Introduction
Data breaches have become increasingly rampant in recent years and Malaysia is no exception. The consequences of data breaches for companies can be devastating, including significant financial losses and legal ramifications. Such incidents may also permanently undermine the trust of customers and even the general public in the company or brand concerned.
In this alert, we provide some guidance on how a company should respond to a data breach to mitigate its liability as well as damage to reputation.
Step 1: Containing the Data Breach
The first step in responding to a data breach is to identify its source. This usually involves using dedicated tools to monitor network activity and identify unusual traffic patterns or repeated attempts to access sensitive data. Analysis of system logs can also help in detecting anomalies or errors that may indicate a data breach, such as failed login attempts or unusual file access patterns.
Once the source of the data breach has been identified, immediate action should be taken to isolate the affected systems or devices by shutting down the affected systems or disconnecting them from the network. The importance of promptly arresting a data breach cannot be overstated as it can help minimise the damage caused by the breach and reassure customers of the company's commitment to safeguard their sensitive and personal information. Given the urgency associated with data breaches, companies should establish a proficient in-house team capable of undertaking these steps without delay. If this is not feasible, companies should have a response plan in place so that an external expert can be brought in on short notice.
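As an added illustration of the log review described in Step 1 (example code written for this alert, not part of the original), the checker below runs over constructed sample log lines and flags two of the indicators mentioned above: repeated failed logins from one source (noting whether a success followed the burst) and reads of an assumed sensitive path outside an assumed business-hours window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (not from the original alert): SSH logins plus file-audit events.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:04 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09 auth sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:15 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:22 auth sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00 auth sshd: Failed password for alice from 198.51.100.2
2024-03-01T10:12:00 audit file: user=alice action=read path=/home/alice/notes.txt
2024-03-01T23:41:10 audit file: user=svc_backup action=read path=/srv/customers/pii_export.csv
"""
LOGIN_RE = re.compile(r"^(\S+) auth sshd: (Failed|Accepted) password for \S+ from (\S+)$")
FILE_RE = re.compile(r"^(\S+) audit file: user=(\S+) action=\S+ path=(\S+)$")
SENSITIVE_PREFIXES = ("/srv/customers/",)  # assumed location of personal data stores
BUSINESS_HOURS = range(8, 19)              # assumed 08:00-18:59 working window

def detect_login_anomalies(log_text, threshold=3, window=timedelta(minutes=5)):
    """Map source IP -> details for sources with >= threshold failures within `window`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts, outcome, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        (failures if outcome == "Failed" else successes)[src].append(ts)
    findings = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] > window:
                continue
            burst_end = times[i + threshold - 1]
            # A success shortly after a burst of failures is the case to escalate first.
            hit = any(burst_end <= s <= burst_end + window for s in successes[src])
            findings[src] = {"failures": len(times), "success_after_burst": hit}
            break
    return findings

def detect_file_anomalies(log_text):
    """Return reads of sensitive paths that happened outside business hours."""
    flagged = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if (m and m.group(3).startswith(SENSITIVE_PREFIXES)
                and datetime.fromisoformat(m.group(1)).hour not in BUSINESS_HOURS):
            flagged.append({"time": m.group(1), "user": m.group(2), "path": m.group(3)})
    return flagged
```

On the sample above, the first function reports only 203.0.113.7 (four failures, then a success), and the second reports the single out-of-hours read by svc_backup.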
Step 2: Assessing the Damage of the Data Breach
Companies should thoroughly assess the damage caused by the data breach to ensure that steps can be taken to prevent further exploitation of leaked data by the perpetrators. Additionally, companies should also seek legal advice on their potential liability to customers and relevant authorities so that appropriate measures can be taken to mitigate their liability.
Step 3: Notifying the Relevant Authorities and Affected Parties
Currently, the Personal Data Protection Act 2010 (“Act”) does not make it mandatory to notify the relevant authorities of a data breach. Nevertheless, it may be a good idea and practice to notify the authorities regarding a data breach as it will demonstrate the company's transparency in regards to the incident and the necessary measures taken to ensure that it does not recur. Such voluntary action may be taken into account by the authorities in considering whether to impose the penalties applicable under the Act.
Further, companies should also take steps to notify the affected parties of the data breach. Although this may be counterintuitive to the management, it would certainly be better for the customer to learn about the breach directly from the company, rather than from external media or online forums.
Step 4: Identifying the Root Causes of the Data Breach
The next step should be to fully investigate the cause of the breach. Such investigations may include a forensic examination of the existing security frameworks to identify the methods used by the attackers and the weaknesses of those frameworks. The forensic exercise should also include reviewing policies and procedures, assessing network and system configurations, and examining the overall security posture of the organisation.
If the data breach arose from a system or application implemented by a service provider, it may be useful to seek advice on the existing contractual arrangements with the service provider to determine whether:
(1) They are legally responsible to undertake the necessary remedial measures; and/or
(2) They may be held accountable for any liabilities incurred by the company arising from the breach.
Depending on the terms of the agreement, a service provider's refusal to accept responsibility for the data breach may give rise to a claim for breach of contract and/or negligence in which case the company may pursue legal action for remedies such as specific performance, damages, and indemnification.
Step 5: Aftermath
Once a temporary solution has been implemented to address the immediate concerns of a data breach, companies should also evaluate whether their security frameworks are susceptible to a wider range of threats. In this regard, the company should examine its contracts with existing service providers to evaluate whether such remedial measures fall within the service providers' scope of work. By doing so, the company may avoid incurring additional costs and allocate resources more efficiently.
Due to the dynamic nature of cybercrime, companies should take a holistic approach to security management. This may involve implementing new security controls, updating policies and procedures, and conducting employee training. Companies should also review the terms of their existing and future contracts with service providers to ensure that the contracts clearly provide for the implementation of sufficient data security measures. This approach is crucial in preventing future incidents and for maintaining the trust and confidence of stakeholders, customers, and partners.
Conclusion
In conclusion, as technology continues to evolve, the battle against cybercrime is likely to be a long and challenging one. It is always wise to have a proper plan in place so that if a crisis hits, you are in the best position possible to emerge unscathed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.