UK Data Risks Incident RoadMap

Transcription

1 Data breach summary steps Hiscox s data breach Experts

2 Knowing what to do in the event of a data breach ( security incident ) can make the situation much less daunting when it may seem like your house is falling down around you. As part of your Hiscox Data Risks policy, we have produced this UK Incident RoadMap. It can sit alongside your own more detailed Incident Response Plan and help your Incident Response Team manage a security incident. This Incident RoadMap could also be used as a basis for your Incident Response Plan, as a training aid or as a practical guide. Note, however, that this is a broad guidance checklist and is not intended to provide legal advice. The circumstances of any security incident can vary widely and specific advice should be sought in particular cases. It is important that you consider early on what external advice is required and whether any of the following actions will need to run simultaneously. IMPORTANT: Complying with the guidance in this note does not remove your need to notify Hiscox. You should check the wording of your policy to ensure that any obligations are complied with. With a growing number of security incidents, it is good practice to prepare and adopt an Incident Response Plan in advance of it being required to enable you to quickly contact your core team i.e. the lead identified in the Incident Response Team - and move into action immediately once you are made aware of problems. In these cases speed can be of the essence. The Information Commissioner has the power to impose financial penalties on an organisation if satisfied that there has been a serious breach of one or more of the data protection principles by the organisation and the breach was likely to cause substantial damage or distress. The possibility of a penalty can be exacerbated by a failure to handle a breach properly. One of the first steps to take when you suspect a security incident is to notify the Incident Response Team and all staff should know how to do so. The core team should consist of employees from a number of departments across the organisation, for example legal, IT Security, audit, finance, HR and public relations. It is important to appoint one person as the leader of the Incident Response Team and that person should be responsible for managing any communications to people outside this core team. In most cases, the Incident Response Team will not only involve your local Hiscox Data Risks Expert, but also our specialist partners, which may include IT forensics, legal experts, public relations, call centre, notification and credit protection service providers.

3 Actions 1. Decide on who should take the lead on dealing with the security incident; ensuring they have the authority and, if necessary, budget, to employ the appropriate resources. Ensure that the lead informs one person from the senior management team (CEO, COO, CIO etc.) about the security incident. 2. Establish who within the organisation and externally beyond your Incident Response Team needs to be made aware of the security incident and inform them of what they are expected to do to assist. Advise team members and others to observe confidentiality until you have made any disclosure decision. 3. Assess whether your organisation acts as a data controller or a data processor? If you are the data processor, the relevant data controller should be notified about the security incident. The onus will be on the data controller to determine the response to the security incident. It is possible that there could be multiple data processors and data controllers. 4. Ensure that every person provided with information about the security incident understands the need for confidentiality. 5. Do not broadcast the problem until the situation and the relevant factors are established. In particular, beware of tipping off anyone who might be able to take advantage of weaknesses in systems. 6. Consider whether either in-house or external expertise is required. Remember that inhouse legal advice will not be protected by legal professional privilege. 7. Task the security / IT support team to provide an immediate response to assess the best way to rectify the security incident and, if the security incident poses a continuing risk, ensure that this is done as a matter of urgency. The security / IT team should also be tasked to investigate the cause of the identified weakness, limit the damage and recover lost data if possible. When possible, retain, isolate, and make back-ups of the systems and information affected by the security incident. The investigation and remedial action will be fact specific and the project may have to be done in stages. Set timelines for reports, and ensure all issues / considerations / actions are appropriately recorded. 8. Throughout the process ensure that all investigations are properly documented and could be made available for subsequent review or audit. Risk assessment 1. Assess your contractual obligations and liabilities if you are a data processor and if you are the data controller, what contractual obligations and liability any data processors may have in connection with the security incident. 2. Carry out an initial risk assessment which can be added to as the IT / security reports become available. In doing so have regard to the guidance from the Information Commissioner's Office and any other regulatory guidance. Consider: a. What type of information is involved? Is it commercial or personal? b. What can happen to the information? How could it be used to a detrimental effect? What actions could be taken to deal with those effects? c. How many individuals' personal data are affected by the security incident? d. If data has been lost or stolen, are there any safeguards in place such as encryption? e. Is it a 'serious breach' in terms of the DPA? For serious breaches of the DPA, the Commissioner, in addition to its other powers under the DPA, can impose monetary penalties of up to 500,000. A serious breach will include where the data controller either: i. deliberately contravened the Data Protection Act; or ii. knew or ought to have known that there was a risk the contravention would occur, and that it would be likely to cause substantial damage or distress, but still failed to take reasonable steps to prevent it from happening.

4 Notification 1. Consider whether you have obligations to notify the security incident and who might need to be notified. Those you may need to notify might be regulators, commercial partners, joint controllers, individual shareholders, customers or third parties such as the police, insurers or trade unions. List all and note your decision. In particular consider: a. Have there been any criminal activities and, if so, have the police been notified? b. Are you subject to FSA or PCI DSS obligations? c. Are you a provider of telecommunications that has to comply with the Privacy and Electronic Communications Regulations? d. Do you have contractual obligations to any party? e. Do you have common law obligations to any party? For example, has any confidential information been disclosed? f. Do you have sector or other policy obligations to notify the ICO? g. Do you consider you should voluntarily notify the ICO? h. Consider notifying other stakeholders. 2. If you are notifying individuals, consider whether you would need to notify the ICO. 3. Ensure that if notification is chosen the material submitted to regulators meets the requirements stated in any guidance. 4. Consider how notification can be made appropriate for particular groups of individuals. If you are notifying a commercial partner can you agree on confidentiality? Control of communications 1. If the security incident is going to become public consider how you handle the PR and ensure that all public interfaces are appropriately managed. 2. If you are notifying individuals consider having a press statement ready before you do so. You may also need to set up a call centre to deal with queries, giving the staff preprepared scripts to handle frequently asked questions. Evaluation 1. Report upwards in the organisation in an appropriate manner and ensure all decisions are signed-off at an appropriate level. 2. Review any HR implications, for example if the weakness was caused by failure by staff to meet company security or IT use standards. 3. Ensure that the remedial action deals with both putting any weakness right and closing any loopholes in the processes and systems. This may including updating existing policies to reflect lessons learned from the security incident. 4. Consider whether staff issues are involved or disciplinary matters arise. 5. Monitor staff awareness of security issues and look to fill any gaps through training or tailored advice. 6. Evaluate the performance of the Incident Response Team in dealing with the security incident.

5 Hiscox s Expert Partners In the unlikely event that you are unable to reach the Hiscox Data Risks Team, you may wish to contact a legal, forensic or PR expert for initial advice. In this instance, you can contact any of the below firms. Law Firms Pinsent Masons Pinsent Masons Cyber and Data Breach breach@pinsentmasons.com Contact 1: Marc Dautlich Marc.dautlich@pinsentmasons.com Office: Mobile: Contact 2: ian.birdsey@pinsentmasons.com Office: Mobile: Wragge Lawrence Graham & Co Contact 1: Kirsten Whitfield kirsten.whitfield@wragge-law.com Office: Mobile: Contact 2: Patrick Arben patrick.arben@wragge-law.com Office: Mobile: IT Forensics KPMG Contact 1: Darren Pauling darren.pauling@kpmg.co.uk Office: Mobile: Contact 2: Aaron Stowell Aaron.stowell@kpmg.co.uk Office: Mobile: Stroz Friedberg Contact 1: Seth Berman sberman@strozfriedberg.co.uk

6 Office: Mobile: Contact 2: Spencer Lynch Office: Mobile: PR Hill & Knowlton Contact 1: Giles Read Office: Mobile: Contact 2: Tim Luckett Office: Mobile: Reminder: This document is a broad guidance checklist and is not intended to provide legal advice.