Responding to data breaches (Jun13)

Responding to data breaches
DIFC Outreach Session
Dino Wilkinson
Partner
Norton Rose Fulbright (Middle East) LLP
04/06/13
Agenda
• The importance of data security
• Consequences of breach
• Role of the DIFC Commissioner of Data Protection
• Role of the DFSA
• Managing a data breach crisis: timeline and key practical steps
DIFC Outreach Session June 2013
The importance of data security
• 'Misfeed' mixes up thousands of Santander customer statements (Dec 24, 2010): Thousands of UK customers of Spanish banking giant Santander received statements on which other customers' information had been printed ...
• Eight charged in US over $45 million cyber crime on UAE and Oman banks (May 10, 2013): An international crime gang has stolen US$45 million from RAKBank and BankMuscat, in one of the biggest cyber frauds to hit the Middle East.
• IMF hit by 'very major' cyber security attack (Jun 12, 2011): The International Monetary Fund says it was targeted by a sophisticated cyber attack earlier this year, causing "a very major breach" of its systems …
• Bank fined £3m for data loss (Jul 22, 2009): The Financial Services Authority has fined HSBC £3m for failing to properly look after its customers' information and private data.
Enforcement powers of the DIFC Commissioner of Data Protection
• Appointed pursuant to Article 22 of the DIFC Data Protection Law.
• Commissioner plays a key role in enforcement of the Law.
• Authorisation of sensitive data processing and transfers of personal data outside the DIFC.
• The first point of contact for:
– data subjects with complaints about processing;
– information and guidance;
– notification – in the event that a data controller finds itself in breach of the Law.
• Commissioner can take appropriate action against those in breach of the Law.
Enforcement powers of the DIFC Commissioner of Data Protection
• Article 26(1): Commissioner has “such powers, duties and functions as conferred on him under this Law and any Regulation made under this Law”, including:
– accessing personal data processed by data controllers/processors
– issuing warnings or admonishments and making recommendations to data controllers
– imposing fines in the event of non-compliance with its directions
– imposing fines for non-compliance with the Law and any Regulations
– initiating a claim for compensation on behalf of a data subject before the Court where there has been a material contravention of the Law to the detriment of the data subject
• Article 26(4): Commissioner has “power to do whatever he deems necessary, for or in connection with, or reasonably incidental to, the performance of his functions”
Failure to comply with DFSA requirements
• DFSA enforcement action
• Financial penalties?
– UK example: July 2009, HSBC fined more than £3 million for the “careless” handling of confidential details of tens of thousands of its customers, when unencrypted CDs holding customers’ details were lost in the post.
– UK example: August 2010, the FSA fined Zurich insurance c.£2.3 million for failing to have adequate systems and controls in place, resulting in the loss of over 46,000 customers' personal details.
Consequences continued: apart from the regulators
• Significant costs in senior management time.
• Mitigation costs can be very significant (e.g. investigations and root cause analysis; helpline for affected data subjects; legal, PR and IT professionals’ fees; restoration of data).
• Reputation and trust damaged.
• Loss of business.
Data breach crisis – four key stages
• Stage 1: Contain breach, initial assessment
• Stage 2: Evaluate seriousness/risk level/potential prejudice the breach represents
• Stage 3: Consider notifications, and implement if appropriate; mitigate risk to data subjects
• Stage 4: Remedial steps taken to prevent future breaches
Data breach timeline*
[Timeline figure: Day 0, breach discovered; remedial work continues; Breach Day + [75?], rights enforced, etc; Commissioner/regulators deliver final opinion/sanctions]
* Timings are approximate only
Timeline: Breach Day, +1
Day of Breach
am:
• Customer services notified by customer of breach
• In-house compliance, legal and IT functions all notified
• IT takes immediate action to secure the data – note decision on forensics required
• Insurance
pm:
• Initial estimate suggests that data relating to over [X] data subjects have been released.
• In-house legal/compliance contacts external counsel
• Preliminary assessment begins
Breach Day (BD) +1
• External legal advisers appointed
• External IT security specialists instructed
• External PR and Communications advisors instructed
Key preliminary issues to consider
• Insurance
– Are you covered? Look at liability insurance policies: civil liability insurance, directors and officers liability insurance, pension trustee liability insurance, or specific data breach/cyber risks insurance.
– What is covered? Mitigation costs could be substantial for a significant data breach; also defence costs, investigation costs, PR costs.
– Practical steps: notify insurer, do not incur claim-related costs without consent, do not prejudice insurer’s rights/admit liability/settle claim.
• Forensics
– Initial breach containment and investigation steps can delete/degrade the forensic record.
– If securing evidence around the breach is important (e.g. suspicion of data theft, need to identify individuals responsible/involved, need evidence of failures by third party suppliers/processors) then an immediate decision needs to be taken as to whether forensic imaging should be conducted.
Mitigation step plan
• Response Team to agree and implement the Mitigation Step Plan:
– Ensure breach is contained.
– Initial assessment of risk and damage.
– Assessment of regulator notification obligations.
– Initial notifications to be made.
– Further investigation to understand fully the extent, causes and implications of the breach.
– Assessment of whether to notify data subjects; and if so, how?
– Implement subject notification, putting in place systems to manage data subject response, and relevant assistance to subjects, such as credit check services.
Notifications: DIFC Commissioner of Data Protection
• Article 16(4), DIFC Data Protection Law:
“In the event of an unauthorised intrusion, either physical, electronic or otherwise, to any Personal Data database, the Data Controller or the Data Processor carrying out the Data Controller’s function at the time of the intrusion, shall inform the Commissioner of Data Protection of the incident as soon as reasonably practicable.”
• Other breaches resulting in loss, breach or compromise of personal data – no legal obligation in DIFC law to report, but Commissioner recommends notification depending on detriment to data subjects.
• Key factors to consider for notifying party:
– Harm to data subjects (including emotional distress, physical/financial damage)
– Volume of data
– Sensitivity of data
– What view will the Commissioner take if not notified at the outset?
Notifications: DIFC Commissioner of Data Protection
• What if a breach is reported to the Commissioner?
– Commissioner considers: (i) nature of breach; (ii) seriousness of the breach; and (iii) adequacy of any remedial action, before determining the appropriate course of action.
• Possible courses of action:
– record the breach and take no further action; or
– investigate the circumstances of the breach and any remedial action, which could lead to: (i) no further action; (ii) requirement for data controller to undertake a course of action to prevent future breaches; or (iii) formal enforcement action turning such requirement into a legal obligation.
Notifications: DFSA
• Need to consider other relevant notifications, for example:
– DFSA – DFSA Rulebook – GEN 11.10: Notifications
An Authorised Person must advise the DFSA immediately if it becomes aware, or has reasonable grounds to believe, that any of the following matters may have occurred or may be about to occur:
– any matter which could have a significant adverse effect on the Authorised Person’s reputation
– a breach by the Authorised Person or any of its Employees of any requirement imposed by any applicable law by the Authorised Person or any of its Employees
– any significant failure in the Authorised Person’s systems or controls, including a failure reported to the Authorised Person by the firm’s auditor
Notifications: other bodies
• Police – if criminal offence suspected
• International bodies/regulators – if firm is regulated elsewhere or breach relates to overseas data subjects
• Banks, credit card companies, credit reference agencies – if it would help to prevent fraud
Notifications: to data subjects
• In the UAE, no mandatory notification obligations
– Consider potential prejudice to the data subject.
– Would notifying data subjects mitigate the risks to the data subject caused by the breach?
– UK FSA provides useful guidance about when individuals should be notified of security breaches involving financial information – ‘April 2008 Data Security in Financial Services’:
“When customer data is lost, consumers that are affected have a right to know the enhanced personal risk they face so they can take adequate precautions. Even if there is no evidence of theft or fraud, it is good practice for firms to inform affected customers of a data loss in writing, unless the data is encrypted or there is law enforcement or regulatory advice to the contrary. Firms should consider telling affected consumers exactly what data has been lost, give them an assessment of the risk and give advice and assistance to consumers at a heightened risk of identity fraud.”
• Notification should be non-alarming; convey that the situation is under control; give practical steps to mitigate risk (notify banks/other relevant entities); give a number to contact with enquiries (get ready for the enquiries); and address whether you will offer compensation.
Timeline: Week 1
BD + 2 to 4
• PR plan formulated and draft statement prepared.
• Source of the leak is notified, reservation of rights.
BD + 5 to 6
• Team assesses how data subjects will be handled (helplines; points of contact; assistance required, credit check services for example).
• Results of initial investigation are made available and confirm the total amount of data released and other basic facts.
• Commissioner and other applicable regulators updated.
BD + 7
• IT security specialists verify that all data is now secure and check all systems for ongoing security.
• Regulator acknowledges firm’s self-reported breach.
• Preliminary risk assessment completed.
• A potential new third party service provider is identified and IT specialists perform due diligence.
• Assessment made as to whether data subjects should be notified, and how to notify.
BD + 8
• Team prepare first draft notification letter to be sent to affected data subjects. Insurer given notice and opportunity to comment.
• Insurers updated.
Timeline: Week 2
BD + 9 to 10
• Credit check provider appointed, contract agreed.
• Helpline provider appointed, contracts agreed.
• Internal resources including IT services to handle subject contact set up.
• Helpline operatives briefed by PR team.
• Internal helpline staff briefed.
• Subject notification letters finalised.
• Internal processes of logging calls/complaints and actioning requests formulated and agreed.
• Company stress tests helpline/other services in advance of notification.
BD + 11
• Data subject notifications dispatched.
• Intense period begins handling data subjects' queries/complaints.
BD + 12 to 15
• Updated report sent to Commissioner.
Timeline: Weeks 3 and 4
BD + 16 to 29
• Commissioner sends initial comments on breach seeking further information.
• Full root and branch investigation commenced, to include reporting on details of breach, IT/forensic record, how breach occurred, security measures in place, shortcomings and weaknesses. Recommendations for remedial measures.
Timeline: Week 4+
Breach Day +40
• Full response provided to Commissioner: full explanation of breach and mitigation steps taken, details of any subjects suffering harm, details of complaints received, etc.
• Implementation of corrective measures.
• Commissioner issues decision, including fines, sanctions, undertakings, corrective steps required, etc.
• Company implements decision.
• Improve data security processes and otherwise continue implementation of corrective measures.
• Seek redress against third parties in breach of contract etc.
Investigating and reporting
• Communication channels need to be controlled.
• Investigation and reporting will be done by various professionals.
• Consider at all times the issue of legal advice privilege, and the extent that it can reasonably attach to work product.
• Clear separation between IT technical investigation/reporting and any form of legal risk analysis, or even comment on breach of law/regulation.
Not ‘if’ but ‘when’ and ‘how bad’: breach readiness
• Part 1: prevention is better than cure…
– IT security audit – are you up to date with all appropriate security measures?
– Physical security audit.
– Audit data processors/service providers to ensure:
  – security measures are appropriate;
  – contractual terms (including data protection clauses) appropriate.
– Employees properly trained (and screened).
– Policies and procedures up to date and appropriate.
Not ‘if’ but ‘when’ and ‘how bad’: breach readiness
• Part 2: rapid response/crisis readiness
– Data breach crisis management team (internal and external) pre-appointed and trained.
– Develop a breach response plan, including emergency numbers for team etc.
– Have a pre-agreed position on when forensic investigation will be used.
– Insurance: consider whether you have coverage; whether you need coverage; what the specific coverage is; how it impacts response.
– Understand what your organisation can cope with itself, what needs to be outsourced, and who you will outsource to.
Disclaimer
Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP, each of which is a separate legal entity, are members (“the Norton Rose Fulbright members”) of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the activities of the Norton Rose Fulbright members but does not itself provide legal services to clients.
References to “Norton Rose Fulbright”, “the law firm”, and “legal practice” are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together “Norton Rose Fulbright entity/entities”). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a “partner”) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity.
The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright.