How to form a holistic corporate strategy bringing together legal, forensic, cybersecurity and communications perspectives.
In today’s context of public concern over data privacy and proliferating data protection laws, organisations face multifaceted challenges when responding to a cyber incident, whether the incident is data exfiltration or the misuse of data entrusted to companies. Threats can be external or internal, malicious or negligent. The consequences can range from technical to reputational and even criminal (both for the company and its senior managers). Adding to this complexity, authorities may expect potential incidents to be reported quickly – notably under the EU GDPR’s 72-hour data breach reporting requirement. Failure to do so can lead to regulatory fines that apply to any sector and reach amounts that dwarf serious financial crime penalties. What can companies do today to give themselves the best chance of maintaining authority and credibility when – not if – an incident arises?
FRA Partner Simon Taylor joined a panel of legal, cybersecurity and communication experts in London on 23 January, to share his insights with an audience of in-house legal and compliance professionals on the critical elements to piece together when companies respond to cyber incidents.
Assess your in-house capability
Any organisation with a computer must accept some level of data governance risk, but few companies have comprehensive in-house crisis management resources standing by for the moment that risk materialises. The threats are multifaceted: increasingly sophisticated attacks, demanding regulations, intensifying media attention and evolving best practice in risk management. When a crisis hits, you need to assemble a multi-disciplinary response team that extends beyond IT alone, potentially including human resources, finance, internal audit and compliance teams. Given the varying scope of data privacy laws in different jurisdictions, it will likely take a combined effort to respond in a compelling way to the data protection authorities.
Together with the appointment of an internal team, management must carefully consider if the company has the degree of expertise or bandwidth to respond effectively to all aspects of the crisis, particularly if it spans multiple jurisdictions. External counsel may be needed to assess the reporting obligation or highlight potential follow-on litigation, such as class actions. Independent forensic investigation experts can help establish the fact pattern, essential for urgent and well-informed decision-making, while ensuring any internal investigation is performed in a forensically robust manner to withstand regulators’ expectations. Furthermore, Stroz Friedberg VP Heidi Wachs noted that even companies with sophisticated internal IT operations teams might need external cybersecurity specialists to trace the root of an incident and chart an effective plan of action to ensure commercial operations are up and running as quickly as possible.
Cooperate and communicate to mitigate the damage
Whether to clients, the public or the regulator, failure to communicate swiftly can have significant reputational and financial repercussions. In many spheres of alleged corporate wrongdoing, companies have the luxury of conducting their internal investigations confidentially – GDPR has changed the game. In the age of GDPR and intense media scrutiny, a company has neither the option nor the time to investigate in private. Depending on the nature of the compromised data, the GDPR requires that companies report incidents to the respective competent authority and potentially to data subjects as well.
The GDPR fining regime is still at too early a stage to understand and predict how an enforcement authority will calculate a financial penalty. The few notices of intention to fine, or actual fines, that have been publicised reveal some inconsistency from one jurisdiction to another. The UK ICO’s proposed “mega fines” of 2019 suggest it may be taking a ‘top down’ approach: starting from the maximum ceiling of 4% of global annual turnover and working downwards, balancing mitigating factors against the need for a deterrent. For example, Jenner & Block’s Kelly Hagedorn and FRA’s Simon Taylor agreed that the UK ICO seemed to treat any failure to adhere to the 72-hour reporting requirement as a serious aggravating factor in determining penalties in GDPR data breach cases. In other EU jurisdictions where 2019 fines were smaller, regulators may have taken a ‘bottom up’ approach, building up the quantum of the fine from case-specific factors.
In FRA’s experience with regulatory fines in other areas, a number of discounts and reductions can be negotiated if the company is cooperative and demonstrates that proper technical controls and compliance programmes were in place. As Simon Taylor highlighted, the authorities are aware that they must defend an imposed fine robustly should the penalised party ever challenge it in court, so there is an incentive on both sides to negotiate.
Establishing a credible public voice
Instances of corporate data breach and misuse are firmly in the media’s crosshairs. As seen in the recent Travelex ransomware attack, even if a company believes it has fair reason not to report an incident, keeping the matter quiet does not avoid a public furore if journalists interpret the company’s silence as negligent or even dishonest. Portland Communications’ Steve Morris advised companies to establish their own platforms and channels for communicating with the media and public when in crisis mode. Take charge of the story by being the authoritative source of facts rather than reacting to others. The public is much more likely to be forgiving if companies are seen to be transparent and responsible.
Involve the board
If the potential extent of regulatory fines, reputational harm and technical damage to business operations were not enough to draw board members’ attention to cyber incident response planning, the emerging regulatory trend of accountability at the board level should do it. A key milestone is the US Federal Trade Commission’s settlement order (2019), which requires Facebook to “restructure its approach to privacy from the corporate board-level down” and implement mechanisms to ensure executives are accountable for decisions about privacy. There are signs that this mandatory reporting to the board is gradually gaining traction in other jurisdictions.
Build the narrative, starting now
For a company to speak credibly and authoritatively in times of crisis, the fact pattern must be established. From the moment an incident is triggered, a high-calibre and forensically sound investigation is needed, as has been the case for many years in financial crime compliance. The added challenge in cyber attacks and incidents of data misuse is that the timeline for investigation is heavily compressed by GDPR requirements and the need to make public disclosures.
Establishing appropriate ‘technical and organisational measures’ is the best, and only, defence given the inevitability of a cyber breach or the misuse of data. This is an exercise that can begin now and must be constantly refreshed. Seek advice from your legal, forensic, cybersecurity and communications experts on proactive risk assessments and contingency planning that can be initiated in advance of a crisis.
The above is a summary of “Responding to Cyber Incidents”, which took place on 23 January 2020 at The Ivy Club, London.
• Paul Feldberg, Partner, Jenner & Block