It is often said that any IT system is only as secure as the people who use it. In other words, all of us – the users – are the weakest link. If PricewaterhouseCoopers' 2016 survey – 'A matter of when, not if, a breach will occur' – is to be believed, then forward planning and staff training are vital. Although organisations are realising that cyber security is a broader issue than just the protection of personal data, the Cyber Security Breaches Survey 2019 states that only,
"16% of businesses and 11% of charities have formal cyber security incident management processes in place."
What then are the advantages of forward planning and what, if anything, can we do to help you?
Construct a data breach 'playbook'
Having a plan in place means that you can identify which team members you will need so that you have someone with sufficient authority in place to take decisions as well as people with sufficient expertise to deal with the IT side. It also means that staff are aware of what their notification requirements are, who needs to be notified and when.
When and why do you have to report a breach?
The introduction of the European Union's General Data Protection Regulation (GDPR) in 2018 will not have escaped anyone's attention. Under the GDPR, there is a mandatory requirement to report certain types of personal data breach to the national supervisory authority – in the UK this is the Information Commissioner's Office (ICO). There are also circumstances in which the affected individuals must be notified.
But the GDPR is not the only law that imposes reporting requirements: organisations in sectors such as energy, health and finance have obligations under the Cyber Security Directive; regulated financial services providers have notification requirements to the UK Financial Conduct Authority; and telecoms providers under the Communications Act 2003.
We can assist you with understanding your reporting obligations in advance so that you do not fall foul of these following a breach.
If a breach does occur, it can be expensive. As a guide, Lloyd's estimates that the average cost of a cyber security breach is in the region of £600k-£1.15m, or £65k-115k for SMEs. The current legal position on liability for a breach is that the company is vicariously liable for the actions of its employees. So it is perhaps surprising to note that the Cyber Security Breaches Survey 2019 reported that only 11% of all UK businesses and 6% of charities have cyber insurance in place. Yet it is possible to obtain cyber insurance that will cover business interruption, payment of compensation to customers, costs associated with regulatory investigations and legal fees.
However, if you do not understand and comply with the notification provisions of the insurance policy, your insurer might void the policy. This is something we can assist you with in advance, so that you know what your policy requires you to do and when.
Should you involve the police?
This is a common question, but the answer is not straightforward and requires an analysis of your objectives and legal obligations. Sometimes it will be more effective and quicker for an organisation to take urgent action through the civil courts without involving the police.
Should you pay a ransom?
As an organisation, you will have to reach your own answer to this question. Some firms pay, others do not: a leading forensic science firm, which is used by the UK police to help investigate major crimes, reportedly paid a ransom to criminals after being targeted by a cyber attack; in contrast, Norsk Hydro decided not to pay and reportedly suffered a loss of £45 million as a result.
We can help you understand the consequences of paying a ransom. Legislation is in place to combat money-laundering and prevent the financing of terrorist and criminal organisations. You would not want to pay a ransom only to realise that you had inadvertently committed an offence yourselves by doing so.
Finally, in the event that a breach does occur and you obtain legal advice, we can assist you with the steps to take to mitigate the damage to yourselves and others. The content of those communications (the legal advice) will be protected by legal privilege. This can be a particularly effective shield against regulators and potential victims of the breach, should they take court action against you.
There are complex obligations that come into play before and after a data breach. We can help you to prepare in advance and advise on what steps to take after a breach occurs. If you would like to discuss any aspect of this further, please contact us.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.