The cyber insurance market – more knowledge is key
The cyber insurance market and the need for clarity
While the cyber insurance (and reinsurance) market continues to develop, both insurers and insureds face uncertainty in writing and buying cyber risks products. There is an acute need for clarity and knowledge in the market which, unfortunately, may only come at a slow pace and with some degree of trial and error. However, most businesses and insurers will know the risks of cyber attacks are undeniably present and the costs to businesses can potentially be extremely high.
The most recent high profile cyber attack comes as the Sony Pictures hack saw several of its unreleased movies being leaked along with sensitive company information and emails (some of which contain deeply embarrassing exchanges between Sony executives and have since been widely reported in the press). Sony is no stranger to the threat of cyber security – it has previously faced its PlayStation Network being hacked leading to the personal details of millions of accounts being stolen.
Cyber attacks can be a commonplace issue for a range of organisations. The Bank of England said earlier in the year that it faces on average around eight incidents per week and, more recently, it was asked by Andrew Tyrie, the chairman of the Treasury committee, to provide assurance that the Bank of England was capable of repelling cyber attackers.
The Department for Business Innovation & Skills reported in April 2014 that 81% of large organisations and 60% of small businesses suffered a security breach in 2013 with increases in severity and average costs for the worst breaches rising significantly. The average costs for small businesses were between £65,000 and £115,000 while for large business the range was between £600,000 and £1.15 million.
Despite these risks, many SMEs (and even some larger organisations) will only work towards improving their cyber security and mitigating their risk of cyber breaches if there is a pressing commercial imperative to do so. When looking at a cyber insurance product, businesses will ask “is it worth it?”, “how much will it cost?”, and “by when do I need to do it?”. These questions are impossible to answer by simply looking at a policy. Purchasing cyber insurance should form a part of a comprehensive cyber security plan including an assessment of the risks the business faces and understanding and implementing safeguards to mitigate those risks. Although putting in place a cyber security plan may, in itself, be difficult, it is a sensible first step to understanding whether purchasing cyber insurance is worth it and what limits of cover are acceptable.
For insurers, the difficulty lies in fully understanding the risks and costs which they are underwriting. While several insurers including the likes of ACE, Barbican, Brit, Aegis and Novae are already establishing themselves in the market with dedicated cyber policies, the market itself is still developing and the types of risks (and, consequently, the types of policies) are varied. Insurers face difficulties in accurately evaluating cyber risk and, with a lack of loss data available, accurately deciding the appropriate limits for the risks.
Selling cyber products to businesses
Demand for cyber products has not yet boomed; price and a lack of knowledge can be significant barriers to businesses appreciating the need for cyber coverage.
Businesses may find it difficult to understand why they should pay relatively high premiums for cyber cover when they may be paying significantly less premium for more established policies such as D&O or property damage coverage up to the same limits.
Given the current nature of the market, there can be stark differences between various policies and the coverage they offer. Compounded with the fact that different businesses will face different risks, it is not possible for a business to make a sensible comparison between policies based on price alone.
It is extremely important for the business to review the policy wording carefully and consider whether the policy is effective for its business model.
However, as knowledge in the market increases (particularly with the current trend of insurers hiring security experts while developing their products) and the market develops, businesses are likely to be more motivated to purchase cyber coverage.
A key selling point of policies may well not be the limits of coverage but, in fact, the additional benefits provided to businesses and how effectively an insurer deals with a cyber breach and the network of breach response experts and services it provides to its insured under the policy. A breach may require the involvement of various experts including lawyers, IT forensics experts, credit and data monitoring firms, specialist PR firms, and communications/notifications firms. While many businesses will be familiar with working with their regular advisors such as lawyers, accountants or brokers, they may find the number of experts (and the coordination) needed to respond to a cyber breach, and the different work streams involved, to be daunting.
There is certainly more importance being given to cyber risks and an upward trend in both the number of insurers offering cyber products and the number of businesses seeking coverage. What remains to be seen is just how rapidly the trend grows and whether, in the near future, cyber coverage becomes as standard to business needs as D&O, property or public liability policies.
Data breaches – what can we expect from the EU?
In January 2012, the European Commission (EC) unveiled its draft data protection Regulation (Regulation) (referred to elsewhere as the General Data Protection Regulation), intended to update and harmonise EU data protection law. Three years later, the draft is still being hotly debated. The European Parliament has approved its own proposals and the European Council has published provisional proposals on parts of the Regulation. The Regulation has been described as the most lobbied legislation in EU history and few issues have caused more consternation than the proposals around dealing with data security breaches.
Under the current draft of the Regulation there would be mandatory reporting of data security breaches. Organisations would have to inform the relevant data protection authority (DPA) of a breach “without undue delay and, where feasible, not later than 24 hours of becoming aware of it”. In addition, they would then have to inform data subjects “without undue delay” unless the relevant data protection authority was satisfied that the data was sufficiently protected from being accessed by an unauthorised user, for example, by encryption. Data processors would be subject to the still more onerous requirement to inform data controllers “immediately” of any data security breach.
What are the issues?
Most obviously, in the Commission’s draft, there are no exceptions to the requirement to notify data security breaches to DPAs. This means that every security breach, no matter how insignificant, would, in theory, have to be reported. Not only would this place a huge administrative burden on organisations, the EC does not appear to have thought about how DPAs would process, much less act on, this information. In addition, in order to comply with the time frames, data controllers are likely to have to provide incomplete notifications to be supplemented at a later date, thereby adding to the administrative burden for all concerned.
There is nothing in the Commission’s draft which stipulates how DPAs are supposed to deal with notifications of security breaches. Despite the tight time constraints on data controllers and processors, there are no time limits within which the DPA needs to respond. This is particularly important given the stipulation in Article 32 of the Regulation that it is unnecessary to inform a data subject of a breach if the controller can demonstrate to the DPA that the data was encrypted or otherwise protected from access. Another issue with the lack of guidance to DPAs on time of response is the possibility of getting comeback on a data security breach from the DPA long after it has been dealt with by the data controller.
With an increased administrative burden comes increased costs. Again, these would be felt both by businesses and by DPAs (or in other words, Member States). In its impact assessment of the Regulation, the UK’s Ministry of Justice highlighted the data security breach notification requirements as adding a potential £104m to the compliance bill.
Where are things headed?
It does seem highly likely that there will be some watering down of the data security breach reporting requirements in the next draft of the Regulation. With considerable pushback from the DPAs as well as from business and Member State governments, the EC has said it will look again at the proposals. Other regulation applicable to data breaches is less draconian as are alternative proposals coming from the European Parliament and the Council.
The Regulation on notification of personal data breaches by public electronic communications service providers
Some clues as to the direction the EC is likely to take may be found in the new Regulation on notification of personal data breaches by public electronic communications service providers (Regulation 611/2013). While the breach reporting requirements mirror that of the Regulation in many ways, there are some subtle but significant differences.
Regulation 611/2013 has been introduced under technical implementing measures set out in the Privacy and Electronic Communications Directive and applies to providers of publicly available electronic communications services in the EU.
Companies subject to Regulation 611/2013 are required to notify their national competent authority within 24 hours of any personal data breach. They are required to give certain information about the breach including the date and time of the incident, the number of people affected and the sensitivity of the relevant data. If not all the information is available, they can supply it within a further three day period after the initial 24 hour period. If they still cannot give all the required information after that, they need to supply a “reasoned justification” for their failure to do so.
Relevant service providers also have to inform individuals of data breaches “without undue delay” where the breach “is likely to adversely affect the personal data or privacy” of those individuals. In assessing whether a breach needs to be notified to data subjects, factors like the sensitivity of the data, the circumstances of the breach and the recipient of the data will be relevant. Companies are exempt from requirements to notify data subjects if they can show they were using certain protective technological measures. The EC will be publishing a definitive list of these.
On the plus side, the assessment about whether to notify data subjects of a breach is left to the data controller rather than to the regulatory authority. In addition, a definitive list of technological measures which would exempt a data controller from the requirement to notify data subjects is sensible. However, while Regulation 611/2013 does show some relaxation on timing of breach notifications to regulators, compared with the current provisions in the Regulation, the time frames remain tight and there is still no exemption for breaches of a minor nature.
The European Parliament’s draft
After protracted negotiations, the European Parliament adopted its proposed changes to the Commission’s draft Regulation towards the end of 2013, and the breach reporting provisions had indeed been somewhat watered down. The revised Article 31 states that a data controller has to report a breach to the supervisory authority “without undue delay” and the requirement to do so within 24 hours has been removed. The requirement on the processor to inform the controller of a breach has been changed from “immediately” to “without undue delay”. Information regarding the breach can also “if necessary, be provided [to the regulator] in phases”. It is interesting that the corresponding Recital to Article 31, Recital 67, has been amended so that the duty to report a breach to the supervisory authority within 24 hours has been changed to 72 hours. The Recitals serve to provide guidance on interpretation of the Articles of legislation. The 72 hour time limit is, confusingly, not set out in the Article itself so it is unclear as to how much force it has. The supervisory authority is required to keep a public register of the types of breaches notified.
In terms of Article 32 which deals with reporting data breaches to data subjects, there were no significant changes proposed, other than a slight extension of the circumstances under which data breaches need to be reported to include any adverse impact on the “rights or legitimate interests of the data subject”.
The European Council’s proposals
The Council has published its proposed compromise text for certain parts of the Regulation. It is important to note that they will not be agreed until there is agreement on the entire text.
The proposals for changes to Articles 31 and 32 go further than those made by the Parliament (perhaps unsurprisingly). Like the European Parliament, the Council suggests that data breaches be reported to the supervisory authority “without undue delay and, where feasible, not later than 72 hours of becoming aware of it”. The Council does, however, also include a qualification on the nature of the breaches which warrant reporting, saying that only a data breach “likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, [breach of … pseudonymity], damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage” need be reported. In addition, no notification to a supervisory authority is required unless notification of the data subject is also required.
Article 32 contains the same qualification on the type of data breaches which need to be reported to data subjects as that in Article 31. In addition, the data subject does not need to be notified of the breach if the data controller has implemented appropriate technological and organisational protection measures in relation to the data. The Council adds that this includes encryption and then introduces the concept that there need be no notification where the controller has taken subsequent measures to ensure that the high risk to data subjects is no longer likely to materialise. The requirement for the DPA to say whether or not these measures are sufficient to exempt the breach from notification has been deleted. The Council also allows for notification of data subjects by a public communication if it would involve disproportionate effort to notify individually.
The Council’s proposals do address the issue of what to do in case of minor or insignificant breaches but still fail to place any obligations on DPAs in terms of the timing of their response. However, this is a more sensible risk-based approach which places the onus on data controllers to make their own decisions as to when notification is required.
We still need to wait for the next official draft of the Regulation to see whether the lobbying has paid off and the data security breach reporting requirements become more realistic. This will only happen after the Council draft is officially approved and following trilogues between the Commission, the Parliament and the Council to rationalise the different proposals. The Council’s current proposals are significantly different to those of the Commission and the Parliament. It’s the Council which holds the real power in the game but it’s unclear who will win on this issue.
The costs of responding to data breaches – what does the future hold?
Data breach environment in the UK
In the UK, a data breach occurs when an organisation which holds personal data breaches the data protection principles in the Data Protection Act 1998. The seventh principle requires that appropriate measures are taken against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. A data breach arising from a business’ failure to put effective security measures in place over personal data processed by it or on its behalf, can result in the Information Commissioner (IC) taking formal action.
Data breaches frequently arise now because of the activities of organised criminals and hackers. Such data breaches are a part of the cyber security landscape, which itself is becoming a part of everyday life. Rarely is the topic of cyber security far from the news. Cybercrime was reported to cost the UK approximately £27 billion a year in 2013.
Given the proliferation of data breaches and the trend which suggests these will continue, this article considers the current costs of data breaches and what the future costs may be, particularly in light of the expected implementation of the General Data Protection Regulation in 2015.
Data breach environment in the US
In recent years, the US has generally had the most expensive data breaches, both in terms of the average cost per record and the average total data breach cost, with Germany close behind. In 2012, the US had an average cost per record of $188 and an average total data breach cost of $5.4 million. In the same study a year later, the average cost was 15% more than it had been in 2012. The US cost per record was $201 and the total data breach cost was $5.85 million.
Not unrelated, the US also spent the most on notification (US organisations on average spent $509,237 in 2013-2014). Notification spend covers IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts and other efforts to make sure victims are alerted to the fact that their personal information has been compromised. In 2012, it was found that the quick notification undertaken in the US was adding as much as $37 per record to data breach costs.
In the US, at least 46 States, as well as the District of Columbia, Puerto Rico and the Virgin Islands have enacted data breach notification laws. The state laws require companies or individuals that maintain unique personally identifiable information of individuals to notify those individuals if such information is lost, stolen or otherwise compromised. Beyond the legal requirement, many companies believe it is good business practice to notify affected individuals in the event of a breach. However, such activities do increase the costs associated with a data security breach.
The Target “mega data” breach
The well-known Target mega data breach demonstrates this. In 2013, payment card data from approximately 40 million credit and debit card accounts and 70 million individuals’ information (name, address, emails) was stolen from the point of sale system of Target, the US chain of supermarkets. It is believed this occurred as a result of malware that hackers introduced via the air conditioning contractor that was connected to Target’s systems. According to the Target Annual Report for 2013, this breach has cost $61 million to date. Expenses include costs to investigate the data breach, provide credit-monitoring services to customers, increase staffing in call centres, and procure legal and other professional services. Target intends to recover $44 million from insurance of the $61 million paid, but it also predicts significant future costs. More than 80 actions have been filed in courts and Target is maintaining $100 million of network-security insurance coverage, above a $10 million deductible.
Current UK data breach response costs
The UK still ranks as having a fairly high spend on notification at $275,858 on average per organisation, in comparison to other countries around the world. India, for example, spends $19,841 on average per organisation on data breach notification, but regulations are non-existent. Nonetheless, the UK’s costs are less than half of those in the US. In part this can be attributed to the fact that there is currently no general legal data protection obligation to notify either the IC or affected data subjects of a data security incident, even if there is a general assumption that serious breaches will be reported to the IC’s Office.
In addition, fines remain low. The IC’s Office imposed fines between 2013 and 2014 of £1.97 million (a decrease on the £2.6 million of fines it had imposed in the preceding year). This was despite the IC’s Office investigating a record number of 1,755 data protection cases, representing an increase of 385 on the previous year. There have also been very few claims in the UK. This is likely because of the difficulty in establishing the damage that has been suffered and because of the costs involved with litigation, making it simply uneconomical to bring a claim. Neither have group litigation orders been used to bring claims, no doubt for similar reasons. Therefore, despite the potential costs for an organisation in responding to a data breach, in the UK these have remained relatively low.
The impact of the General Data Protection Regulation
However, with the expected introduction of the General Data Protection Regulation in 2015, this looks set to change.
First introduced in 2012, the Regulation has attracted significant interest, not least for headline-grabbing proposals such as the ‘right to be forgotten’. Also attracting attention is the fact that in its latest iteration, the Regulation allows the supervisory authority (the public authority in each Member State responsible for ensuring the application of the Regulation) to impose a fine of whichever is the higher of up to €100 million or 5% of the annual worldwide turnover in the case of an enterprise. The fine was originally set at a maximum of €1 million or 2% of an enterprise’s annual worldwide turnover.
Furthermore, the Regulation introduces a compulsory notification obligation, as explained in detail in the previous article (Data breaches – what can we expect from the EU?). Data controllers will be required to notify a supervisory authority without undue delay on becoming aware of a personal data breach. When the personal data breach is likely to affect adversely the protection of the personal data or privacy, or the rights or legitimate interests of the data subject, then after notification to the supervisory authority, the controller will need to notify the data subject without undue delay. Not only will it cost organisations which control and process data to put in place the necessary IT systems for such notification, but (as can already be seen from the US’ example), it is also likely that the outcome of such notification will be increased costs because of call centre staff, breach investigations, expert advice and potentially claims – which may, of course, be covered by insurers if an appropriate policy is in place.
These new notification requirements added to the substantially increased regulatory fines will, no doubt, encourage litigation where organisations in the data chain (i.e. processors, controllers and recipients) seek to blame each other for breaches and consequently pass on liability for such costs. In short, the future for data security breaches in the UK looks expensive.
Hacking as a Service – what does it mean for businesses?
The HaaS model
“Hacking as a Service”, or HaaS, is a term which is gaining traction and describes a “new model” for hacking and data theft. Without necessarily having the technical expertise themselves, an individual intent on hacking a rival, stealing data or simply damaging a business now has the option to pay someone else to do the work.
Botnet capacity for DDoS (Distributed Denial of Service) attacks can easily be bought on hacking forums, as can malware such as Blackshades, which was the subject of over 100 arrests of its users by the FBI. On the more extreme side, hackers advertise information about zero day vulnerabilities for sale, although this information is much more valuable (and so expensive). Alternatively, for those looking for more specialist capability, hackers advertise their abilities to write malware to target a specific organisation. All of this means that the model for cyber criminality is changing. This article considers what effect this has on cyber security risks.
The HaaS model means that the number of potential cyber criminals in possession of sophisticated tools may increase very substantially. If all you need is a credit card to buy a Blackshades licence for US$40, then not only is the number of potential cyber criminals increasing (because the necessary tools are easily accessible) but the ability of those cyber criminals to cause damage also increases substantially, because they can cheaply acquire powerful tools that they could perhaps not code themselves.
Within that group, however, will be a significant proportion of potential cyber criminals who are not sophisticated enough to make full use of the available tools, or who are not prepared to put the time and effort into social engineering to maximise their capabilities. This group probably does not substantially change the threat landscape for a well-equipped information security team within an organisation of well-trained staff who are aware of the potential threats. It is however likely to change the threat landscape for SMEs who may not have the security sophistication or staff training programmes of larger organisations with a greater IT spend.
Opportunities for sophisticated cyber crime
For more sophisticated cyber criminals, HaaS gives rise to a number of opportunities. Paying someone else to provide a service frees up time and capabilities elsewhere. It also allows scale and multi-faceted attacks which might not otherwise be achievable, for example buying botnet capacity for large-scale DDoS attacks and then seeking to take advantage of vulnerabilities which may be triggered as a result. Tools available through HaaS make it easier for criminals to “recruit” their own botnets for use at a later date. “Doxing” is paying others to provide an information gathering service, which can then be used to enhance social engineering attacks. Some of this information is likely to have been gathered using malware to access non-publicly available information, for example attacking a home computer to gather personal information which is then used for an attack via a work account.
It is at this more sophisticated end of the spectrum that HaaS gives rise to greater risks for both small and large organisations which hold valuable data assets. The emergence of HaaS means that a broader range of potential cyber criminals has access not only to more sophisticated tools, but also a broader range of tools. The ever increasing amount of information online and in the cloud, and the difficulties which can sometimes arise with organisations identifying intrusions quickly, mean that HaaS will increase the risk profile of many organisations.
One key area in which many organisations can improve their position (both in terms of protecting data and minimising legal risks) is identifying intrusions more quickly. While recent market information indicates that there has been some improvement in this area, the picture is still not promising. The average time taken to identify an advanced persistent threat (APT) is still around 220 days (down from 270 days a few years ago), and in the vast majority of attacks the data needed to discover an intrusion was available, but it was not identified. As attacks become more sophisticated and regulators are, in Europe at least, looking to take a tougher line on security breaches, there is likely to be more scrutiny as to why breaches were not identified, either at all or sooner. The draft General Data Protection Regulation, when it is eventually passed, will increase maximum fines to the greater of €100 million or 5% of global turnover. This means that organisations will need to be much more sophisticated in identifying intrusions quickly, and aware of the risks arising out of the emergence of HaaS.
Big data and data security
What is “big data”?
Big data has for some time been one of the buzzwords used when describing how technology will change the world.
However, it is only more recently that big data analytics has entered the corporate mainstream, with more and more companies now confirming that they are using, or are looking to use, big data analytics in their business. However, the concept of big data raises a number of issues for data protection and data security, and while there has been no major breach of big data datasets to date, it is only a matter of time before this happens.
There is no single generally accepted definition of big data, but one of the most commonly accepted descriptions is “high volume, high velocity and high variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision-making.”
Increases in processing power and declining storage costs mean that we are creating more data than ever before, with IBM estimating in September 2013 that 90% of the world’s data was created in the last 2 years, and Google processing 24 petabytes of data every single day. Businesses and governments are looking at ways to harness this volume of data, and the ability to process unstructured data, to find correlations and patterns in data that they would otherwise have been unable to detect.
“N=all” and handling of “big data”
However, the very nature of big data does mean that careful consideration needs to be given to how data is handled. Big data often means combining datasets to create as large a dataset as possible, and holding and analysing as much data as possible. The term “N=all” is often used, i.e. the dataset to use is “all available data”. This goes against traditional data protection principles, which hold data minimisation as one of the key requirements. It also means that, even where data is theoretically anonymised (and the impact of big data on anonymisation is the source of another article in itself), big datasets will be a target for cybercriminals simply on the basis that the aggregation of data in one place makes it a target.
On the subject of anonymisation, the jury is still out but it is clear from studies already published that big data does afford some ability to re-identify individuals from theoretically anonymised datasets. At the moment, it looks as though this is in fact an issue arising from poor anonymisation techniques.
In addition to the issues raised by “N=all”, one of the other issues with big data processing arises because often it will not be clear what data will be used for in the future, so big data seeks to retain datasets for as long as possible. Big data analytics is about finding unexpected correlations and taking advantage of them; while to some extent one can predict what datasets may be used in future, this ability is limited in scope with big data. This means that some of the protection afforded by the requirements to (a) only use data for the purpose for which it was collected and to (b) hold it for the minimum time to achieve that purpose may be lost with big data processing.
Transfer to third parties
Allied to this is the risk that organisations take when transferring datasets to third parties for analysis. As organisations do not necessarily hold, or have access to, all of the data that may be necessary for an analytics exercise, they may transfer their own data to a third party to combine with its data for analytics. Alternatively, an organisation may transfer data internally to a business analyst team. In each case, the organisation needs to ensure that it is not moving data outside its secure perimeters and therefore putting data at risk. This is particularly the case where businesses are moving to cloud storage solutions and some big data analytics tools are specifically designed to pull data from multiple sources in a network for analysis. Organisations need to be particularly alert to the risk that they render their carefully designed security protections irrelevant by inadvertently moving data outside those perimeters.
Big data as a detection tool
It is not, however, all bad news. Big data is also potentially a powerful tool in detecting security breaches. A Verizon paper estimated that information relating to around 80% of breaches was available in logs, but was not identified and acted upon. A major recent example of this was the Target security breach in the US, where tools detected the intrusion some time before it was identified but the information security team did not spot this. Big data analytics can assist organisations in sorting through false positives and analysing the mass of data produced by security tools.
In addition, there are larger scale projects such as SOLTRA and the FCAS, where financial institutions, critical infrastructure and regulatory bodies are sharing data and information to try to better protect against and respond to cyber threats. The issue remains that, while big data analytics should provide security teams with a tool to identify intrusions more effectively, the human element is still the weakest link. While big data presents new risks, and new tools to combat them, organisations will still need to ensure that they have adequate systems in place to ensure compliance with legal and regulatory requirements, and that they continually review their systems to keep up to date with the latest developments.
Reputation management following a data breach
Data security breaches almost always give rise to a risk of reputational damage to the company responsible for controlling and processing the data. From the moment the breach occurs, the media may start making inquiries and publish, Tweet or broadcast allegations about the breach. Also, there are likely to be worried or angry customers whose data has or may have been disclosed without their consent. They may publicise the matter in social media or inform journalists, as well as the regulator.
Whether the breach results from a third party supplier accidentally leaving a laptop on a train or from sophisticated hackers breaking through firewalls and encryption systems, it can lead to distrust of the company. In turn, this can result in lost sales and potentially a dip in share price.
Prior to a breach
Within a very short time after the breach, a journalist may be telephoning demanding to know what has happened and who is to blame. It is very important to be prepared for this. A company should plan in advance who will be part of its data security breach team, because it will need to react very quickly to try to preserve its hard-earned reputation. This team should ideally include one or more reputation management experts (preferably both legal and PR), as well as regulatory and litigation experts.
On the breach occurring
The following are recommended:
- A journalist could contact anyone in your organisation. Make sure that all employees (or suppliers) channel any inquiries to the relevant team dealing with the breach;
- Journalists may suggest that your company is to blame and/or ask what happened. In the beginning, you may not actually know what has happened and many rumours and accusations may be circulating. Try to demonstrate that the company is taking the matter very seriously and is fully investigating it. Be cautious about jumping to conclusions and blaming others before the facts are known;
- It may be that you were not actually to blame and a third party supplier caused the loss/breach. However, if you are the data controller for any affected personal data, you may be deemed to be responsible for the security of the data, even if you did not cause the breach. Furthermore, defaming a third party may expose you and the company to the risk of a defamation action. Two of the main defences to a defamation claim are (i) truth and (ii) honest opinion based on true facts; therefore, be sure of the facts before trying to blame others;
- chance to correct any false assertions or at least to get the company’s side of the story across. In England, it is very difficult to obtain a pre-publication interim injunction to stop someone saying something defamatory. Therefore, it is better to communicate the key message to the journalist. A ‘no comment’ response may be interpreted as an admission of guilt. It is possible to obtain an interim injunction in advance of publication to stop disclosure of confidential or private information. However, such claims can be defeated if the public interest in disclosure outweighs the public interest in keeping the information confidential or private. In the case of a data breach, it is usually likely to be in the public interest for the public to be made aware of the breach; and
- Be aware that anything you say to customers and/or journalists may be used by the regulator, the company’s insurers and/or in litigation against the company. The core team should control all communications in relation to the alleged breach. The company should try to prevent members of staff firing off personal Tweets and other communications, however good their intention.
Material already published by the media
If the media has already published false and defamatory allegations about the company, it may be possible to obtain a correction or apology by deploying defamation law and the relevant media regulations. It is generally easier for a media organisation to amend or add a statement to an online piece than to publish a correction in the hard copy edition. Moreover, online content is generally more important to correct or balance, since it is searchable and can be available forever.
Companies involved in a data breach are likely to find it difficult to rely on English defamation law for two reasons. First, a statement is not defamatory of a company trading for profit unless its publication has caused or is likely to cause the company “serious financial loss”. This will usually be difficult to prove in court unless the company can show that the publication (as opposed to the data breach) caused it to lose business. Second, the media can defend a defamation claim even if the allegations are false or cannot be proved. This applies to stories on a matter of public interest (which a major data breach usually will be) where the publisher reasonably believes that publishing the statement is in the public interest.
Allegations published in social media
In addition to journalists, customers and other members of the public or even competitors may comment on the breach in social media, e.g. on Twitter and Facebook and/or in the comments sections of news sites or the company’s website. People can be very quick to blame a company which has been involved in a loss or breach of data. It is, therefore, important for the company to be able to promptly communicate key messages via social media. The main things are to react fast, show that the company is doing everything it can to find out the facts and limit any damage, and correct any misinformation.
Our Cyber Liability and Data Breach Response Team
Our Cyber Liability and Data Breach Response Team is drawn from different parts of the firm, and comprises a large international team with over 20 partners, data protection analysts (including a former member of the Information Commissioner’s Office) and insurance experts.
We understand the interests of businesses and their insurers in minimising the risk of a data breach, effectively investigating a breach and managing the response process, and understanding whether insurance cover applies in relation to the breach.
On multi-jurisdictional incidents, our international team advises in the context of multiple regulators, not only in terms of data protection regulators in different countries, but also financial services and other sector regulators. We have also worked with incident specialists across multiple jurisdictions.
We can help clients by:
- Advising on insurance coverage issues surrounding cyber risks and data security;
- Co-ordinating and liaising with expert incident specialists in response to data breach incidents;
- Dealing with disputes and negotiations with Data Protection Authorities and regulators;
- Seeking urgent interim relief from courts;
- Conducting data protection audits and impact assessments;
- Advising on reputation and brand management;
- Advising on data retention policies; and
- Dealing with data breach notifications to the relevant authorities.
Please contact Susie Wakefield, or any of the international team, if you have any queries.
Following on from our sixth annual International Insurance Day in Munich, Germany, in November 2014, at which cyber liability was a featured topic, we will be hosting the future conferences listed below:
Annual Data Privacy Conference 2015 - Emerging