Bracing for the Breach: Part III
George Takach, McCarthy Tétrault LLP
In the two previous columns, I looked at the various factors you need to consider before you can meaningfully craft your Data Breach Preparation Plan (DBPP). Now you’re ready to put together this all-important playbook that sets out who does what when that gut-wrenching realization arrives — “we’ve been hacked.”

Who’s on the Team
I know it sounds trite, but the DBPP has to list who is on the data breach response team. Clearly, IT security and IT operations people are, as is the chief privacy officer, and so are in‑house and external legal counsel. But you also have to be thinking about representatives from public relations, operations and, typically, if you are a financial institution, compliance.

You should also have on speed dial a reputable and experienced data forensic investigator. This is the crack team that is brought in, very early on, to assess the nature and extent of the data breach. The forensic investigators will assess what data, exactly, was accessed by the unauthorized third party. They will then determine whether such data was copied and removed from your servers.

In many cases, the forensics experts will also advise as to what precise measures you can take to contain the data breach. This means giving these investigators very prompt and full access to your complete computing environment. In turn, the forensics people need to know how to handle the technical environment so that digital evidence is preserved in a manner that makes it useable in any subsequent civil or criminal legal proceeding.

Preserving Legal Privilege
One important element the DBPP should allude to is the question of maintaining and preserving legal privilege. I was recently retained on a data breach where the scope of the mandate included an analysis of the potential legal liability flowing from the breach. In this case, I retained the forensic expert to assist me, with the result that the materials prepared by them for me (which were then used as input to the legal assessment of liability) would be subject to legal privilege. This was important in the context of any subsequent litigation that might be brought against my client flowing from the data breach.

Incidentally, it’s also worth noting that, once a data breach comes to light, the DBPP should remind the response team that all relevant evidence must thereafter be preserved. Therefore, at that point, even if, for example, you have a company‑wide policy of periodic deletion of emails that are a certain number of months old, that policy must be suspended in favour of preserving everything henceforth.

Patching Vulnerabilities
There’s another useful role often played by the data forensics team — namely, a determination of what vulnerabilities exist in your IT systems that should be promptly repaired. Put another way, the forensics team shouldn’t be viewed only as a responsive measure, brought in to review what went wrong “this time,” but also to advise as to what can be done to reduce the risk of a similar incident in the future.

It is for this reason that, when I’m asked to recommend a forensics expert to a client, I like to suggest a shop that can do the data-sleuthing, but then can also bring IT design skills to the mandate for this broader, IT development role.

In short, you have to do meaningful due diligence on your technical experts, well before the data breach incident, so you are not running around in a panic at the time a data breach hits you.

Who to Notify — and When?
Once you have the data forensic team’s report in hand, you now have visibility into the scope and nature of the breach, and you will be able to address one of the most sensitive steps in the DBPP: who do you notify, and when, and what exactly do you say? Given that at this point in the breach – likely two or three days since it was detected – you are probably running on very little sleep, it’s extremely helpful for the “data breach playbook” to set out the specific steps to be taken next.

With internal and external legal counsel in the huddle, a principled decision can be made as to who is notified, and how. And remember, the list may be longer than simply your customers. If the hacker got into your company’s HR system, then employee data may be compromised.

As for who to notify, if there is any risk that the stolen information would lead to material financial or health-related harm, then in Canada one thinks seriously about alerting law enforcement. And even if this factor is not present, there is the fairly new requirement for mandatory breach notification in the recently amended federal data protection law, so long as the breach meets certain criteria.

If you have customers from around the globe, the DBPP will tell you that your job in terms of notification is more complicated. What does the data breach notification legislation say in each US state where you have customers? What about the different countries of the European Union? Again, the DBPP should be clear on all this beforehand, so that you’re not just starting to figure all this out when you’re under the time pressure of an actual breach incident. Forewarned is forearmed.

The Insurance Question
Another item in the breach preparation plan that requires some serious advance work is related to insurance. Again, on the assumption that it is only a matter of time before your organization is hit with a data breach (and not “if” you will be hit), it really does behoove you to review what insurance coverage you have in place for the kinds of risks that arise when hackers get into your computer systems.

As part of this review, you need to understand your “first-party” liability — what costs, expenses and damages would befall your organization in the event of a data breach? After that, you need to consider the “third-party” liability issues — what damages would impact your customers, or business partners, if their data, stored on your systems, was impacted?

What’s clear from the litigation over insurance coverage is that many traditional policies don’t really apply to the new cyber-risks. The insurance policy is often more oriented to the 20th-century world of physical risks, and the so‑called digital realities of the 21st century simply haven’t been reflected in the policy.

If this is your case, you need to consider what more “modern” fact patterns cyber-risk policies might cover, and whether the cost of their coverage is worth it for you. And again, like several of the other issues raised above in the DBPP, it’s too late to be doing this risk-management assessment once the hackers have compromised your systems (just as you can’t buy insurance for a burning house).

Testing the DBPP
I like to say to clients, “If you have a DBPP, and you haven’t tested it in the past six months, you actually don’t have a plan.” This is so because no plan that is simply on paper can really capture all the nuances and twists and turns of the real world.

For example, your DBPP may have a business-hours dimension built into it. Well, the sad reality is that a lot of hackers operate on the evenings and weekends. So, your test will tell you just how many people you need as backups to the key names listed in the DBPP. And possibly backups to the backups. You get the idea. And, by the way, you should run the test on a weekend.

The results of the test of your DBPP should be discussed at the highest levels of management within your organization, possibly even at the board. As I’ve mentioned in the previous columns, the overarching issue of cyber-security – and the risk-management processes and controls that should be developed and implemented for it – are very much topics for C-suite and board consideration.

To be clear, a DBPP – even one that is tested periodically – is not a silver bullet; it is no panacea. And the evidence indicates (as covered in my two previous columns) that the hackers are getting smarter and more determined. But in a world where data breaches are as prevalent as they are, the DBPP is an important tool with which to manage an important risk facing you.

The unfortunate reality is that your organization is now so digital and networked that, while this brings great benefits to you, it also makes you very vulnerable to modern-day criminals. Therefore, part of the significant financial benefit offered by computerization needs to be invested in a robust Data Breach Preparation Plan, so that you can at least partly mitigate the adverse side effects of our digital world.

George Takach is a senior partner at McCarthy Tétrault LLP and the author of Computer Law.