Over recent years, cyber-attacks and data breaches have become increasingly common. The introduction of the General Data Protection Regulation (GDPR) has seen a surge in breaches being notified to regulators and many further breaches being reported in the media. Helen Davenport provides insight into the key considerations of international data breach strategy.
The prospect for an organisation of having to engage with the UK's regulator, the Information Commissioner's Office (ICO), is greater than ever. With the increasing globalisation of businesses and an ever growing reliance on data, international data breaches are becoming increasingly common.
International data breaches pose additional issues compared with domestic breaches; the potential application of laws in a number of jurisdictions creates additional challenges for dealing with a breach if it is international in nature. Consequently, at our recent IT Masterclass we gathered data privacy specialists from our offices across the globe to discuss strategies to mitigate the potential impact of data breaches and lessons learned from previous data breaches.
What should businesses think about when it comes to an international data breach strategy?
Any breach strategy should start with security measures to avoid a breach in the first place; prevention is better than cure. A recent example of an international data breach concerned Equifax Limited. Equifax was fined £500,000 by the ICO, the maximum possible fine at the time, as the events took place in 2017 and the investigation had to be carried out under the Data Protection Act 1998 rather than the current GDPR.
The data breach took place in the US; however, the ICO was concerned because the breach affected up to 15 million UK citizens. An example of Equifax's failings cited by the ICO was poor retention practices, in particular that the compromised data included data that should have been deleted in the US once the UK company had taken over certain processing activities. In other examples of breaches, the consequences have been exacerbated by the compromised data and the encryption keys being stored on the same system, making it easier for cyber criminals to obtain both.
Organisations should also consider auditing, or requiring the self-certification of, their data processors. They should not underestimate the role played by human error and/or incompetence in data breaches, and should provide appropriate training for employees.
What else can businesses do to mitigate the risk of an international data breach?
A key element of an organisation's international breach strategy should be incident response planning. Gowling WLG have seen and assisted with data breach incident response plans taking into account the notification and reporting obligations from a number of jurisdictions, as well as any relevant sector specific reporting obligations. We have done this using schedules and charts to help organise and present the information.
An international data breach response plan should be reviewed for the major jurisdictions of operation for the organisation concerned. If a breach occurs an organisation will be under considerable pressure to manage the situation and respond in a timely manner, for example due to the requirement to notify breaches within 72 hours under the GDPR unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
A well prepared breach plan will save time and if a breach does occur it enables organisations to focus on meeting any notification requirements. A breach plan will also help with prioritisation and ensuring a consistent breach response.
Incident response plans need to be treated as living documents; in particular, they need to be reviewed for legal developments. This is particularly relevant in the US given the de-centralised nature of the breach notification regimes and the fact that there are 50 different regimes that are constantly changing.
Given the attention that data privacy issues are receiving globally and other jurisdictions having introduced new legislation in this area, such as the GDPR, jurisdictions that currently have little in the way of data protection legislation are also expected to introduce their own new laws in the not too distant future.
If you are using a data breach incident chart of the type commonly appended to an international data breach response plan then this needs to be periodically reviewed by legal counsel for any updates.
When treating an incident response plan as a living document, it is important to have practice runs with the international data breach team identified in the plan. These may help shine a spotlight on practical issues not foreseen when the plan was crafted. For example, if there are any local language issues, how will these be addressed?
Finally, it is also important to monitor for threats. We are seeing regulators increasingly interested in the technological security measures that organisations have in place to protect personal data. They will expect a robust security programme and will evaluate the breach incident from that standpoint, particularly if sensitive or special category personal data is involved.
What strategies can organisations deploy when a data breach arises?
Stopping any further data loss is clearly a priority, but at the same time organisations should ensure they notify insurers, to avoid any issues with failure to notify resulting in the incident not being covered. The insurers may also be able, or wish, to provide support in dealing with the incident, which you may want to take advantage of.
Organisations should also take steps to protect the documents they create in relation to the incident where possible, particularly where what has happened and the potential consequences are uncertain. When it comes to internal investigations and legal privilege, there may be distinctions between the relevant jurisdictions as to when internal or external legal counsel should become involved in order for the documents to attract privilege; this should be considered as part of incident response planning and documented accordingly.
Another common error we have seen with international data breaches is a failure to notify not only the affected parties and the regulator but also other potentially interested parties. In particular, and this relates to data mapping exercises, it is important to recognise that personal information held by an organisation may be under the custody and control of another organisation; in that case the responsibility of the organisation experiencing the incident is to notify the controller immediately. These concepts are much clearer under the GDPR than in some other jurisdictions, and it is not always apparent which party is the controller and which is the processor; the terms of the relevant contractual agreements need to be reviewed and taken into account.
A common misconception concerns how low the risk-of-harm threshold is in some jurisdictions: in many jurisdictions, including Canada, reputational risk or embarrassment is seen as generating just as serious a risk as other forms of harm.
It is also important to keep the big picture in mind, to remember that regulators share information, and to expect the unexpected. We have seen a number of examples where a regulator that a client has not engaged with has become aware of a data breach from another regulator or a third party source and has proactively approached the client to find out why the breach had not been reported to it. In some cases, those regulators have also enquired about the technological security measures the client has in place.
What about when the breach has been dealt with?
Any organisation that experiences a data breach should take the time afterwards to evaluate its response and the lessons that can be learned for next time, should the organisation be unfortunate enough to experience a repeat incident. The experience of handling a breach provides a valuable source of information. Furthermore, regulators will expect organisations to take steps to avoid repeat incidents, and those that do not risk enhanced regulatory activity, including fines. One lesson we commonly see being learned concerns the issues that can arise from having devoted too little resource to dealing with incidents involving data protection and cyber security more generally.