As part of Reed Smith's webinar series on crisis management, on Wednesday 6 November 2019, partners Tom Webley, Philip Thomas and John M. McIntyre delivered a webinar to clients on data breaches, cyber attacks, and potential responses to such incidents. This article focuses on the key themes arising out of the webinar and serves as a summary of the key takeaways. In case you missed this webinar, the recording is available at reedsmith.com.
What is the difference between a data breach and a cyber attack?
- A data breach is a security incident where personal data is accessed without authorization. In general, data breaches are also personal data breaches and may be accidental or deliberate.
- A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss or alteration of, or unauthorized disclosure of or access to, personal data that is transmitted, stored or otherwise processed. Examples include lost devices and documents, misdelivered messages, unencrypted email transmissions containing personal data and disposal of documents in a non-compliant manner (e.g., without shredding first).
- A cyber attack is broader than a data breach, is deliberate and can be more disruptive to a business. Examples include malware attacks, which can affect all business units, such as the NotPetya attack, which is estimated to have cost an international shipping company $200 million – $300 million.
What does a breach look like in practice?
- The global average size of a data breach is 25,575 records, at a cost to the company affected of $3.92 million. The average time to identify and contain a breach is approximately nine months.[1] The country with the highest average cost was the United States at $8.19 million.
- Governments are not immune. In the United States, 443 breaches have affected governments since 2014, with a total of 168,962,628 records compromised. There is also a rising number of "ransomware attacks."
- Breaches carry the risk of severe reputational damage and can knock customer confidence. There is an average immediate stock price drop of 5 percent, often followed by executive departures. Notifications to government agencies, consumers and, in some cases, the media may be required, and litigation and regulatory action can follow.
How can you mitigate the risks?
- Manage relationships with vendors who have access to data. It is established under EU law that you must conduct vendor due diligence and have data processing agreements with third-party vendors. A robust contract will provide additional protection and should include, inter alia, strong conditions, warranties and audit rights, and address subcontracting and insurance issues. What is the vendor's track record with previous breaches and attacks? Do they have a data protection policy and a chief information officer?
- Create internal policies and procedures. What sensitive data do you collect? What policies and procedures do you have to protect data? Limit employee and vendor access to and use of data, and train all employees who handle data. Record-keeping is essential under the General Data Protection Regulation, so document any breaches that occur and what steps the organization has taken to mitigate the risk. Perform regular monitoring to discover and address breaches as quickly as possible.
- Create a data map. What data do you have and where is it stored? Who has access to this data and what are they allowed to do with it? Can they share it? Mapping serves a dual purpose: (i) as your record retention policy and (ii) as a useful resource when responding to a data breach, helping you quickly identify what data was compromised.
- Have a data breach response plan. A plan's purpose is threefold: (i) build preventative safeguards; (ii) help identify breaches; and (iii) facilitate efficient responsive action in a crisis environment. Train employees and practice the plan's implementation with drills. Plans and procedures are also critical in defending against post-breach litigation and investigations. Companies that implemented plans reduced the costs of breaches on average by more than $1.2 million.
- Purchase a cyber insurance policy. Insurance helps transfer risk away from the organization, and the market for cyber-specific insurance is developing rapidly. Cyber insurance covers risks which are often not covered by more general policies, and policies are not "one size fits all." The various possibilities should be discussed with a broker.
- Consider protections in your contracts with third parties. Limit exposure to cyber incidents through terms in your contracts with third parties. This should be in addition to taking out cyber insurance. Beware that reliance on contractual terms may be challenged and the contractual protection will be of limited value if the other party has no assets to enforce against. Seeking to rely on terms limiting liability may also raise reputational and regulatory issues.
How should you respond to an event?
- Have a breach response plan in place before the event to minimize delays and errors. The plan should include a triage mechanism: (i) an employee must identify the breach; (ii) the identifier should notify the relevant person in your organization; and (iii) that person should respond. Make sure checks are regular to ensure breaches do not go undetected. Implementing your plan and following the critical first steps is key to managing the long-term impact of the breach or attack.
- Employee protocols should be available internally.
- Curtail the breach by changing passwords, halting network traffic, and shutting down computers to prevent the breach from spreading.
- Have an established remediation process to address how to restore data from backups.
- Conduct an investigation into how the event occurred, how it was dealt with, and how your response could be improved. It is important to make sure that, where possible, documents created during the investigation are protected by privilege, and that this privilege is maintained.
- Talk with PR teams to minimize reputational and other damage. It is important to communicate a clear and consistent message, but one which will not unintentionally increase liability or exposure to claims or regulatory sanction. Avoid making a statement which could be construed as an admission of fault. Monitor the situation closely and identify escalation events. Social media may give an indication of how your response is being received, and you should adjust your message accordingly.
- Record all breaches in a log, as required by EU regulation. Keeping records will help regulators in their investigations and enable you to work effectively with affected individuals. There are templates for your record-keeping available from regulators.
- A breach may trigger notification obligations. Not all breaches are notifiable. The threshold for notifying a supervisory authority in the EU is that the breach must pose a threat to the rights and freedoms of the affected individuals. The threshold for notifications to affected individuals is higher. In the United States there is no uniform national standard except for breaches involving health information. All 50 U.S. states have adopted laws requiring notification to individuals, but these vary between states.
Your questions answered
'As part of its reporting obligations, a processor has to report to the controller without undue delay from when it becomes aware of a breach. Does this allow for the processor to conduct its own internal investigation to establish whether or not a breach has actually occurred or does the processor have to report to the controller if it believes a breach may have occurred?'
"Under GDPR Article 33(2), the processor has a duty to notify the controller, without undue delay, of a "personal data breach" (as that term is defined in Article 4(12) of the GDPR). In our view, this duty extends to actual and not suspected personal data breaches. This presupposes that the processor has some time to determine whether the incident in question qualifies as a personal data breach that is required to be notified to the controller. While the above-mentioned notification obligation does not apply to suspected personal data breaches, some controllers nonetheless seek to impose data breach notification obligations on their processors that go above and beyond the minimum GDPR requirements. For example, some controllers may request that their processors notify them of any actual or suspected personal data breaches without undue delay or even within a defined time period (e.g. within 24 – 48 hours of the processor becoming aware that an actual personal data breach has occurred)."
[1] Excluding "mega breaches," which involve more than 1 million records. 2019 IBM Security – Cost of a Data Breach Report.