Data Breach Response: The first 24 hours

15 January 2021

A data breach can be a crisis, but if you have a plan for the first 24 hour response, you can avoid making a drama out of a crisis. In this article, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt explains what immediate steps are needed and how to navigate the first 24 hours after a data breach has been reported.

Activate the incident response team

The first indication that a data breach has occurred is usually an incident notification. If the right systems are in place, everyone in the organisation should be empowered to report an event that does not follow security protocols or processes and gives rise to a risk of data exposure or unauthorised access to data. It should also be clear to whom that report should be made, and what information should be collected and provided.

The next immediate step is to activate the core members of the incident response team to assess the incident and make preliminary judgements on the action and response needed. This assumes that there is an incident response team, and the incident response plan clearly identifies the core team members that must be actively involved from the outset. Also, the contact details and means of contact for those core team members should be readily available.

If the initial assessment of the incident response team is that a serious incident or even a data breach has occurred, then immediate thought should be given to engaging external legal counsel. A key recommendation for all incident response plans is that external legal counsel should be designated for incident response legal advice, and all conflict and onboarding procedures for that law firm should be cleared before an incident occurs. Assuming that recommendation has been followed, external legal counsel will be able to respond swiftly. Communications involving external legal counsel for the purpose of legal advice will benefit from legal professional privilege. This helps to manage legal liability.

The initial assessment

Once the incident response team has been activated, the assessment of the incident can be started in earnest. The assessment steps are:

Assess the incident: The purpose of assessing the incident is to ensure the response to the incident is proportionate. A business should not underestimate the response to a serious incident, nor deliver a sledgehammer response to a relatively minor incident. The key ingredient to this immediate assessment is to be able to readily obtain accurate information.

Identify the cause: An immediate need is to confirm whether the incident or breach is continuing. The primary objective is to ensure that the IT systems are secured. This means that the cause of the incident must be identified as soon as possible, and all steps or factors giving rise to the incident must be removed. Then, immediate steps must be taken to mitigate any exposure or loss of data.

Assess the data: If data has been exposed or lost in the incident, then the initial assessment should seek to identify the nature of the data involved, whether personal data is affected, and if so, the sensitivity of that personal data. The initial assessment will also try to gauge the volume of data affected, and the geographies involved in the affected data storage or loss.

Start the data breach response

Once an initial assessment has been conducted, then it is time to make the first proactive response. These responses will be directed towards achieving the following objectives:

Minimise harm: The primary objective of a data breach response is to minimise the harm caused by the loss of data and the data breach to data subjects in the first instance, and then the business. Any action or response after the initial assessment should be directed towards achieving this primary objective.

Compliance: At a minimum, the data breach response must meet all applicable legal and regulatory requirements. Those requirements will not merely be those set out in privacy legislation, but may also exist in sector-specific or consumer protection regulations.

Notifications: One of the major initial steps to take is to identify whether a data breach constitutes a notifiable data breach, and if so, to prepare and deliver the data breach notification with the required information within the stipulated timeframe. This notification is likely to frame the course of any subsequent regulatory investigation. Notification obligations are not limited to regulators. Other notifications also need to be considered – such as to data subjects, stock exchanges, or insurers.

Some key steps

Here is a high level summary of the critical steps to take immediately after a data breach.

Assess and contain

  1. Engage internal security and IT personnel, and consider engaging external technical experts, if monitoring of the IT system shows unusual activity.
     
  2. If a data breach is identified, activate a response team. The response team should include:
     
    1. an executive with decision-making authority;
       
    2. a team leader responsible for overall coordination;
       
    3. external legal counsel;
       
    4. internal security and IT personnel;
       
    5. external technical experts; and
       
    6. representatives from key functions including legal, human resources, customer relations, public relations, operations, and finances.
       
  3. Engage and involve external legal counsel from the start. In the course of its legal advice, external legal counsel may engage external technical experts, gather information about the breach and provide legal advice. This early involvement may help legal professional privilege to attach to confidential internal and external communications about the breach.
     
  4. Conduct an initial assessment to determine the severity of the breach and the response required. The initial assessment should cover:
     
    1. the nature of the data breach (e.g. unauthorised access to hardware, hacking, unauthorised disclosure of data, accidental loss);
       
    2. who caused the data breach (e.g. cyber criminals, employees, external service providers);
       
    3. the date and time of the data breach, and whether it is on-going;
       
    4. what data, and what categories and classes of data, are compromised;
       
    5. if there has been breach of personal data, how many people are affected, what categories or classes of persons are affected, who those affected persons are, and where they are located; and
       
    6. what are the likely consequential losses flowing from the data breach (e.g. unauthorised transactions resulting from the loss of payment credentials).
       
  5. Take immediate action to contain the breach and minimise loss, working with external technical experts as needed. This may include:
     
    1. isolate the affected systems to prevent further loss or unauthorised disclosure of data. If necessary, the affected systems may have to be disconnected or powered off with help from IT personnel;
       
    2. secure evidence of the data breach, including taking a dynamic copy of the affected systems, preserving system log files, physical workstations, and security footage of access to affected hardware;
       
    3. if account data is compromised, prevent secondary loss of data by changing log-in credentials;
       
    4. stop all practices that led to the data breach. This may involve temporary suspension of access to non-essential services until the cause of the breach can be ascertained;
       
    5. if an insider breach is suspected, suspend the suspected persons’ access to IT systems and hardware;
       
    6. if there has been unauthorised disclosure of data to the public, trace where the data is being disclosed. Immediately remove improper information from your organisation’s website. If data is exposed elsewhere on the internet, contact the owners of those websites to take down the data. Contact search engines such as Google to request removal of links to and cached versions of the data;
       
    7. if information has been disclosed to a third party who is likely to cooperate (e.g. someone with whom the organisation has pre-existing contractual arrangements, or a regulated body such as a bank or law firm), contact the third party to ascertain who has accessed the data, request that the data be permanently deleted, and seek an undertaking from those persons who have accessed the data that they will not further disclose it; and
       
    8. if the persons responsible for the data breach can be identified and located, consider legal proceedings to obtain injunctions to prevent further unauthorised access or disclosure of data, and to secure return of stolen funds or data.
       
  6. All information about the breach and the response should be documented and kept secure. This information will be important for internal review and as evidence in legal proceedings.
     
  7. In consultation with external legal counsel, alert internal financial functions and third parties making payments to your organisation of possible fraud attempts. Data other than financial data can be used to commit fraud (e.g. non-financial data such as emails could be used for socially engineered fraud).
     
  8. Consider contacting local and overseas law enforcement agencies if there is evidence of crime. If there have been unauthorised payments, external legal counsel in both the originating and receiving jurisdictions may be able to apply to court to freeze the proceeds.
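
As an added example (not from the article or from Tanner De Witt), a small POSIX shell helper for step 5.2 (secure evidence, preserve system log files) and step 6 (keep the record secure and usable as evidence): it copies the named log files into an evidence directory, writes a SHA-256 manifest and a timestamped custody note, makes the copies read-only, and can later verify that nothing has changed. It assumes a Linux host with coreutils (`sha256sum`); the log line at the end is constructed for the demonstration.

```shell
# preserve_evidence <evidence_dir> <file>...
# Copies each readable file into <evidence_dir>, hashes the stored copy into
# MANIFEST.sha256, appends a custody line (UTC time, user, host, sources) to
# CUSTODY.txt and then removes write permission from the whole directory.
# Note: files with the same basename would overwrite each other; give each
# host or source its own evidence directory.
preserve_evidence() {
    evdir="$1"; shift
    mkdir -p "$evdir" || return 1
    manifest="$evdir/MANIFEST.sha256"
    custody="$evdir/CUSTODY.txt"
    : > "$manifest"
    for f in "$@"; do
        [ -r "$f" ] || { echo "skip unreadable: $f" >&2; continue; }
        base=$(basename "$f")
        cp -p "$f" "$evdir/$base" || return 1
        # Hash the preserved copy, so the manifest matches what is stored.
        (cd "$evdir" && sha256sum "$base") >> "$manifest" || return 1
    done
    printf '%s collected by %s on %s from: %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$(uname -n)" "$*" >> "$custody"
    chmod -R a-w "$evdir"
}

# verify_evidence <evidence_dir>
# Re-computes every hash in the manifest; non-zero exit if any copy changed.
verify_evidence() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}

# Constructed sample log (not taken from any real system) to run end to end.
demo_dir=$(mktemp -d)
printf 'Jan 15 02:14:07 host sshd[1]: Failed password for root\n' > "$demo_dir/auth.log"
preserve_evidence "$demo_dir/evidence" "$demo_dir/auth.log"
verify_evidence "$demo_dir/evidence" && echo "evidence intact"
```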
     

Notification and announcement

  1. Take advice from external legal counsel on the mandatory and best practice notification requirements for data breaches in your jurisdiction as well as every jurisdiction in which your organisation is active. Foreign notification requirements may apply to your organisation if personal data of people residing in those jurisdictions is involved. Consult with local and overseas counsel to fulfil all notification requirements.
     
  2. Depending on the severity of the breach and the likelihood of harm to individuals whose data has been exposed, notify the individuals affected by the breach as soon as practicable. Consult external legal counsel to prepare the content of the notification. Notifications should include information on:
     
    1. how and when the data breach took place;
       
    2. the types of personal data exposed;
       
    3. what the organisation has done to contain the data breach and prevent harm to those individuals;
       
    4. actions the affected individuals can take to prevent harm (e.g. change log-in passwords, examine their credit card statements for unauthorised transactions etc.);
       
    5. contact details of the organisation.
       
  3. Notification to affected individuals may not always be appropriate. For example, where there is a high degree of assurance that the data will not be accessed or disclosed (e.g. due to undertakings from trusted third parties, encryption, or successful remote wiping of data), the stress and anxiety likely to be caused by the notification may outweigh its benefit. Individual characteristics of the affected persons, such as their vulnerability, age, and understanding, should be considered. Consult external legal counsel.
     
  4. If your organisation maintains insurance covering cyber security incidents, consult external legal counsel and insurance brokers to make appropriate notifications to insurers under the policy.
     
  5. If your organisation is a regulated body, consult with external legal counsel on whether and how to notify the regulator of the data breach.
     
  6. Consider if a public or general announcement is appropriate, for public relations or similar business purposes. Consult with public relations consultants and external legal counsel on the content of any public or general announcement.

Closing thoughts

The first 24 hours after a data breach are critical. The response plan for this period will look to achieve three goals. First, activate the incident response team. Second, conduct an initial assessment and triage of the security incident. Third, take the first action steps to secure the IT systems, fix vulnerabilities, and consider notifications. These three steps are not necessarily in sequence, and much of the activity will overlap and converge. External legal counsel should be immediately and closely involved, and we, at Tanner De Witt, have substantial experience in providing strategic legal advice in this emergency and crisis response. We are here to help.

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Edmond Leung
Partner | E-mail

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.