When it comes to cyber security, focussing solely on the GDPR can be dangerous. Liability for cyber security issues can arise in numerous ways. Securing personal data is not enough. Even in the absence of a personal data breach, companies may face disciplinary action or fines from other regulators (and under different regulatory regimes).
Regardless of the applicable regime, the priority for all businesses is to ensure that they have in place robust procedures for dealing with cyber incidents (with adequate staff training to ensure that those procedures are implemented fully, even during high-pressure situations).
What should businesses look at?
Businesses must consider carefully the totality of their regulatory requirements. You may well have notification obligations over and above those set out in the GDPR (and with different thresholds for notification). This will be especially important for those operating in regulated industries or which provide critical national infrastructure (and are caught within the scope of the NIS Regulations).
Given the different regimes to which any one company might be subject, any systems, procedures and policies for cyber security must take into account the company’s full suite of regulatory obligations (including any and all guidance issued by relevant regulators).
What does this mean for businesses?
One essential requirement for any business, no matter how they are regulated, will be to ensure that their incident response procedures are robust, up to date, and fit for purpose. These procedures should be stress-tested, with regular training provided for all individuals that might need to take key decisions during an incident.
Many regulators place great emphasis on the speed of response to any given incident. The starting point for any incident response procedure should therefore be to ensure the swift and appropriate escalation of major incidents. Businesses should pay particular attention to the following issues when reviewing and revising their incident response procedures:
- Contact details: The incident response plan should list the individuals and teams that must be contacted in the event of an incident, with correct phone numbers for each contact.
- Out of hours support: What provision is made for out of hours support? Are any identified email addresses and contact phone numbers monitored on weekends?
- Collective responsibility: Do all staff understand how to escalate / notify a cyber incident appropriately? Even teams not responsible for managing cyber incidents should understand how to notify and escalate internally any reported incidents.
- External expertise: Does the policy require staff to consider whether and at what stage external expertise may be required?
- Training: Have relevant staff been given training in implementing the incident response procedures?