A legal perspective on how to think about responding if your IT Systems have been targeted by the WannaCry Ransomware, or other malware.
What do you do as a CTO if you wake up in the morning to a string of emails from your Chief Exec, a buzzing twitter feed and a breakfast TV special report letting you know that over 150,000 of your customers have had their data stolen, or accessed, in an overnight cyber-attack? Apart from going on extended leave?
That was the situation hundreds, if not thousands, of business owners found themselves in last Friday as more than 200,000 computers were affected by the WannaCry or WCry malware that had a particularly serious impact on several NHS Trusts in England and Wales.
Whilst successful attacks of that scale are rare, two-thirds of big businesses in the UK have been hit by a cyber-attack in the past year, according to a recent government survey, with only an estimated 10% of businesses currently having a cyber security incident plan to rely on.
As well as taking the key practical and technical steps to ensure appropriate protections are in place to secure and protect data, it’s worth spending some time thinking, from a legal perspective, about how to respond effectively if you have reason to believe that there has been a data security breach in your organisation.
Data Security Breach Management
Your organisation should have a data breach response plan in place to enable it to respond to a data breach swiftly and effectively. Here are some of the steps that you will want to take if you become aware of a breach:
1. Assemble the Security Breach Team
All organisations should have a security breach management team, with primaries and deputies, drawn from across the organisation, including from HR, IT, legal and compliance. The team should discuss their roles, and everyone needs to be clear about who is taking responsibility for what.
2. Determine what Caused the Breach, and Stop It
When a breach occurs, it is critical to investigate it to determine the nature and cause of the breach, and what damage could result from it. Following that, immediate action is required to stop the breach from continuing or recurring and to mitigate any potential damage.
If the ICO (the body responsible for regulating data privacy matters in the UK) becomes involved in the situation, it will want to know what has been done to stop or mitigate the breach and what you will do to ensure future compliance with the law.
3. Determine the Identity of the Data Controller
The next step is to determine the identity of what is known as the “data controller” for the purposes of the breach. The data controller is the party that determines the purposes for which, and the manner in which, “personal data” (that’s data relating to living people) is processed – which may not always be obvious.
In some cases, your organisation may process personal data for purposes determined by another organisation, e.g. where you provide hosting services, which makes you a “data processor” rather than a “data controller”.
There may be more than one data controller, particularly where shared services are involved. This is also common in relation to pensions data, where both the employer and the pension trustees are “data controllers” for the same personal data. Where that is the case, both parties may be liable for the breach.
4. Consider who to Notify
These could include:
- The ICO
There is currently no express requirement to notify the ICO in the event of a breach, unless you’re a telecoms or internet service provider (in which case special legislation applies).
However, the ICO believes serious breaches should be brought to its attention, including situations where a large volume of personal data is involved, or there is a real risk of individuals suffering harm, particularly where sensitive personal data (or financial data) has been compromised.
This is an area of law which is constantly in flux: the EU’s General Data Protection Regulation (GDPR), which will be enforced from 25 May 2018 (see our article on the key changes here), introduces an entirely new regime, so it is important to keep this under review.
- The Data Subjects
Again, there is presently no express requirement to notify a “data subject” (i.e. the person to whom the data relates) whose data may have been compromised. Not every incident will automatically warrant notification, and notifying unnecessarily may well generate disproportionate enquiries and work.
That said, ICO guidance states that organisations should currently consider notification where it could help the individual, by allowing them to act to mitigate risks, e.g. by changing a password.
If notifying data subjects, the notification should at least include a description of how and when the breach occurred, what data was involved and what you have already done to respond to the risks posed by the breach.
- The Data Controller:
If you are a “data processor”, you are required to notify the relevant data controller, who may hold you responsible for any breach.
- Other Data Controllers:
If there are other data controllers of the personal data in question, you may want to notify them (although this is not a legal obligation).
Notification of potential claims in a timely manner may be an insurance policy requirement.
5. Find Out Who’s to Blame
Finally, as lawyers are always keen to do, you’ll want to find out who’s to blame for the breach, and decide what steps to take next.
If the breach was caused by another data controller or data processor, you’ll want to consider whether there are any written contract terms in place, and what right you might have to bring a claim under (and/or terminate) that contract.
If you don’t currently have written contract terms, this is something you will want to think about putting in place, as it is mandatory under the DPA (the Data Protection Act) and is especially important where the processing or sharing of data is particularly significant to your organisation.
With the scope for the ICO to impose much more significant penalties under the GDPR, this will become increasingly important going forward.
If there was an internal breach, it may be appropriate to review the actions of the employees responsible (if any) and decide whether disciplinary action is appropriate, considering the relevant staff policies (e.g. IT and security, and data protection policies) to determine whether they have been breached, as well as your staff contracts. You’ll also want to think about what training staff were given (if any) and at what level, and what training might be appropriate in future.
In summary, whilst there’s obviously no point crying over lost data, if you act proactively to put in place the proper training, protections and protocols, and have a clear handle on what to do if something does go wrong, it will help massively in mitigating the impact of the loss.
If you or your business requires further advice or assistance navigating any of the above, please contact:
Associate Director – Contracts and Technology Department
Tel: +44 (0) 28 9055 3306
While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.