Can You Have a 'Good Data Breach'? Three Components of a Robust Response
Legal, privacy and investigations professionals are all familiar with nightmare data breach stories. We know that organisations around the world suffer incalculable losses due to data breaches, including reputational damages. With this in mind it is sobering to see that executives do not see their companies as having improved much in terms of readiness to respond to data breaches in recent years.
Does this attitude signify widespread pessimism and hopelessness, or a refreshingly realistic posture in the face of one of the biggest dangers for any organisation? After all, we understand the anatomy of data breaches better than ever before, and boards are starting to take data breach response protocols more seriously. However, confronting a hypothetical threat is very different from responding to the real thing.
At A&M we regularly work on data breach responses with a variety of corporate clients. There are a few common threads that define the most successful data breach responses, which we discussed on a recent webinar in association with Global Investigations Review. Cyber, forensics and privacy components are at the core of successful data breach responses. When each component is executed in a cohesive way, the consequent data breach response helps companies preserve critical data and intellectual property while safeguarding brand reputation.
The cyber response
Too often, management simply don’t know what to do when an attack or data breach is uncovered. Failing to integrate the different response initiatives and adopt centralised control is unlikely to lead to a successful response.
With this in mind, the first key action taken should be to establish a 24/7 war room that brings together key internal stakeholders (CEO, CFO, CRO, COO, CIO, CISO, General Counsel, CHRO, the Data Protection Officer and potentially others depending on the organisation). You will also need to involve key partners who bring outside expertise in legal, insurance and communications.
The first job is to gauge what damage has been done. Is the production of goods or delivery of services compromised? Has personal data been affected? Establishing connectivity is vital, particularly in a remote working situation. Can you reach all your other offices and all relevant individual stakeholders who will be needed in the response?
It is worth reiterating that key stakeholders go well beyond the IT team. Take a ransomware attack, for instance. As well as technical discussions, you will need to establish with legal counsel whether a ransom payment is legal; determine with your insurer whether the payment will be insurable; and construct a message for customers, partners and media with crisis communications experts.
During this process the CEO should function as the conduit between all internal and external allies. This will help information gathering happen in a structured and coordinated way, in turn aiding the delivery of robust forensics and privacy responses (see below). ‘Lessons learned’ exercises should commence as soon as possible during the investigation itself, focusing on the activities that will mitigate the damage done to critical business assets in the event of another attack.
The forensics response
The key questions from a forensic point of view inevitably concern data. Is any data missing? If so, which pieces of data, and how much is gone? We adopt a five-phase approach when addressing the forensic element of a data breach response.
- Use network and system data to understand what normal looks like, so that anomalies stand out, and acquire the relevant data.
- Create a chain of custody that preserves solid evidence of what happened and when. This is essential further down the line if in-court testimony is required.
- Detailed analysis: assess network data, log files, server data and more. The central goals here are to paint a clear picture of what has happened and, in so doing, to establish whether personal data was compromised and how many records were affected. You should also aim to ascertain whether the attackers still have access to any part of your ecosystem and, if not, how long the attack lasted.
- Once these stages are complete, reporting can begin. Internal documentation of everything relevant is a must, and if appropriate an expert witness report should be commissioned.
- The last phase involves testimony in court, should this situation arise. The work done through the earlier phases will aid the objectivity and thoroughness of any official testimony.
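The chain-of-custody phase above is the one where a small amount of tooling pays off later in reporting and testimony: every artefact acquired during the investigation should be hashed at acquisition, and every handling step should be logged in a way that cannot be quietly edited afterwards. The following is an added example, not A&M's own code or method, of a hash-chained custody ledger in Python. Each entry records the artefact's SHA-256, who handled it, what they did and when, and also the hash of the previous entry, so that altering or deleting any earlier record breaks the chain and is detected by `verify()`. The artefact names, custodian IDs, timestamps and the two sample artefacts are constructed for the example.

```python
"""Tamper-evident chain-of-custody ledger for breach evidence (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artefacts standing in for real acquisitions
# (a firewall log export and a disk image fragment).
SAMPLE_FW_LOG = (
    b"2024-03-02T01:14:07Z DENY tcp 203.0.113.45:51822 -> 10.0.5.21:445\n"
    b"2024-03-02T01:14:09Z ALLOW tcp 10.0.5.21:49211 -> 198.51.100.9:443\n"
)
SAMPLE_DISK_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_entry(prev_hash, artefact, artefact_bytes, custodian, action, timestamp):
    """Build one ledger entry whose entry_hash covers all its other fields."""
    entry = {
        "prev_hash": prev_hash,
        "artefact": artefact,
        "artefact_sha256": sha256_hex(artefact_bytes),
        "custodian": custodian,
        "action": action,
        "timestamp": timestamp,
    }
    # Canonical JSON (sorted keys) so the hash is reproducible on re-verification.
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    return entry


class CustodyLedger:
    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self):
        self.entries = []

    def record(self, artefact, artefact_bytes, custodian, action, timestamp=None):
        """Append a handling event; returns the new entry's hash."""
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = make_entry(prev, artefact, artefact_bytes, custodian, action, ts)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, index_of_first_bad_entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if entry["prev_hash"] != prev or recomputed != entry["entry_hash"]:
                return False, i
            prev = entry["entry_hash"]
        return True, None

    def verify_artefact(self, artefact, artefact_bytes):
        """Check current bytes against the hash recorded when the artefact was first logged."""
        for entry in self.entries:
            if entry["artefact"] == artefact:
                return entry["artefact_sha256"] == sha256_hex(artefact_bytes)
        return False  # never acquired: nothing to compare against


def build_sample_ledger():
    """Constructed walk-through: acquisition, hand-over and analysis of two artefacts."""
    ledger = CustodyLedger()
    ledger.record("fw-export.log", SAMPLE_FW_LOG, "analyst-01", "acquired from firewall console",
                  "2024-03-02T03:10:00+00:00")
    ledger.record("srv21.img", SAMPLE_DISK_IMAGE, "analyst-01", "imaged with write blocker",
                  "2024-03-02T04:45:00+00:00")
    ledger.record("srv21.img", SAMPLE_DISK_IMAGE, "analyst-02", "received for analysis",
                  "2024-03-02T09:00:00+00:00")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    ledger.entries[1]["custodian"] = "unknown"  # simulate an after-the-fact edit
    print("after tampering:", ledger.verify())
```

In practice the ledger would be written to append-only storage (or signed and stored with the insurer or outside counsel) rather than kept in memory; the point of the hash chain is that a record of what happened and when can be shown to be unaltered since it was made, which is what the later reporting and testimony phases depend on.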
You should seek to put in place a framework that adequately protects data according to its importance, with more spending being allotted to the data that underpins critical systems. (This includes holistic measures such as security awareness and effective training for staff.)
The privacy response
Data breaches involving personal information concern different stakeholders in very different ways. There is the direct impact on customers and data subjects whose personal information may have been breached, of course. But regulators are another critical concern. One of your first actions following a data breach should be preparing to notify the appropriate regulator within the stipulated time period (in some countries within 72 hours from the discovery of the breach). On top of this, supplier and partner agreements may include data breach notification clauses.
All this means that you could have several notifications to make. Understanding which stakeholders and jurisdictions are involved, and what information is required to be disclosed in the notifications themselves, are essential components of any data breach response. Happily, they can be managed ahead of time by creating tailored trackers and templates and understanding the right format for responses to regulators.
More technical security considerations include understanding the robustness of encryption used and the depth of the data stores affected.
Once again, communications can make a big difference in managing your response. Setting up dedicated microsites, phone lines and social media accounts for affected data subjects can improve the speed with which complaints and other privacy issues are triaged and addressed, without overwhelming business as usual. Speed of action is the number one determinant of a successful response and can materially affect how you are perceived by regulators, investors and customers.
In summary: a ‘data breach ready’ mindset can pay dividends
Too often, words like “rush”, “panic” and “frantic” come up when companies speak about data breaches and the resulting investigations. But these are the traits that most often lead to inadequate responses, risking greater financial loss, intellectual property infringement and reputational damage. Instead, you should remain calm, get the right professionals involved, and plan out what needs to be done with the aid of pre-prepared documentation.
This involves a substantial amount of work ahead of time. Do your ‘war room’ stakeholders know their roles? Do you understand what normal looks like for your organisation, so as to provide a head start for the forensic analysts? Do you have templates by which you can notify regulators, suppliers and customers of the breach? Taking these steps can help to fix the roof while the sun is shining, preparing the business for an effective data breach response. Being ‘data breach ready’ can mitigate financial and reputational risk and provide a stronger platform from which to rebound.
A&M: Leadership. Action. Results.
Corporates, private equity, and law firms around the world rely upon independent experts in high-stakes disputes, litigation, investigations, cyber security and privacy matters. Alvarez & Marsal’s (A&M) recognised experts are responsive, hands-on, and credible with management teams, in-house counsel, regulators and government entities. We not only bring strong industry expertise in a wide range of sectors, we also bring value to every phase of a dispute or investigation, including early case assessment and strategy, discovery, damages analysis, adjudication, settlement and remediation. A&M’s experts have extensive experience analysing complex data, navigating privacy and cybersecurity challenges, developing and implementing solutions to address business-critical risks.