Government estimates published last month indicate that 81% of large businesses and 60% of small businesses have suffered a cyber security breach in the last year. Cyber breaches can take a number of forms; threats from rogue employees, malware introduced through BYOD or inadvertent data loss can be as serious as those from organised criminals, terrorists or state-sponsored groups.
So what should you do when you discover that there has been a breach?
Your best chance of positively affecting the outcome is in the first 24 hours after you discover a breach (which may be long after the breach itself began). During this period, your priorities should be establishing a core team to:
- Shore up your defences through software / hardware fixes, isolating the point of entry (a compromised mobile device, email account or web server) and protecting your most valuable assets (trade secrets and other high-value IP);
- Minimise the damage through technical means (whether that means getting your systems up and running again or taking them down temporarily to prevent further harm, bearing in mind that powering off or rebuilding a system can destroy evidence that you will later need) and practical steps (if passwords have been taken, alerting those affected and forcing a reset); and
- Initiate your crisis management protocol, including gathering information to understand what has happened, preserving evidence and controlling the messaging to stakeholders – this can be crucial to protecting your business from the fallout.
Establish your core team
Cyber breaches can be complex and highly damaging. Your incident response team should include senior management, senior IT personnel and senior members of your HR and PR teams.
The internal investigation should be led by in-house or external lawyers who are experienced in managing investigations and able to advise you on your potential exposure and routes for recovery. Most importantly the involvement of lawyers can also help you to maintain privilege over the investigation materials, giving you more control going forward.
Your team may also need to include other outside experts:
- cyber security firms can help you to understand the nature of the breach, how to recover your systems and how to protect against further attack (if you do not have this expertise in your in-house IT team);
- forensic IT firms can help you to uncover evidence relating to the breach, in a way that preserves crucial metadata and the chain of custody; and
- accountants can help you to understand the likely financial implications of the breach itself and the knock-on effects of the breach.
Consider your reporting obligations
Once you have a handle on the nature of the cyber breach, you will need to consider whether you have any reporting obligations to:
- Regulators: Depending on the nature and seriousness of the breach, and the sector that your business operates in, you may be under an obligation to report to a regulator. The Information Commissioner’s Office (ICO) has made it clear that data controllers should report serious data breaches to it. Certain sectors are subject to additional requirements. For example, providers of public electronic communications services (including internet service providers and telecommunications operators) have specific obligations to report personal data breaches under the Privacy and Electronic Communications (EC Directive) Regulations 2003. The proposed new EU Cyber Security Directive and Data Protection Regulation will bring in additional reporting obligations, particularly for those who operate ‘critical infrastructure’.
- Customers and contractors: Contracts for the provision of data storage or IT infrastructure may contain specific clauses requiring one party to notify the other of any cyber breaches. If not, there may be other legal or commercial reasons to inform your customers of a cyber breach, particularly if data that you hold for them may have been compromised – you do not want the first they hear of a breach to be through the press.
- The market: Listed companies will need to consider carefully their obligations under the Listing Rules and the Disclosure and Transparency Rules, which may require a breach to be disclosed, as soon as possible, if it would be considered “inside information” (which will depend, in part, on the seriousness and likely consequences of the breach).
- Insurers: You should check whether the breach may be covered by your insurance policy and whether you therefore need to notify your insurer. The extent of coverage for cyber risks is not always well understood. Surveys by the Department for Business, Innovation and Skills indicate that 52% of CEOs believe they have insurance cover for cyber risks. However, surveys by Zurich and Marsh suggest that the percentage who actually do have cover (whether as a standalone policy or as part of other policies) is closer to 10%.
- Law enforcement authorities: While civil action against the perpetrators of cyber attacks can be problematic (as we discuss below), law enforcement authorities have a broader range of powers available to pursue suspects. In certain circumstances, proceeds deriving from the criminal act can also be passed to the victims. However, criminal investigations and prosecutions tend to be lengthy and once a matter is in the hands of authorities, conduct and publicity of those criminal proceedings will be out of your control.
There may be other third parties who for commercial reasons you should consider notifying voluntarily at the appropriate time. You may need to consider contractors or suppliers who may be affected. If part of your system is outsourced or cloud-based, might others be at risk?
Understand your regulatory and civil risk
As well as damage arising directly from the breach, a cyber breach can also result in regulatory or civil actions being taken against you.
The ICO and other regulators have wide-ranging powers, particularly where there has been a serious data breach. Those powers include amongst others:
- Information notices requiring organisations to provide information about their operations – unless that information is legally privileged or self-incriminating;
- Undertakings requiring organisations to take certain remedial actions; and
- Monetary penalty notices of up to £500,000.
Where a breach has affected your customers, whether by data loss, unavailability of services or otherwise, you could also face civil claims. Your contracts with customers may contain express clauses covering data security. Customers might also look to rely on general contractual obligations to use reasonable care and skill, or seek to imply similar terms or bring an action in negligence. If the breach has prevented you from providing services, this could also be the basis for a claim (unless the cyber breach could be said to be covered by a force majeure clause, as may be the case for a terrorist attack).
As well as customers, you should also consider whether any third parties might be able to bring claims. Where individuals’ personal data has been lost, this could potentially give rise to claims by those individuals for compensation if it can be argued that they have suffered “damage” as a result of a breach of the Data Protection Act 1998 (DPA). The recent case of Judith Vidal-Hall and others v Google Inc EWCA Civ 311 confirmed that “damage” for the purposes of private claims brought under the DPA includes cases where the individual has suffered “distress” but no financial loss. Following Vidal-Hall, individuals affected by a data breach may be more likely to bring claims against those holding their data.
The adequacy of your compliance program and your response to an incident may be central to demonstrating that you have fulfilled your regulatory, contractual and common law duties.
Take action to recover the damage
If the breach has been as a result of a deliberate attack, it may be possible to take action against the perpetrator. However, recovering damages can be extremely challenging for a number of reasons:
- It can be very difficult to identify the perpetrator – or at least to pin this to an individual or legal entity;
- If the perpetrator is overseas, there may be difficult issues of jurisdiction or applicable law; and
- If you are able to obtain judgement in your favour, this can be challenging to enforce and will only be worthwhile if the perpetrator has assets to enforce against.
Having said this, if the perpetrator is a rogue employee (particularly a UK-based employee), you are likely to have more options. If the breach relates to the theft of trade secrets or other confidential data, you may be able to get injunctive relief to recover that data and/or prevent it from being disclosed or used. You will also need to think about instigating employee disciplinary procedures if appropriate, and coordinating that procedure with your internal investigation so that neither undermines the other.
Looking beyond the perpetrator, if the breach has been caused or contributed to by a weakness in a third-party hosted system, you may want to consider whether you may have any claims against your IT suppliers or contractors. As with claims by customers, such claims could turn on express or implied terms, or common law (negligence) duties. The actions that you take in response to a breach will be important in demonstrating that you have taken reasonable steps to mitigate your losses.
Start preparing now
When you discover a cyber breach, the actions that you take in the immediate aftermath can have dramatic and far-reaching effects. Getting the response right from the start can effectively minimise the damage, but missing key issues early on can give rise to collateral problems down the line. By planning in advance, you stand the best chance of being able to act swiftly, decisively and effectively, to minimise the risk from the breach itself and any follow-on claims or regulatory action.
Your planning should include:
- Developing a crisis management protocol, including a core incident-response team;
- Putting in place an effective compliance program, including appropriate training and policies; and
- Engaging with outside advisers in advance, to supplement your own in-house resources and ensure coordination is as efficient as possible when the time comes.
Is your organisation the guardian of important data and does it value its reputation?
Join us at one of Osborne Clarke’s cyber security and data protection events this May.