1 / 26

Responding to data breaches

Responding to data breaches. DIFC Outreach Session Dino Wilkinson Partner Norton Rose Fulbright (Middle East) LLP 04/06/13. Agenda. The importance of data security Consequences of breach Role of the DIFC Commissioner of Data Protection Role of the DFSA

neron
Download Presentation

Responding to data breaches

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Responding to data breaches • DIFC Outreach Session • Dino Wilkinson • Partner • Norton Rose Fulbright (Middle East) LLP • 04/06/13

  2. Agenda • The importance of data security • Consequences of breach • Role of the DIFC Commissioner of Data Protection • Role of the DFSA • Managing a data breach crisis: timeline and key practical steps DIFC Outreach Session June 2013

  3. The importance of data security IMF hit by 'very major' cyber security attack ‎Jun 12, 2011 – The International Monetary Fund says it was targeted by a sophisticated cyber attack earlier this year, causing "a very major breach" of its systems … 'Misfeed' mixes up thousands of Santander customer statements Dec 24, 2010 – Thousands of UK customers of Spanish banking giant Santander received statements on which other customers' information had been printed ... Eight charged in US over $45 million cyber crime on UAE and Oman banks May 10, 2013 – An international crime gang has stolen US$45 million from RAKBank and BankMuscat, in one of the biggest cyber frauds to hit the Middle East. Bank fined £3m for data loss Jul 22, 2009 – The Financial Services Authority has fined HSBC £3m for failing to properly look after its customers' information and private data. DIFC Outreach Session June 2013

  4. Enforcement powers of the DIFC Commissioner of Data Protection • Appointed pursuant to Article 22 of the DIFC Data Protection Law. • Commissioner plays a key role in enforcement of the Law. • Authorisation of sensitive data processing and transfers of personal data outside the DIFC. • The first point of contact for: • data subjects with complaints about processing; • information and guidance; • notification – in the event that a data controller finds itself in breach of the Law. • Commissioner can take appropriate action against those in breach of the Law. DIFC Outreach Session June 2013

  5. Enforcement powers of the DIFC Commissioner of Data Protection • Article 26(1): Commissioner has “such powers, duties and functions as conferred on him under this Law and any Regulation made under this Law”, including: • accessing personal data processed by data controllers/processors • issuing warnings or admonishments and making recommendations to data controllers • imposing fines in the event of non-compliance with its directions • imposing fines for non-compliance with the Law and any Regulations • initiating a claim for compensation on behalf of a data subject before the Court where there has been a material contravention of the Law to the detriment of the data subject • Article 26(4): Commissioner has “power to do whatever he deems necessary, for or in connection with, or reasonably incidental to, the performance of his functions” DIFC Outreach Session June 2013

  6. Failure to comply with DFSA requirements • DFSA enforcement action • Financial penalties? • UK example: July 2009, HSBC fined more than £3 million for the “careless” handling of confidential details of tens of thousands of its customers, when unencrypted CDs holding customers’ details were lost in the post. • UK example: August 2010, the FSA fined Zurich insurance c.£2.3 million for failing to have adequate systems and controls in place resulting in the loss of over 46,000 customers' personal details. DIFC Outreach Session June 2013

  7. Consequences continued: apart from the regulators • Significant costs in senior management time. • Mitigation costs can be very significant (e.g. investigations and root cause analysis; helpline for affected data subjects; legal, PR and IT professionals’ fees; restoration of data). • Reputation and trust damaged. • Loss of business. DIFC Outreach Session June 2013

  8. Data breach crisis – four key stages • Stage 1 Contain breach, initial assessment • Stage 2 Evaluate seriousness/risk level/potential prejudice the breach represents • Stage 3 Consider notifications, and implement if appropriate, mitigate risk to data subjects • Stage 4 Remedial steps taken to prevent future breaches DIFC Outreach Session June 2013

  9. Data breach timeline* Remedial work continues Rights enforced, etc Day 0 Breach Day + [75?] Breach discovered Commissioner/ regulators deliverfinal opinion/sanctions * Timings are approximate only DIFC Outreach Session June 2013

  10. Timeline: Breach Day, +1 • Day of Breach • BD +1 am: • External legal advisers appointed • Customer services notified by customer of breach • In-house compliance, legal and IT functions all notified • External IT security specialists instructed • IT takes immediate action to secure the data – note decision on forensics required Day of Breach Breach Day (BD) +1 • External PR and Communications advisors instructed • Insurance pm: • Initial estimate suggests that data relating to over [X] data subjects have been released. • In-house legal/compliance contacts external counsel • Preliminary assessment begins DIFC Outreach Session June 2013

  11. Key preliminary issues to consider • Insurance • Are you covered? Look at liability insurance policies: civil liability insurance, directors and officers liability insurance, pension trustee liability insurance, or specific data breach/cyber risks insurance. • What is covered? Mitigation costs could be substantial for a significant data breach; also defence costs, investigation costs, PR costs. • Practical steps: notify insurer, do not incur claim-related costs without consent, do not prejudice insurer’s rights/admit liability/settle claim. • Forensics • Initial breach containment and investigation steps can delete/degrade the forensic record. • If securing evidence around breach is important (e.g. suspicion of data theft, need to identify individuals responsible/involved, need evidence of failures by third party suppliers/processors) then immediate decision needs to be taken as to whether forensic imaging should be conducted. DIFC Outreach Session June 2013

  12. Mitigation step plan • Response Team to agree and implement the Mitigation Step Plan: • Ensure breach is contained. • Initial assessment of risk and damage. • Assessment of regulator notification obligations. • Initial notifications to be made. • Further investigation to understand fully the extent, causes and implications of the breach. • Assessment of whether to notify data subjects; and if so, how? • Implement subject notification, putting in place systems to manage data subject response, and relevant assistance to subjects, such as credit check services. DIFC Outreach Session June 2013

  13. Notifications: DIFC Commissioner of Data Protection • Article 16(4), DIFC Data Protection Law: “In the event of an unauthorised intrusion, either physical, electronic or otherwise, to any Personal Data database, the Data Controller or the Data Processor carrying out the Data Controller’s function at the time of the intrusion, shall inform the Commissioner of Data Protection of the incident as soon as reasonably practicable.” • Other breaches resulting in loss, breach or compromise of personal data – no legal obligation in DIFC law to report but Commissioner recommends notification depending on detriment to data subjects. • Key factors to consider for notifying party: • Harm to data subjects (including emotional distress, physical/financial damage) • Volume of data • Sensitivity of data • What view will the Commissioner take if not notified at the outset? DIFC Outreach Session June 2013

  14. Notifications: DIFC Commissioner of Data Protection • What if a breach is reported to the Commissioner? • Commissioner considers: • nature of breach; • seriousness of the breach; and • adequacy of any remedial action, before determining the appropriate course of action. • Possible courses of action: • record the breach and take no further action; or • investigate the circumstances of the breach and any remedial action, which could lead to: • no further action; • requirement for data controller to undertake a course of action to prevent future breaches; or • formal enforcement action turning such requirement into a legal obligation. DIFC Outreach Session June 2013

  15. Notifications: DFSA • Need to consider other relevant notifications, for example: • DFSA – DFSA Rulebook – GEN 11.10: Notifications An Authorised Person must advise the DFSA immediately if it becomes aware, or has reasonable grounds to believe, that any of the following matters may have occurred or may be about to occur: • any matter which could have a significant adverse effect on the Authorised Person’s reputation • A breach by the Authorised Person or any of its Employees of any requirement imposed by any applicable law by the Authorised Person or any of its Employees • any significant failure in the Authorised Person’s systems or controls, including a failure reported to the Authorised Person by the firm’s auditor DIFC Outreach Session June 2013

  16. Notifications: other bodies • Police If criminal offence suspected • International bodies/regulators If firm is regulated elsewhere or breach relates to overseas data subjects • Banks, credit card companies, credit reference agencies If would help to prevent fraud DIFC Outreach Session June 2013

  17. Notifications: to data subjects • In the UAE, no mandatory notification obligations • Consider potential prejudice to the data subject. • Would notifying data subjects mitigate against risks to the data subject caused by the breach? • UK FSA provides useful guidance about when individuals should be notified of security breaches involving financial information – ‘April 2008 Data Security in Financial Services’: “When customer data is lost, consumers that are affected have a right to know the enhanced personal risk they face so they can take adequate precautions. Even if there is no evidence of theft or fraud, it is good practice for firms to inform affected customers of a data loss in writing, unless the data is encrypted or there is law enforcement or regulatory advice to the contrary. Firms should consider telling affected consumers exactly what data has been lost, give them an assessment of the risk and give advice and assistance to consumers at a heightened risk of identity fraud.” • Notification: non alarming; under control; practical steps to mitigate risk (notify banks/other relevant entities); number to contact if enquiries (get ready for the enquiries) will you offer compensation? DIFC Outreach Session June 2013

  18. Timeline: Week 1 • BD + 2 to 4 • PR plan formulated and draft statement prepared. • IT security specialists verify that all data is now secure and check all systems for ongoing security. • Preliminary risk assessment completed. • Assessment made as to whether data subjects should be notified, and how to notify. • BD + 7 • Regulator acknowledges firm’s self-reported breach. • A potential new third party service provider is identified and IT specialists perform due diligence. BD + 2 + 3 + 4 + 5 + 6 + 7 + 8 • BD + 5 to 6 • Source of the leak is notified, reservation of rights. • Team assesses how data subjects will be handled (helplines; points of contact; assistance required - credit check services for example). • Team prepare first draft notification letter to be sent to affected data subjects. Insurer given notice and opportunity to comment. • BD + 8 • Results of initial investigation are made available and confirm the total amount of data released and other basic facts. • Commissioner and other applicable regulators updated. • Insurers updated. DIFC Outreach Session June 2013

  19. Timeline: Week 2 • Credit check provider appointed, contract agreed. • Helpline provider appointed, contracts agreed. • Internal resources including IT services to handle subject contact set up. Intense period begins handling data subjects queries/complaints. Company stress tests helpline/other services in advance of notification. Data subject notifications dispatched. BD + 9 + 10 + 11 + 12 + 13 + 14 + 15 • Helpline operatives briefed by PR team. • Internal helpline staff briefed. • Subject notification letters finalised. • Internal processes of logging calls/complaints and actioning requests formulated and agreed. Updated report sent to Commissioner. DIFC Outreach Session June 2013

  20. + 16 +17 +18 +19 +20 +21 +22 +23 +24 +25 +26 +27 +28 +29 Timeline: Weeks 3 and 4 Commissioner sends initial comments on breach seeking further information. Full root and branch investigation commenced, to include reporting on details of breach, IT/forensic record, how breach occurred, security measures in place, shortcomings and weaknesses. Recommendations for remedial measures. DIFC Outreach Session June 2013

  21. Timeline: Week 4+ • Company implements decision • Improve data security processes and otherwise continuing implementation of corrective measures • Seek redress against third parties in breach of contract etc Commisioner issues decision, including fines, sanctions, undertakings, corrective steps required, etc • Breach Day +40 • Full response provided to Commissioner, full explanation of breach and mitigation steps taken, details of any subjects suffering harm, details of complaints received, etc. • Implementation of corrective measures. DIFC Outreach Session June 2013

  22. Investigating and reporting • Communication channels need to be controlled. • Investigation and reporting will be done by various professionals. • Consider at all times the issue of legal advice privilege, and the extent that it can reasonably attach to work product. • Clear separation between IT technical investigation/reporting and any form of legal risk analysis, or even comment on breach of law/regulation. DIFC Outreach Session June 2013

  23. Not ‘if’ but ‘when’ and ‘how bad’: breach readiness • Part 1: prevention is better than cure… • IT security audit – are you up to date with all appropriate security measures? • Physical security audit. • Audit data processors/service providers to ensure: • security measures are appropriate; • contractual terms (including data protection clauses) appropriate. • Employees properly trained (and screened). • Policies and procedures up to date and appropriate. DIFC Outreach Session June 2013

  24. Not ‘if’ but ‘when’ and ‘how bad’: breach readiness • Part 2: rapid response/crisis readiness • Data breach crisis management team (internal and external) pre-appointed and trained. • Develop a breach response plan, including emergency numbers for team etc. • Have a pre-agreed position on when forensic investigation will be used. • Insurance: consider whether you have coverage; whether you need coverage; what the specific coverage is; how it impacts response. • Understand what your organisation can cope with itself, what needs to be outsourced, and who you will outsource to. DIFC Outreach Session June 2013

  25. Disclaimer • Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP, each of which is a separate legal entity, are members (“the Norton Rose Fulbright members”) of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the activities of the Norton Rose Fulbright members but does not itself provide legal services to clients. • References to “Norton Rose Fulbright”, “the law firm”, and “legal practice” are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together “Norton Rose Fulbright entity/entities”). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a “partner”) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity. • The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright. DIFC Outreach Session June 2013

More Related