Data Breach Response: The management response

10 Feb 2021

A data breach can be a crisis, and crisis management is a true test of character and leadership. In this article, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt looks at how executive management should approach and respond to a data breach, and highlights that the response will be a true reflection of corporate culture and citizenship.

Should executive management notify a security incident?

This is different to the legal question of whether a data breach must be notified. If a data breach must be notified, then executive management should focus on ensuring that it meets its legal obligations, and that other notices to other affected parties are consistent and appropriate to those affected.

A security incident or data breach in the current digital age is almost inevitable at some stage; the only question is when. This is a blessing in disguise for executive management. It can plan and prepare for the corporate response to a serious business risk, knowing that the effort involved will not be wasted as the risk is almost certain to vest. That management response, with proper forethought and planning, can be fully aligned with the culture and values of the business.

The management response to a security incident or data breach should be based on principles of ethics, accountability and culture. Any lesser response may compound and aggravate the fallout of the security incident or data breach. Customers and other stakeholders may forgive and remain loyal to a business that provides an open, accurate and prompt response. That standard of response demonstrates maturity, sensitivity and care.

Any serious security incident or data breach is unlikely to remain a secret. Disclosure may occur in any number of ways. The security incident may get worse and trigger notifications to regulators, stakeholders, suppliers or customers. An employee or other stakeholder may unwittingly or intentionally make a disclosure. There may be litigation, or an investigation or inquiry, in which the security incident is disclosed. Once a security incident becomes public, delay in notifying will be considered an unwillingness to notify. This will be harshly assessed in the court of public opinion.

In short, placing the primacy of the protection of data subjects at the heart of corporate policy demonstrates good culture, commendable corporate citizenship, and proper principles, values and ethics within a business.

Speed vs Accuracy

A business should aim to promptly notify persons affected by a security incident or data breach. This simple fact is highlighted by the very short timeframes required in many jurisdictions if a mandatory data breach notice must be given. That timeframe can be as short as 72 hours under GDPR. The regulators clearly believe that speed is a primary concern in the management response, and notifying the regulator and (if applicable) data subjects as soon as possible is a key priority.

A significant delay in notifying a security incident or data breach may be perceived as a case of mistaken priorities when that notification is finally made. This is the case even if the longer timeframe is needed so the business can take all reasonable steps to gather reliable and accurate information for the notification. This is the tension between speed and accuracy.

Accuracy is critically important. The trust of customers and stakeholders will be challenged if a series of notices serves to highlight contradictions or misleading information. For instance, it is damaging if a business issues a speedy notice of a data breach incident that does not mention that the personal data affected included credit card information. Another common error is to underestimate the scale and impact of the security incident. Any benefit from prompt notice will be lost if that notice was misleading and did not give stakeholders the information they needed to respond appropriately.

Management needs to respond quickly and accurately. Management can achieve these objectives by:

  • putting in place the systems, processes and procedures that will deliver accurate and timely information when a security incident occurs;
  • preparing, reviewing and updating an incident response plan that fully outlines how a security incident should be identified and notified to the incident response team; and
  • conducting training so that management and the incident response team know how to respond when a security incident occurs.

Preparation is key. If proper systems, processes and procedures are in place, then that should deliver the key information needed when a security incident occurs. This information includes:

  • description of the security incident
  • cause of the security incident
  • type and amount of data involved
  • type and category of data subjects (if personal data is involved)
  • locations and geographies involved
  • assessment of the likely consequences of the security incident and the risk of harm

The quality of available information will directly affect the speed and timeliness of the notification and announcement. If executive management has organised the information security of its business properly, then it should be confident to make an assessment based on substantially correct information within 24 hours of the security incident coming to light. That assessment can be subject to the sensible caveat that it is based on present information that might change.

There is an apparent tension between speed and accuracy. In practice, this is not the case. Effective executive management planning dissipates any tension and fulfils the twin objectives of being both fast and accurate.

Transparency vs Liability

Is it possible for management to be open and transparent, without making admissions that increase legal liability? Say too much publicly, and this information may lead to higher regulatory fines or damages in civil litigation. Say too little, and the business may be perceived as hiding information and as insensitive to the interests of affected parties. This is another tension at the heart of the management response to a security incident or data breach.

Executive management needs to have a clear policy on how it approaches this issue. A lawyer can advise on how to minimise legal liability. Usually, transparency and accountability are positive factors that are taken into account to mitigate the level of fines or other punishments in legal proceedings or regulatory investigations. However, fines and damages are not the only potential losses. The business issues are broader. Each business must also consider and weigh the other business costs in managing the fallout of a security incident or data breach. These could include lost revenue from departing customers, complications in manufacture and supply from departing suppliers, and lost opportunities in strategic partnerships or collaborations.

This is a complex and difficult balancing exercise. Management must consult its legal advisers, but the issues are broader than legal issues alone. This is where business culture and corporate values come to the fore.

Closing thoughts

The management of the response to a security incident or data breach is difficult and complex. It requires management to weigh and assess a broad range of factors. Any misjudgement in the moment can have enduring adverse consequences. Many of the judgements involved are value judgements. Effective management response will only follow if the business has clear values embedded in its systems, processes, procedures and people.

No management response to a security incident or data breach will be perfect. The business will be ahead of the curve if its incident response team is fully engaged and its operations are supported by accurate, timely information. This allows the incident response team to give actionable, reliable information and guidance to management. This empowers management to execute a response to the security incident or data breach that is aligned to its corporate values.

Crisis management is a true test of character and leadership. Management is planning and process to support progress. The advantage for management is that a security incident or data breach is practically inevitable. Effective management will put in place planning and process now, so that the management of a data breach crisis can be a testament to the character and integrity of the business.

Pádraig Walsh

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.