What do you do as a CTO if you wake up in the morning to a string of emails from your Chief Exec, a buzzing twitter feed and a breakfast TV special report letting you know that over 150,000 of your customers have had their data stolen in an overnight cyber-attack? Apart from going on extended leave?
It seems a pretty remote prospect, but that is exactly the position the management teams of several big businesses have found themselves in over the last two years.
And whilst successful attacks of that scale are rare, two-thirds of big businesses in the UK have been hit by a cyber-attack in the past year, according to a recent government survey.
As well as taking the key steps to ensure appropriate protections are in place to secure and protect data, it’s worth spending some time thinking, from a legal perspective, about how to respond effectively if you have evidence to believe that there has been a data security breach in your organisation.
Data Security Breach Management
Organisations should have a data breach response plan in place so that they can respond to a data breach swiftly and effectively. Here are some of the steps you will want to take if you become aware of a breach:
1) Assemble the Security Breach Team
All organisations should have a security breach management team, with primaries and deputies, drawn from across the organisation, including HR, IT, legal and compliance. The team should discuss their roles, and everyone needs to be clear about who is taking responsibility for what.
2) Determine what Caused the Breach, and Stop It
When a breach occurs, it is key to investigate it to determine its nature and cause, and what damage could result from it. You then need to take immediate action to stop the breach from continuing or recurring, and to mitigate any potential damage.
If the ICO (the body responsible for regulating data privacy matters in the UK) becomes involved in the situation, it will want to know what has been done to stop or mitigate the breach and what you will do to ensure future compliance with the law.
3) Determine the Identity of the Data Controller
The next step is to determine the identity of what is known as the “data controller” for the purposes of the breach. The data controller is the party that determines the purposes for which, and the manner in which, “personal data” (that is, data relating to living people) is processed, which may not always be obvious.
In some cases your organisation may process personal data for purposes determined by another organisation, e.g. where you provide hosting services, which makes you a “data processor” rather than a “data controller”.
There may be more than one data controller, particularly where shared services are involved. This is also common in relation to pensions data, where both the employer and the pension trustees are “data controllers” for the same personal data. Where that is the case, both parties may be liable for the breach.
4) Consider who to Notify
These could include:
The ICO
There is currently no express requirement to notify the ICO in the event of a breach, unless you are a telecoms or internet service provider (in which case special legislation applies).
However, the ICO believes serious breaches should be brought to its attention, including situations where a large volume of personal data is involved, or there is a real risk of individuals suffering harm, particularly where sensitive personal data (or financial data) has been compromised.
Additionally, this is an area of law which is constantly in flux: new legislation was implemented last month which will come into force in 2 years’ time and introduce an entirely new regime, so it is important to keep this under review.
The Data Subjects
Again, there is presently no express requirement to notify a “data subject” (i.e. the person to whom the data relates) whose data may have been compromised. Not every incident will automatically warrant notification, and notifying unnecessarily may well generate enquiries and work out of proportion to the risk.
That said, ICO guidance states that organisations should currently consider notification where it could help the individual, by allowing them to act to mitigate risks, e.g. by changing a password.
If notifying data subjects, the notification should at least include a description of how and when the breach occurred, what data was involved and what the organisation has done to respond to the risks posed by the breach.
Other Data Controllers
If there are other data controllers of the personal data in question, you may want to notify them (although this is not a legal obligation under the DPA).
Insurers
Notification of potential claims in a timely manner may be a requirement of your insurance policy.
The Data Controller
Data processors are required to notify the relevant data controller, to whom they may be liable for any breach.
5) Find out Who’s to Blame
Finally, as lawyers are always keen on doing, you’ll want to find out who’s to blame for the breach, and decide what steps to take next.
If the breach was caused by another data controller or data processor, you’ll want to consider whether there are any written contract terms in place, and what right you might have to bring a claim under that contract. If you don’t currently have written contract terms, this is something you will want to think about putting in place: it is mandatory under the DPA, and is particularly important where the processing or sharing of data involved is significant to your organisation.
If it was an internal breach, it may be appropriate to review the actions of any employees responsible and decide whether disciplinary action is warranted, considering the relevant staff policies (e.g. IT and security, and data protection policies) and your staff contracts to determine whether they have been breached. You’ll also want to consider whether staff were given any training and, if not, what training might be appropriate in future.
If you or your business requires further advice or assistance navigating any of the above, please contact:
Associate Director – Contracts and Technology Department
Tel: +44 (0) 28 9055 3306
While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.