Presented by Dr Sam De Silva, partner at Nabarro, to over 100 CEOs and executives in London.
Explains what leaders should do immediately after becoming aware of a cyber attack, from a legal perspective.
2. First presented in October 2016. For other presentations at this event, see
www.linkedin.com/company/cyber-rescue-alliance
3. Cyber Attacks: A Legal Toolkit to Manage Risk
Dr Sam De Silva
Partner – Head of the Commercial IT & Outsourcing Group, Nabarro LLP
International Advisory Board – Cyber Rescue Alliance
13 October 2016
4. Outline
• Action on becoming aware of a breach
• Notification
• Contractual analysis – breach caused by a counter-party to a contract
• Further investigations and lessons learned
• Key action points
5. Immediately after Becoming Aware of an Attack
• Mobilise the Incident Response Team (IRT) and implement the Response Plan
• Specialists across the business:
– HR, IT, security (IT and physical), legal, compliance, PR
– internal and external (particularly IT, PR and legal)
– appropriate seniority
• Trained in advance (and having rehearsed various scenarios)
• Clear about who is taking ultimate responsibility
• Need to understand and be aware of sector-specific legislation / guidance
• Work with external lawyers to manage the creation and distribution of documents during the response to the incident, to maintain both confidentiality and privilege in documents containing legal advice
6. Initial Damage Limitation
• Implement the steps required to stop or contain the breach
• Many attacks are ongoing and repeated – this may involve the temporary suspension of affected systems or websites
• If the ICO is notified or becomes involved in a data security breach, it:
– will want to know what has been done to stop or mitigate the breach
– will want to know what the business will do to ensure future compliance
7. Breach Impact and Risk Assessment
• Verification
• What has happened to the data
• The type of data affected
• The degree of sensitivity of the data
• Any protections in place, such as encryption
• How many individuals are involved
• Who the individuals are
• The potential detriment to individuals
8. Responding to Threats and Extortion
• Seek legal advice
– Payment of a ransom may be a criminal offence
• Validation
• Technical solutions
9. Consider who Needs to be Notified
• ICO / Regulators
– no regulatory obligation to notify the ICO [current law]
– notification for "serious breaches":
  – a large volume of personal data is involved and there is a real risk of individuals suffering some harm
  – the breach concerns information that, if released, could cause a significant risk of individuals suffering substantial detriment – sensitive personal data
– legal requirements to notify, under sector-specific legislation
– contractual requirements to notify
• Insurers
• Bank / credit card companies
• Police
• Data subjects
10. Notifying Data Subjects
• The ICO cautions against the dangers of "over notifying" data subjects
• Need to consider:
– how notification could help the individual
– providing assistance in dealing with practical issues, e.g. identity fraud checking services
– the most appropriate way to notify, taking into account the security of the medium as well as the urgency of the situation
• Notification could include:
– a description of how and when the breach occurred
– what data was involved
– details of what has already been done to respond to the risks posed by the breach
– contact details for further information or to ask questions, such as a helpline number or web address
• Seek legal advice prior to any notification
11. Check the Contract (1) – Breach caused by a counter-party to a contract
• Do you have a claim for breach of a specific data protection or security obligation?
• Consider a claim, or any liability, for breach of confidence or a failure to take reasonable skill and care
• Does the breach give rise to a right to claim damages?
• Is the value of the claim limited by the contractual limit of liability?
• Are the costs incurred as a result of the breach recoverable?
• Can any liability you may have following the sanctions taken by the ICO be transferred to the data processor?
12. Check the Contract (2) – Breach caused by a counter-party to a contract
• Does the breach give rise to a right to terminate the contract?
• Consider whether the breach is sufficiently serious to give rise to the right to terminate the contract at common law for repudiatory breach
• Does the data security breach trigger any other aspects of the contract, such as audit rights or the implementation of business continuity and disaster recovery plans?
• Are there any specific contractual administration matters that need to be observed to preserve rights, such as compliance with notice provisions or prescribed alternative dispute resolution procedures?
13. Further Investigations and Lessons Learned
• The investigation should include a review of whether appropriate security policies and procedures were in place – and whether they were followed
• Where one or more data processors may have caused the breach, consider whether adequate contractual obligations were in place to comply with the DPA – are they in breach of contract?
• Where security is found not to be appropriate for the purposes of the DPA, consider what action needs to be taken to raise data protection and security compliance standards to comply with the DPA
• If the ICO is notified or becomes involved in a data security breach, it is likely to request this information
14. Key Action Points
• Verify the breach
• Determine the extent of the breach
• Contain the breach
• Consider what data is affected, if any, and what risks arise as a result
• Consider whether there is a compulsory requirement to inform anyone (regulators, data subjects, suppliers, and so on) of the breach, or whether there are good reasons to do so even if there is not
• Consider any communications in the light of regulatory requirements, public relations considerations and litigation risk
• Review and modify systems and processes in the light of the experience, to limit the risk of recurrence and to make sure the response is as effective as possible if it does recur
15. Thank You
Dr Sam De Silva
T +44 (0)20 7524 6223
s.desilva@nabarro.com
17. Example Alliance Partners
• Security Scorecard to auto-review suppliers
• Cost-effective online staff training
• SEC-1 to conduct penetration testing
18. Join Cyber Rescue
Cyber Rescue is a membership organisation that helps CEOs lead recovery from cyber attack. Cyber Rescue operates in 9 countries across Europe, helping leaders protect reputation and revenues when hackers break through.
Members benefit from Executive Role Plays, bespoke Commercial Response Plans, and expert Coaching during a catastrophic breach. Cyber Rescue's advisors have led the response to thousands of cyber attacks and hundreds of breaches. The Cyber Rescue team have expertise in the many functional areas that are impacted by a successful cyber attack, for example Legal, PR, HR, Operations, Finance and Customer Service, as well as IT Forensics and Remediation.
+44 (0)20 7859 4320
www.linkedin.com/company/cyber-rescue-alliance
Editor's note
Welcome to CEOs leading Recovery from Cyber Attack.