What every in-house counsel must know about handling data breaches

Posted on November 6, 2019

By Jeffrey Lim, Director, Joyce A. Tan & Partners

Jeffrey Lim

Introduction

When I was in-house, I was privileged to work for a very good mentor who was open about his list of issues he called “career killers”.  

To quote him: “If there is one thing you could do to shorten your career with us, it’s to drop the ball on these issues.”

He meant well.

At that time, that list of issues was short. But those were the good old days.

I have not caught up with him recently, but one issue is sure to have made its way to his list: Handling Data Breaches.

Here are nine (of the many) things that in-house counsel need to know in preparing to handle, or handling, data breaches.

One: You can be judged on your response

The following is a true story.

In the aftermath a data breach and in the fact finding that followed, a damning comment by an employee of an affected organisation surfaced.

This individual, who was in the chain of reporting said (on a secure but indelible chat record) that he did not want to escalate the detected breach, due to fear of being overwhelmed with the work that would follow.

Talk about career killers. I am certain that individual would have wanted to take that statement back.

In today’s regulatory environment, and with the legal liability framework in play, there is an undeniable duty to preserve records, and the response to a breach can be subject to as much scrutiny as the cause of the breach itself.

Two: Recovery work can be a long road. Hopefully, it is not made longer.

The path to recovery from a data breach is best expressed by John Milton in Paradise Lost: Long is the way and hard, that out of Hell leads up to light”.

Remediation involves addressing restorative steps, liability mitigation and reformative steps such as:

  • Preserving evidence,
  • Shutting down / eliminating security vulnerabilities,
  • Recovering lost data,
  • Instituting an internal investigation,
  • Planning for the next breach.

The process can be a long one, but if you are also undoing mistakes made in the course of the response to a data breach, it will be much longer.

Three: There’s more than one law

For in-house counsel, the legal landscape is particularly challenging, if only because of the following:

  • It is likely not one law, but a basket of them that applies. In Singapore alone, a data breach could trigger issues under the Personal Data Protection Act 2012 (“PDPA”), the Cybersecurity Act 2018 (“CA”), the Computer Misuse Act (now in its 2018 iteration) (“CMA”), and sector-specific legislation.
  • Each law comes with its own raft of regulations or guidelines (including hard and soft law).
  • The pace of development is phenomenally quick. As businesses digitalise, legal risks proliferate at the pace of technological change.

Unpacking the full applicable regime at work requires dedicated resources and effort. Staying on top of the law is a full time job.

One needs to be engaged with regulators, and keep a close eye on the horizon of legal developments.

Four: There’s usually more than one regulator

In Singapore, the agencies do a good job of taking turns and prioritizing their roles between them, but consider the following alphabet soup (non-exhaustive):

  • For the PDPA, there’s the PDPC (Personal Data Protection Commission)
  • For the CA, there’s the CSA (Cyber Security Agency of Singapore)
  • For the CMA, there’s the AGC (Attorney General’s Chamber of Singapore)
  • And if your company is in financial services, there is the MAS (Monetary Authority of Singapore)
  • Or if in telecommunication services, there is the IMDA (Info-communications Media Development Authority),
  • Or if in healthcare, there is the MOH (Ministry of Health).

Co-ordinating your responses, meeting expectations and managing communications with all the applicable regulators will require serious investment in planning and coaching.

Five: There’s usually more than one jurisdiction

Data breaches are almost always cross-jurisdiction, and this possibly means:

  • Different standards for handling a breach – e.g. differing response times or information requirements;
  • Different rules concerning whether communications with in-house counsel are accorded legal privilege;
  • Different legal standards in follow-up and remediation.

As many an in-house counsel who has managed cross border matters knows: it is critical to find the right expertise to help in each jurisdiction.

Six: The Solutions are not purely Legal, but Legal Thinking is Central

Responding to a breach is a team effort. If it is a cybersecurity breach, your Information Technology team is key. If there is consumer fall out, your Public Relations team is crucial.

But side-by-side with them should be the legal team. Data breaches are, after all, legal liability traps.

Just consider the following liability pools you could be dipped into:

  • Private action for breach of contracts (customers, partners);
  • Regulatory fines (which can be substantial and put a real dent in operating expenses and profits);
  • (if a defect in product or platform is involved) Product or service liability;
  • Acting in a manner to avoid exclusions under insurance coverage;
  • Negligence in handling remediation.

Remediation and responses to data breaches must be fundamentally informed by legal know-how.

Seven: Preparation now will reduce your work later. Significantly.

As another mentor from my in-house days was fond of saying: “A little work upfront, will save a lot work later.

Nowhere is this truer than in preparing for a data breach.

There is no time to design a data breach response program when a breach happens.

Actually, there is simply no time for anything at all – except for executing a pre-designed, road-tested, programmatically updated and refreshed and well rostered legal action plan.

It is the same thinking as conducting fire drills. Data breaches can unfold at a pace that does not allow time for hitting the drawing board.

The design and implementation of the following are indispensable:

  • A plan for hand-offs and escalation, focusing on speed of command, not chain of command
  • Allocation of responsibilities where the right team members are involved, and also, practically and effectively rostered
  • Operating procedures or playbooks that are easy to follow
  • Knowledge resources that are to the point and provide practical clarity

Where does legal sits in all this? See point six above.

Eight: Preparing for data breaches pays for itself

You may have heard this before, but it is worth reviewing the business case for undertaking preparations for a data breach again, with the top 3 reasons being:

  • Data breaches can impact the financial bottom line (1) – Whilst fines under the EU General Data Protection Regulation can be high (in the highest instance, up to €20 million, or 4% of annual global turnover). Fines in other jurisdictions are not miniscule either. Singapore recently fined one organisation S$750,000 for a breach in 2018. Consider the multiplier effect when more jurisdictions are added.
  • Data breaches can impact the financial bottom line (2) – Fines are one thing, the directions and orders by regulators to remediate come with their own price tag. You could be compelled to invest in security measures, or other steps, and lose some control over how you would control costs.
  • Data breaches can impact the financial bottom line (3) – I personally think “reputational damage” is not an effective descriptor. “Customer flight” drives home the point.

Nine: Practical, not cookie cutter

Response plans and coaching should be practical.

Whilst much specialist legal advice is needed to navigate this space, it is also important to blend the advice with an in-house counsel’s expertise in handling stake-holders and knowledge of complexities in running the business.

It is a skill to translate advice into practical steps, and even “go / no-go” decisions, “dos and don’ts”, “step-by-steps” and “game plans”.

There will always be organisational customisation and legal process thinking that needs to be done. Do not implement “off the shelf” solutions.

Conclusion

We do not choose what gets on the list of career-killer issues. Times have changed and data breach is now on that list.

Like Shakespeare’s quote on greatness, data breaches can be thrust upon us. But like the great bard said: “let thy blood and spirit embrace” the solutions needed.

 

 

Related Articles by Firm
Three things about tackling Singapore’s Payment Services Act 2019
The PSA was passed at the start of this year and will come into full effect at the end of this year.
Related Articles
Vietnam’s Land Law Overhaul: Transforming Land Acquisition for Project Development
Investment Opportunities in the Philippines
The Greater China IP Updates – April 2024
Related Articles by Jurisdiction
Latest Articles
Vietnam’s Land Law Overhaul: Transforming Land Acquisition for Project Development
In-House Insights with Kenneth Wong of LINK REIT
M&A Arbitration in Vietnam