Last year cyber security breaches compromised the personal data of millions of individuals around the globe. According to the EU Agency for Cyber Security (ENISA), such breaches seriously affected individuals’ private lives, making them subject to humiliation, discrimination, financial loss, physical or psychological damage or even threat to life.

It goes without saying that the negative effects do not spare the organisation where the cyber security breach has occurred. Such breaches come with a number of adverse consequences, including delays in production and service delivery, damage claims and damage to reputation. Therefore, it is of the utmost importance that your organisation has all the necessary mechanisms in place not only to prevent cyber security breaches in the first place, but also to counteract them in time and in an appropriate manner when they have happened – because in case of doubt, criminal energy might crack every lock.

What is a Cyber Security breach?

A cyber security breach occurs when an intruder gains unauthorized access to an organisation’s protected systems and data. Attackers can initiate different types of security breaches, the most important of which are initiated through malware or phishing. According to a report by ENISA, the cyber threat landscape changed significantly last year, and the attackers’ success is (sadly) reflected in a new record number of security breaches reported in 2018.

Security breaches are not the same as data breaches, even though the two terms are sometimes used interchangeably. An incident is classified as a data breach if the cyber criminal gains access to personal or confidential information. A security breach will happen first, whereas a data breach may or may not follow.

What to do when a Cyber Security breach occurs?

When a cyber security incident is detected, several steps need to be taken in order to minimize any negative impact on your organisation and to comply with legal requirements.

Internal responsibilities and fact finding

Within the organisation where the breach has occurred, a responsible person has to be identified who will coordinate the incident management internally. It is crucial to involve the data protection officer (if appointed) at this point, too. All measures taken should be properly documented.

The incident has to be analysed thoroughly. Ideally, an IT forensics expert is called upon to help with the investigation of the attack. Information on the time and duration of the incident, as well as on the circumstances of its discovery, should be collected and documented. The security loopholes which made the attack possible in the first place need to be identified: if the causes of the incident are not understood, the risk of a repeated incident increases.

It is important to identify the affected hardware and software as well as, where applicable, to describe the specific kind of access to the systems that was gained by the attacker. Documentation of the affected persons (if possible, a quantifiable number) and of the affected data categories is necessary.

In order to understand the risks associated with the incident, it is crucial to find out whether personal data is affected, since in such cases adverse effects for individuals might be expected. For instance, if the organisation has been subject to a successful phishing attack, it is conceivable that cyber criminals collected passwords and have access to account information.

It should also be evaluated whether no, low, medium or high risks for the affected persons are expected as a result of the incident (as an example, check whether data subjects could receive unsolicited advertising or could be subject to identity theft).

The final evaluation of the associated risks needs to be communicated to the responsible person who is coordinating the incident management internally.

Identification of remedial actions

To remedy the adverse effects of a cyber security breach, mitigating measures have to be taken.

These vary depending on the type of attack an organisation is facing. For example, in the case of ransomware, the possibility of decrypting the encrypted data or restoring from backups should be checked. It may also be advisable to cut off the system’s connection to the outside world in order to contain the breach and ensure it is not ongoing.

Employees should be notified of cyber security incidents and advised on the technical and organisational measures that are being taken. If communication channels within the organisation are compromised, employees must be instructed on alternative methods of communication.

Notification of authorities

It is crucial to assess whether authorities need to be informed about the cyber security breach. In the EU, that is the case in particular if violations of the protection of personal data have occurred, although – depending on the industry of the attacked organisation – notification obligations may exist even if personal data is not involved.

The notification of personal data breaches shall be made without undue delay and, where feasible, not later than 72 hours after having become aware of the security breach.

Such notification has to include at least the following information: a description of the data breach (including the affected data categories, the number of persons affected, the number of data sets affected and the kind of breach); the name of the data protection officer or another responsible person; a description of the possible consequences of the breach for the persons affected; and a description of all remedial actions taken.

Also, the company should consider filing a criminal complaint with the police.

Notification of affected persons

In the EU, a notification of the persons affected is necessary where personal data has been breached and such breach is likely to result in a high risk to the rights and freedoms of individuals. The notification has to be made without undue delay, although the timeline is not as strict as for the notification of the authority.

Again, the name of the data protection officer or another responsible person, a description of the possible consequences of the breach for the persons affected and a description of all remedial actions taken need to be communicated.

In some cases, a “voluntary” notification might be issued. For example, it may be worth approaching customers and informing them even without a legal obligation when the breach has an impact on the customer, e.g. because there will be delays in the delivery of products or services.

Public relations

In order to minimize any adverse effects of a security breach in terms of media attention, it is recommended to prepare a press release for possible press inquiries. A notice to be published on the organisation’s website might also be prepared. Contact persons for inquiries shall be determined and communicated internally. Employees shall be informed on how to deal with inquiries (especially about the assigned communication channels).

Further obligations

Many other requirements will exist, depending on the scope and impact of the breach as well as on the jurisdictions and industries involved.

For example, in cross-border situations additional legal requirements may apply. Steps to mitigate potential damage claims will need to be taken. If a cyber security insurance or any other insurance potentially covering the incident exists, the incident should be notified to the insurance company in a timely manner.

Possible follow-up

By learning from the breach, a process for dealing with data breaches in the future should be established, in particular including a determination of responsibilities and communication channels. It may make sense to establish a data breach task force.

On a technical level, additional security measures may need to be implemented. It is also advisable to train employees regularly, both with respect to avoiding breaches in the first place and to dealing appropriately with them when they happen.

Organisations should, of course, take all the necessary steps to prevent cyber security breaches. The modern age of digitalisation, however, allows for a range of possible points of access into an organisation’s secured systems for external – and even internal – attackers.

It is crucial for companies to be prepared and get #b(r)eachready.