory investigation. The regulator in question may be the privacy regulator, or another regulated for the specific industry sector. In any event, responding effectively to an inquiry conducted by a regulator is a critical element of the data breach response. This is where experienced counsel and sage legal advice come to the fore.
11. Managing Liability Risk
The stakes are high after a data breach. There is a clear and present danger of legal liability. The primary role of the lawyer is to manage and mitigate liability. Senior management will focus on broader commercial issues. Legal advice will feed into that assessment, and senior management will need clear advice on the scale, variety and probability of liability.
For present purposes, we can divide potential liability into three broad categories.
Criminal liability may arise because the circumstances in respect of the data breach may have resulted in the commission of a criminal offence. This can arise, for instance, if there is a statutory cybersecurity framework that applies to the business. Criminal offences can also arise for contravening an enforcement notice from a privacy regulator, obstructing the proper exercise by a privacy regulator of his functions, or knowingly making false or misleading statements to the privacy regulator.
The consequences of criminal liability can be severe. The persons who commit the offence are responsible, and this can include directors of the company. The outcome can result in criminal fines and potentially imprisonment.
Most businesses will focus on administrative fining powers of regulators as a core concern. This is different to criminal liability. You don’t go to prison if a regulator imposes an administrative fine. However, many jurisdictions have either adopted or are considering introducing turnover based fining powers for privacy regulators. The most notable trailblazer in this regard is the General Data Protection Regulation adopted in the EU. Administrative fines for certain matters under GDPR can be as much as 4% of global turnover. The potential impact of a fine of that magnitude is breath-taking. There have been some very significant fines imposed for data breaches under GDPR. For instance, in 2019, Google Inc. was fined €50,000,000 by the French courts on the grounds of insufficient legal basis for data processing in that particular matter.
If a data breach has already occurred, then there may be some breaches of applicable laws that may, in any event, result in an administrative fine. In the data breach response, though, it may be possible to mitigate the extent of those fines. It is important to consider the factors the regulator will take into account when assessing the level of the administrative fine. A prompt notification of the data breach, and co-operative response to regulatory enquiries, can lead to positive comments in an investigation report, and perhaps to some mitigation of the level administrative fine imposed. Co-operation does not mean waiving legal professional privilege. It means proper, prompt and responsible conduct in the context of the investigation.
Another important mitigating factor in the assessment of administrative fines is the extent to which the business has adhered to adequate policies and procedures to secure personal data from unauthorised access, use or disclosure. A regulator will assess those policies and procedures both on paper and in practice. Key factors that will be assessed include:
- Have policies been communicated consistently and frequently to those who should know them?
- Has there been adequate training and incident preparation?
- Is the chain of responsibility in respect of information security adequately identified?
- Is there accountability at the board level?
- Has the business deployed adequate resources to support the policies and procedures in place?
- Has the incident response team responded quickly and effectively?
- Has the risk of harm to data subjects been promptly assessed and acted upon?
It will be difficult to achieve a positive outcome on an assessment of these factors unless there has been a systematic and consistent approach to information security before the data breach occurred.
Civil liability for data breaches can arise in a number of ways. Let’s focus on two – liability to a data subject for infringement of his individual rights, and liability to a contracting party.
A data subject may have an individual right under applicable data protection laws to bring civil claims for damages for his loss arising from the data breach. For instance, in Hong Kong, an individual can claim compensation from a data user if he has suffered damage (including injury to feelings) by reason of a contravention of statutory obligations by a data user which relates to his personal data. The challenge with claims of this nature is that it can be difficult to establish loss. The loss can be indirect or remote from the data breach itself. Consequently, the level of damages awarded per individual claim can be comparatively low. This acts as a disincentive to bringing claims.
Some jurisdictions have addressed this issue by prescribing the amount that is payable to an individual in respect of a data breach under an individual claim. Also, in some jurisdictions, the Courts may be amenable to class actions in which a group of plaintiffs in similar circumstances bring a claim together. Class actions may not be possible, or are procedurally difficult, in some jurisdictions – including Hong Kong. These approaches are intended to address the concern that there must be effective policing and enforcement of compliance with data protection laws to achieve good data management and protection practices in business. An active civil jurisdiction giving individual data subjects effective rights of action should be a key element required to achieve this objective.
Contractual liability may represent a more direct and impactful risk to a business. Commercial contracts frequently include covenants in respect of business continuity or data security. A data breach may have serious consequences to those contracting parties. There may be an inability to perform related contracts in the supply chain. There may be potential loss of business opportunity or business reputation of third parties arising from the data breach. A key priority for the legal team is to review contracts and assess the risk of claims for breach of contract arising from the data breach. The legal team will also need to assess other potential areas of legal risk, including the risk of claims arising under negligence.
The potential liabilities that may flow from a data breach are many, varied and complex. The mitigation of legal risk is the core and critical work of the legal team after a data breach. Inevitably, the business will need the help and support of experienced external legal counsel.
12. Cyber Insurance
Ask an insurance broker, and they will tell you that an insurer needs claims in order to survive. Ask an InfoSec expert, and they will tell you a data breach is inevitable. This is why cyber insurance has come of age. Cyber insurance as a critical part of a data breach response strategy.
Why do businesses take out insurance? It is all about risk management. A business may be able to exclude or limit liability by contract. Risk can be managed and mitigated by policy, process and training. Some risk can be absorbed as a cost of business. Certain risks, though, can be catastrophic and also have a reasonable probability of occurring. This is the sweet spot for insurance. Insurance is a form of risk transfer in which the financial responsibility for costs arising from certain risks is transferred from the business to the insurer in accordance with the policy.
Insurance responds to the business risk environment. 30 years ago, cyber insurance was not attractive. In the past five years, in particular, it is practically a business necessity. This is insurance responding to the cyber risk environment.
The scope of coverage under a cyber policy should be carefully reviewed. In general, the cover will include:
Direct loss: Cyber insurance will cover the direct loss that flows from a cybersecurity incident or data breach. This will include:
- Technical IT costs. These are the costs incurred in the forensic IT review and response to the data breach. Technical experts are typically engaged to identify the cause of the breach, restore the IT systems, and build more resilient systems. This is the most significant cost in a data breach response.
- Legal costs. This will typically include legal costs in respect of notification procedures, legal proceedings, and regulatory investigations.
- PR costs. This will include the costs of public relations firms to co-ordinate the communications in respect of the data breach.
- Hotline costs. Frequently, a hotline will be set up so that the business can respond directly to queries of data subjects or other people affected by the breach.
- Administrative fines. A data protection authority may impose an administrative fine in respect of a data breach, and cyber insurance will cover the amount of the administrative fine. Any cover for fines would be qualified by exclusions in respect of intentional, reckless or criminal acts.
Third-party risk: Cyber insurance can also cover loss suffered by the business arising from a security incident of another business. This is particularly relevant given the increasing number of supply chain data breaches.
Geographical cover: Data makes money when it moves. A business’ data will often be held in multiple locations, and the data subject or other affected persons may be in a number of places. The policy cover should include losses that arise in other places where you conduct business.
Insurance can be customised. Cyber insurance could cover more than this general summary. Each business should discuss its cyber insurance needs carefully with its broker.
All policies will contain exclusions from cover, which means that the policy will not pay out for those excluded matters. Common exclusions are:
Reputational loss: Data breaches can have a significant adverse consequence to the reputation of a business. For large publicly listed businesses, it may even be possible to measure the reputational loss that can be attributed to the data breach. However, normally, reputational loss is a subjective assessment that is inherently difficult to assess and is therefore excluded from cover under a cyber insurance policy.
Intentional, reckless or criminal acts: This is a common exclusion. A policy won’t cover loss, fines or penalties that arise from intentional, reckless or criminal acts.
There are other common exclusions, and these should be reviewed carefully.
Getting cyber insurance
A business should speak to its normal insurance broker if it wishes to review its cyber insurance coverage. The insurance broker will help the business to assess its needs, match those needs to the most suitable available policy in the market, and complete the assessment and application for insurance. The assessment for cyber insurance is rigorous and will include an assessment of current IT systems and information security policies. Other relevant factors will be the geographical coverage needed, size of the business, the number of employees, and claims history and track record.
Different pricing options may be possible according to the deductibles and coverage limits or sub-limits that are negotiated.
A data breach is inevitable. Resilient systems, good policies and procedure, and regular training are all necessary and all help to manage cyber risk. Still, even for businesses with good cyber hygiene, a data breach is inevitable.
The key advantage of cyber insurance is that the business does not have to suffer a substantial part of the financial loss arising from a data breach. That risk is transferred. The business can continue and survive, even after a catastrophic event.
Cyber insurance is not an optional extra. It is a core business need. No data breach response plan is complete without it.
 For example, see sections 50A and 50B, Personal Data (Privacy) Ordinance (Cap. 486) in Hong Kong.
 Though not yet in Hong Kong. The Privacy Commissioner in Hong Kong does not have administrative fining powers. This may change if announced legislative proposals are passed into law. See an article summarising the proposed changes here.
 A data user is the approximate equivalent in Hong Kong to a data controller under GDPR.
 c.f. section 66, Personal Data (Privacy) Ordinance (Cap. 486)