Published in Asian-mena Counsel: Cyber Crime & Data Protection Special Report 2018
By Ling Ho, Donna Wacker, Lijun Chui, William Wong and Nigel Sharman of Clifford Chance
Proper preparation and planning can help organisations set out a clear path for responding to a cyber breach
An unexpected phone call, an unwelcome email. These may be the first signs that corporate IT systems have been compromised, bringing with them the risks of financial loss, disastrous publicity and evaporation of trust, which together can lead inexorably to corporate ruin. So, what should your first reaction be? Who should you call? What should you do?
We look at a possible scenario and seven lessons we can learn about handling what may quickly turn into the biggest corporate crisis your company has faced in its lifetime.
An unusual Monday
It is Monday morning and Julia returns from a weekend away to her job as General Counsel of the online shopping startup, “ToyzForKidz”. The company has been an early adopter of cloud technology and big data. While it has invested heavily in developing the online customer-facing interface and IT infrastructure, it does not have a cyber security incident plan.
An email hits Julia’s inbox at 8.40am from the head of IT, Eddie.
“We had an incident this morning. One of our main data centres in Singapore may have been hacked. We don’t know how many customers may have been affected yet, but the centre holds the details of all of our 650,000 customers across the globe, including their email addresses and credit card details. We are unable to access any of our systems. The monitors are showing a picture of a shadowy masked man demanding US$1 million before we can get back in. I have told the boss. Let’s speak ASAP.”
While Julia is still digesting the email, John, Director of Communications, walks in:
“Did you hear about the cyber attack? I had a few newspapers from different countries on the phone just now telling me they are about to break a hacking story. Apparently, people have contacted them saying that unauthorised deductions have been made from their credit cards. We need to decide what to say.”
Before Julia can respond to John, she receives a call from Jason, the CEO. “Can you come to the collaboration area as soon as possible please? We have to decide what to do now. I am thinking of paying the ransom, paying off the affected customers and denying these stupid hacking rumours. We can’t afford this getting published!”
Julia tries to look through the deck of business cards she has received from law firms and realises that she does not know which firms have the relevant experience and expertise in cyber incidents on such a potentially huge worldwide scale.
Lesson 1: The missing plan
The responses from Eddie, John and Jason are a natural consequence of the absence of a cyber security incident plan at ToyzForKidz. This may prove costly — when a crisis happens, it is tempting simply to rush in headlong to try to fix the situation, which may result in bad judgment calls. The time required to make decisions can be shortened substantially if the issues have already been properly considered and rehearsed in advance. Having a fully functioning response team ready to go can help reduce the cost of a data breach.
A proper cyber security plan should identify the incident response team members (including the emergency contacts of external counsel), set out who is responsible for what, describe the escalation matrix, include a template for statements to be released to employees, the media and customers, and explain what to do in the case of a ransom demand.
As incident response is multifaceted, building the right response team will demand a range of capabilities from across human resources, legal, IT, public relations, security and business functions. The team should ideally be led by someone who can direct other business units during the investigation. For many organisations, this individual may be the CRO, CIO or CISO.
The incident response plan should be kept in several hard copy manuals that are readily accessible in the offices of the key staff likely to be involved. There should also be regular rehearsals that allow staff to familiarise themselves with the steps set out in the plan.
Lesson 2: Priority actions
Ascertaining the key facts is always the most important first step. An investigation which starts before basic facts are confirmed can become unfocused and result in wasted time and resources. In this case, one of the first key steps would be to determine the number of customers whose personal information may have been compromised. Offering compensation to any customer without ascertaining the full scope of the breach may have unintended consequences and tie the hands of ToyzForKidz in handling future complaints.
In the initial response stage, you should assemble the response team, review network-based and other readily available data, determine the type of incident and assess the potential impact with a view towards gathering enough initial information to allow the team to determine the appropriate response.
IT specialists, internal or external, should be engaged to advise on investigating and containing the breach. Containing the breach may require all networked devices to be taken offline and an assessment made of which PCs and servers may have been affected. In the absence of confirming how the attacker gained access or what else the attacker may have done, you may not be in a position to start addressing the problem immediately. Taking action too soon may mean destroying vital evidence that could help you make significant progress in your investigation. Taking action too late could mean that you remain vulnerable to attack. It is therefore important to determine the timing of remediation with the appropriate specialists.
Once the key facts have been ascertained, depending on whether the business affected is in a regulated industry (such as financial institutions) and the applicable personal data laws, it may be necessary to notify regulators. There may be “breach notification” requirements that oblige the company to provide notification to regulators within a certain period, say between one and 72 hours after the event occurred. By way of example, in Singapore, designated owners of critical information infrastructure are required to report a significant cybersecurity incident within two hours of discovery. The short timeline, which runs from the time of discovery, does not give an organisation much time to come to a decision. Organisations should therefore be fully up-to-date on the reporting obligations in the various countries in which they operate, and determine in advance which (if any) data privacy legislation (including the GDPR) may require incident reporting as well as the applicable reporting thresholds.
Reporting of data breaches is a requirement which is still being developed in many countries and even if there are no mandatory reporting requirements, it may be prudent for an organisation to notify its regulator(s).
Lesson 3: What to tell the media and customers
Depending on the scale of the incident and the jurisdictions involved, it may be advisable to engage a professional PR firm to assist in managing the media interest — there may be circumstances where it is preferable to remain reactive, rather than proactive, at least at an early stage. A properly drafted media statement will enable ToyzForKidz to manage the narrative once the story goes to press and ensure that “lines-to-take” are consistent.
Some jurisdictions require organisations to contact affected individuals as soon as possible while other jurisdictions may have no such requirement. When and how individuals are notified can determine not only the organisation’s liability with respect to the regulators, but also liability in relation to the affected individuals. In most cases, it will be preferable to contact customers proactively as soon as possible, informing them of which personal details may have been released and advising them immediately to change their password for the site and for any other sites they log in to regularly, and to cancel their credit cards if necessary.
If customers cannot be contacted individually, announcements may need to be made to the public. Updates should be issued at regular intervals as more facts about the severity of the situation come to light, while trying not to worry customers unnecessarily or overload them with notifications.
The tone of the message going to the media and customers will need to be adjusted depending on whether the cyber attack has already been widely reported in the news media. Statements should be factual and honest. Blanket denials should be avoided and any temptation to bury bad news should be firmly resisted. All external communications should be approved by the legal team.
Lesson 4: What to tell employees
Communication should also take place with employees on an appropriately open and transparent basis. ToyzForKidz should provide instructions to employees on how to respond if they are contacted by customers (or any other third parties such as the media) about the incident — in most cases they should be directed to the company’s communications department or the PR firm engaged.
Some employees may fear for their jobs, wondering if they might have done something that left the door open for hackers to enter. It may be necessary to carry out a full investigation, and the possibility of disciplinary sanctions cannot be ruled out at this stage. HR should be involved in devising the necessary internal communications.
Lesson 5: Ransom — to pay or not to pay?
It may be tempting for ToyzForKidz to simply pay off the attackers in the hope that this will quickly restore operations. But there are other issues to consider.
Firstly, there is no guarantee that one will recover the compromised data and regain access to the systems affected. Secondly, and more importantly, one may be committing a criminal offence in some jurisdictions by doing so. Legal advice should be sought, and companies may decide to inform law enforcement agencies, if only to obtain additional assistance in investigating or remediating the breach. In such circumstances, calling in security professionals may be the best course of action to regain access to, and control over, the company’s systems.
Lesson 6: Follow-on litigation
The fact of the breach may have left ToyzForKidz at risk of claims from customers and suppliers, if a court eventually takes the view that the company has been negligent in looking after customers’ personal data. The legal department will need to review existing contracts carefully to ascertain whether notification is also required to third-party suppliers.
In some jurisdictions, there is legislation preventing an apology by one party from being admitted as evidence of an admission of liability in civil proceedings.
With retail customers, the risk lies in a class-action lawsuit. Depending on the jurisdiction, private actions may be brought by affected individuals, whether in the form of representative actions or otherwise.
Lesson 7: Involve legal counsel
Legal counsel have a critical role to play. Here, Jason, the CEO, correctly involved Julia in the decision-making process for responding to the attack.
A cyber attack is not simply an IT issue. Legal counsel should be involved early on to advise on the regulatory obligations that may apply, potential legal liabilities and how best to mitigate the organisation’s potential liability. This may include advising on issues such as cloaking the correspondence and findings with privilege (where appropriate), and the evidence that may be required for defending claims from those affected or prosecuting claims against the perpetrator. Furthermore, given the cross-border nature of most cyber security incidents, it is important to seek advice from counsel who have the necessary geographical coverage and expertise. Depending on the severity and scale of the attack, external counsel may need to get involved. If so, external counsel should be involved in the organisation’s cyber resilience planning as familiarity with the incident response plan will help expedite the incident response.
With proper preparation and planning, a Monday morning scare such as this need not get out of hand. Specialist external counsel with the right mix of global experience can play a key part in helping organisations prepare for the worst, setting out a clear path for organisations to follow when disaster strikes.
Clifford Chance’s global cybersecurity team advises organisations on local and cross-border cyber incident response and risk transfer solutions. They regularly offer guidance on cybersecurity requirements in key jurisdictions in APAC, including the PRC, Singapore, Hong Kong and Australia. With more than 30 offices globally, the team’s capabilities stretch beyond Asia, and it frequently advises on incidents which concurrently impact locations in Asia, Europe and the US.