The first of three hypothetical scenarios examined by a board as part of the AICD’s Governance Summit this week was a malicious data breach.

The initial response to this ‘breach’ was not a smooth one.

In the first five minutes of the scenario, a crucial time, there was confusion about what to do and who was doing what. The CEO could have been in a much better position to assist the board if he and his executive team had worked through some disciplined breach preparation, including preparing a plan in advance of an actual breach.

If a plan had been prepared, the hypothetical CEO would have been able to say something along the lines of “we have a breach response plan, we know what we are doing, roles and responsibilities have been set, timings have been set, we have activated it.” And while all of this activity is going on, the board can focus on the high-level, public-facing crisis issues.

This scenario reminded me that while there was a rush of interest in preparing for data breach notification in February 2018 and again at the end of May when the GDPR was introduced, many businesses may not have revisited the issue, or their response readiness, since.

Dealing with a data breach takes some planning and, to reuse a tried but tested phrase, failing to plan is planning to fail.

In a crisis, you need to be able to simply execute and everyone needs to know their role and responsibility.

The time spent by an executive team, either running a scenario or simply going through the plan and allocating roles, is a few hours well spent and more than recoups itself in the event of a crisis.

Holding Redlich is well positioned to assist you in planning for a suspected data breach, assessing whether there is a risk of serious harm, and responding. Even if you haven’t planned in advance, we can help with responses and with assessing the options you need to take, having regard to legal requirements and the likely view of the court of public opinion. Reputation is a key issue in any breach assessment process.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.