How to respond to a cyber security breach

These days, it’s not about what to do if A cybersecurity attack happens, but when. Abuses are common and come in many forms, and they are concerning for affected businesses.

Organizations can learn a lot from the experiences of others who have been attacked.

A real team effort is required, as there are many actions required to monitor and manage the attack as quickly as possible. Employees need training and the company should have policies in place that dictate the correct procedure. Organizations that do not have a clear chain of command can find themselves in a state of confusion.

The response plan is critical. This should identify who is responsible for coordinating the response and which third parties should be involved. Running fake attacks internally will also ensure that stakeholders have some familiarity with their responsibilities.

An effective response includes learning about the organization’s own systems and performing regular penetration tests. It is not uncommon to encounter companies whose outdated technology, or failure to install updates, has made them vulnerable.

Regulators will want to know how employees reacted: how quickly was the attack detected, was it appropriately escalated, were the individuals handling the attack aware of potential reporting obligations, and most importantly, did the personnel involved receive any training? Failure on these points increases the chances of enforcement action by regulators.

The main stakeholders are the internal IT department, any internal or external legal team, the data protection officer, and any cybersecurity experts. The benefit of counseling attorneys early on is that they can coordinate the disparate parts of the response, possibly helping to claim legal privilege over certain elements of the response.

The response team can then think about what information each separate group needs to collect to determine exactly what happened: where the attack came from, what was compromised, and is the attack over or continuing?

A common core component of a bad response is not knowing which third parties to report the attack to. Insurers may need to be notified immediately, otherwise any relevant policy is subject to cancellation. The insurance company may also ask to bring in technical experts to mitigate the threat.

Attacks of particular severity involving personal data must be reported to the Information Commissioner’s Office under UK law, and possibly to affected individuals as well.

Regulators in other jurisdictions may also need to be notified of a breach. The notice schedule is often tight – eg, 72 hours after a breach is known. Therefore, this is not the time for companies to establish, for the first time, data protection laws in the countries to which they apply.

Reputation is key, too. So contacting PR consultants may be another part of the jigsaw to consider.

Ransomware demands are a growing feature of attacks. ICO and National Cyber ​​Security Center advice Organizations do not pay – even if the insurance restore personal data.

We were recently instructed to work for a multinational organization, after it received a notification from a threatening entity that personal data had been stolen and placed on the dark web, and a ransom was demanded.

The organization hired a cybersecurity expert to contain the threat, and he advised us on reporting obligations. The focus was on ensuring that the report was as complete as possible to the regulator, also demonstrating that individuals reacted quickly when the breach was discovered and that they had been trained to protect personal information.

Although there was no sensitive data, the organization notified the affected individuals and took out identity fraud insurance on their behalf. In this case, the regulator was satisfied that it acted responsibly.

In another example, we were approached by a company that received advice about their fault-tolerant system but ignored it. We have been advised that the Company and its directors are at risk of claims and that failure to inform the ICO can be extremely harmful.

What these and other examples have shown is that where processes are created, systems modernized and invested in, and expert advice adhered to, organizations will be better equipped to ride the inevitable wave of cyberattacks and mitigate their impact.

Joanne Vengadisan is a partner and data protection expert at Penningtons Manches Cooper