Emerging themes 2019 - Page 44

1. Mobilise quickly

Identify in advance the people who should be involved in responding to a breach. That may include a range of internal stakeholders – the Data Protection Officer (if there is one) and representatives from IT Security, Legal, Compliance, Corporate Communications and HR. However, if the group is too large, decision-making can be inhibited and the risk of information leaking increases. The team should have decision-making authority, as a number of critical decisions may need to be made quickly. In addition, identify a panel of pre-vetted specialist forensic investigators and consider instructing them at an early stage. They will preserve the evidential trail while getting to the bottom of key questions, for example: What is the root cause of the incident and how can it be contained? Where is any malware located and how can it be removed? How long has any bad actor had access to the system and what activity did they undertake?
2. Notify regulators

UK-based firms now have to report personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours where there is a risk to the rights and freedoms of natural persons. In reality, firms will often still be grappling with what has happened in that period and may need to file a preliminary notification until the facts are clearer. Firms authorised by the FCA/PRA will also have parallel regulatory notification obligations. The September 2014 Memorandum of Understanding between the FCA and ICO makes clear that the regulators share information. Typically, you will want to be on the front foot in simultaneously notifying the ICO and the financial regulators, rather than risk one regulator hearing about the breach from another. Note that the FCA has publicly criticised what it calls “material under-reporting” of cyber incidents by firms in the regulated sector; by contrast, the ICO feels firms are over-reporting. Also, do not lose sight of any overseas regulatory reporting obligations – the consequences of a data breach are often not confined to a single jurisdiction.
3. Notify customers

The EU General Data Protection Regulation (GDPR) requires firms to inform individuals if the breach is “likely to result in a high risk to the rights and freedoms of natural persons”. There is no prescribed methodology for assessing the likelihood and severity of the risk, but clients will typically be considering the type of data and the numbers affected. So, for example, account details or passwords will carry a higher risk than mere names or genders. Firms should also consider any mitigating/aggravating factors, such as whether any lost data was encrypted. The test may be difficult to apply in the early stages, and firms will need to assess when it is prudent to warn customers. Whilst you will want to provide some reassurance to customers in the notifications, be careful about committing to any definitive facts which are still being investigated. The notification should include the information required under the GDPR, including the measures taken to address the breach and mitigate its effect. You may also wish to offer credit monitoring services where appropriate and include steps the customers should themselves take to mitigate risk, such as changing passwords.
