Legal Toolkit Recovery from Cyber Attack October 2016 www.linkedin.com/company/cyber-rescue-alliance

Cyber Recovery - Legal Toolkit



Page 1: Cyber Recovery - Legal Toolkit

Legal Toolkit: Recovery from Cyber Attack

October 2016
www.linkedin.com/company/cyber-rescue-alliance

Page 2

First presented in Oct 2016. For other presentations at this event, see www.linkedin.com/company/cyber-rescue-alliance

Page 3: Cyber Attacks – A Legal Toolkit to Manage Risk

Dr Sam De Silva
Partner – Head of the Commercial IT & Outsourcing Group, Nabarro LLP
International Advisory Board – Cyber Rescue Alliance

13 October 2016

Page 4: Outline

• Action on becoming aware of breach

• Notification

• Contractual analysis – breach caused by a counter-party to a contract

• Further investigations and lessons learned

• Key action points

Page 5: Immediately after Becoming Aware of an Attack

• Mobilise the Incident Response Team (IRT) and implement the Response Plan

• Specialists across the business:
  – HR, IT, security (IT and physical), legal, compliance, PR
  – internal and external (particularly IT, PR and legal)
  – appropriate seniority

• Trained in advance (and rehearsed various scenarios)

• Clear about who is taking ultimate responsibility

• Need to understand and be aware of sector-specific legislation / guidance

• Work with external lawyers to manage the creation and distribution of documents during the response to the incident, to maintain both confidentiality and privilege in documents containing legal advice

Page 6: Initial Damage Limitation

• Implement the steps required to stop or contain the breach

• Many attacks are on-going and repeated – may involve the temporary suspension of affected systems or websites

• If the ICO is notified or becomes involved in a data security breach, it:
  – will want to know what has been done to stop or mitigate the breach
  – will want to know what the business will do to ensure future compliance

Page 7: Breach Impact and Risk Assessment

• Verification

• What has happened to the data

• The type of data affected

• The degree of sensitivity of the data

• Any protections in place, such as encryption

• How many individuals are involved

• Who the individuals are

• The potential detriment to individuals

Page 8: Responding to Threats and Extortion

• Seek legal advice
  – Payment of ransom may be a criminal offence

• Validation

• Technical solutions

Page 9: Consider who Needs to be Notified

• ICO / Regulators
  – no regulatory obligation to notify ICO [current law]
  – notification for "serious breaches":
    · a large volume of personal data is involved and there is a real risk of individuals suffering some harm
    · breach concerns information that, if released, could cause a significant risk of individuals suffering substantial detriment – sensitive personal data
  – legal requirements to notify, under sector-specific legislation
  – contractual requirements to notify

• Insurers

• Bank / credit card companies

• Police

• Data subjects

Page 10: Notifying Data Subjects

• ICO cautions against the dangers of "over notifying" data subjects

• Need to consider:
  – how notification could help the individual
  – providing assistance in dealing with practical issues, e.g. identity fraud checking services
  – most appropriate way to notify, taking into account the security of the medium as well as the urgency of the situation

• Notification could include:
  – a description of how and when the breach occurred
  – what data was involved
  – details of what has already been done to respond to the risks posed by the breach
  – contact details for further information or to ask questions, such as a helpline number or web address

• Seek legal advice prior to any notification

Page 11: Check the Contract (1) – Breach caused by a counter-party to a contract

• Do you have a claim for breach of a specific data protection or security obligation?

• Consider a claim or any liability for breach of confidence or a failure to take reasonable skill and care

• Does the breach give rise to a right to claim damages?

• Is the value of the claim limited by the contractual limit of liability?

• Are the costs incurred as a result of the breach recoverable?

• Can any liability you may have following the sanctions taken by the ICO be transferred to the data processor?

Page 12: Check the Contract (2) – Breach caused by a counter-party to a contract

• Does the breach give rise to a right to terminate the contract?

• Consider whether the breach is sufficiently serious to give rise to the right to terminate the contract at common law for repudiatory breach

• Does the data security breach trigger any other aspects of the contract, such as audit rights or the implementation of business continuity and disaster recovery plans?

• Are there any specific contractual administration matters that need to be observed to preserve rights, such as compliance with notice provisions or prescribed alternative dispute resolution procedures?

Page 13: Further Investigations and Lessons Learned

• Investigation to include a review of whether appropriate security policies and procedures were in place – and whether they were followed

• Where one or more data processors may have caused the breach, consider whether adequate contractual obligations were in place to comply with the DPA – are they in breach of contract?

• Where security is found not to be appropriate for the purpose of the DPA, consider what action needs to be taken to raise data protection and security compliance standards to comply with the DPA

• If the ICO is notified or becomes involved in a data security breach, it is likely to request this information

Page 14: Key Action Points

• Verify the breach

• Determine the extent of the breach

• Contain the breach

• Consider what data is affected, if any, and what risks arise as a result

• Consider whether there is a compulsory requirement to inform anyone (regulators, data subjects, suppliers, and so on) of the breach, or if there are good reasons to do so even if there is not

• Consider any communications in the light of regulatory requirements, public relations considerations and litigation risk

• Review and modify systems and processes in the light of the experience, to limit the risk of reoccurrence and to make sure the response is as effective as possible if it does reoccur

Page 15: Thank You

Dr Sam De Silva
T +44 (0)20 7524 6223
[email protected]

Page 16: Cyber Rescue Alliance

Bespoke Commercial Response Plan

Commercial Coach for Cyber Attack Response

Practice your Response in Executive Simulations

Page 17: Example Alliance Partners

Security Scorecard to auto review Suppliers

Cost effective online Staff Training

SEC-1 to conduct penetration testing

Page 18: Join Cyber Rescue

Cyber Rescue is a Membership organisation that helps CEOs lead recovery from cyber attack.

Cyber Rescue operates in 9 countries across Europe, helping leaders protect reputation and revenues when hackers break through.

Members benefit from Executive Role Plays, bespoke Commercial Response Plans, and expert Coaching during a catastrophic breach. Cyber Rescue's advisors have led response to thousands of cyber attacks and hundreds of breaches. The Cyber Rescue team have expertise in the many functional areas that are impacted by a successful cyber attack, for example Legal, PR, HR, Operations, Finance and Customer Service, as well as IT Forensics and Remediation.

+44 (0)20 7859 4320
www.linkedin.com/company/cyber-rescue-alliance