Responding to data breaches
DIFC Outreach Session, June 2013
Dino Wilkinson, Partner, Norton Rose Fulbright (Middle East) LLP
4 June 2013

Agenda
• The importance of data security
• Consequences of breach
• Role of the DIFC Commissioner of Data Protection
• Role of the DFSA
• Managing a data breach crisis: timeline and key practical steps

The importance of data security
Four headlines, all involving financial institutions:
• 'Misfeed' mixes up thousands of Santander customer statements (24 December 2010): thousands of UK customers of Spanish banking giant Santander received statements on which other customers' information had been printed.
• Eight charged in US over $45 million cyber crime on UAE and Oman banks (10 May 2013): an international crime gang stole US$45 million from RAKBank and BankMuscat, in one of the biggest cyber frauds to hit the Middle East.
• IMF hit by 'very major' cyber security attack (12 June 2011): the International Monetary Fund said it was targeted by a sophisticated cyber attack earlier that year, causing "a very major breach" of its systems.
• Bank fined £3m for data loss (22 July 2009): the Financial Services Authority fined HSBC £3m for failing to properly look after its customers' information and private data.
Note that two of the four are not attacks at all: a printing misfeed and unencrypted CDs lost in the post. A breach response plan has to cover process failures as well as intrusions.

Enforcement powers of the DIFC Commissioner of Data Protection
• Appointed pursuant to Article 22 of the DIFC Data Protection Law.
• The Commissioner plays a key role in enforcement of the Law.
• Authorises sensitive data processing and transfers of personal data outside the DIFC.
• The first point of contact for:
  – data subjects with complaints about processing;
  – information and guidance;
  – notification, in the event that a data controller finds itself in breach of the Law.
• The Commissioner can take appropriate action against those in breach of the Law.
• Article 26(1): the Commissioner has "such powers, duties and functions as conferred on him under this Law and any Regulation made under this Law", including:
  – accessing personal data processed by data controllers/processors;
  – issuing warnings or admonishments and making recommendations to data controllers;
  – imposing fines in the event of non-compliance with its directions;
  – imposing fines for non-compliance with the Law and any Regulations;
  – initiating a claim for compensation on behalf of a data subject before the Court where there has been a material contravention of the Law to the detriment of the data subject.
• Article 26(4): the Commissioner has "power to do whatever he deems necessary, for or in connection with, or reasonably incidental to, the performance of his functions".

Failure to comply with DFSA requirements
• DFSA enforcement action.
• Financial penalties? Two UK examples of what a financial regulator will fine for:
  – July 2009: the FSA fined HSBC more than £3 million for the "careless" handling of confidential details of tens of thousands of its customers, after unencrypted CDs holding customer details were lost in the post.
  – August 2010: the FSA fined Zurich Insurance c.£2.3 million for failing to have adequate systems and controls in place, resulting in the loss of over 46,000 customers' personal details.

Consequences continued: apart from the regulators
• Significant cost in senior management time.
• Mitigation costs can be very significant (e.g. investigations and root cause analysis; a helpline for affected data subjects; legal, PR and IT professionals' fees; restoration of data).
• Reputation and trust damaged.
• Loss of business.
Data breach crisis: four key stages
• Stage 1: contain the breach; initial assessment.
• Stage 2: evaluate the seriousness, risk level and potential prejudice the breach represents.
• Stage 3: consider notifications, and implement them if appropriate; mitigate risk to data subjects.
• Stage 4: remedial steps to prevent future breaches.

Data breach timeline (timings are approximate only)
• Day 0: breach discovered.
• Breach Day +[75?]: Commissioner/regulators deliver final opinion/sanctions; rights enforced, etc.
• Remedial work continues beyond that point.

Timeline: Breach Day and BD +1
Day of Breach, am:
• Customer services notified by a customer of the breach.
• In-house compliance, legal and IT functions all notified.
• IT takes immediate action to secure the data (note: a decision on forensics is required before this work starts; see "Key preliminary issues" below).
Day of Breach, pm:
• Initial estimate suggests that data relating to over [X] data subjects has been released.
• In-house legal/compliance contacts external counsel.
• Preliminary assessment begins.
Breach Day (BD) +1:
• External legal advisers appointed.
• External IT security specialists instructed.
• External PR and communications advisers instructed.
• Insurance: insurer notified.

Key preliminary issues to consider
• Insurance
  – Are you covered? Look at liability insurance policies: civil liability insurance, directors' and officers' liability insurance, pension trustee liability insurance, or specific data breach/cyber risk insurance.
  – What is covered? Mitigation costs could be substantial for a significant data breach; also defence costs, investigation costs and PR costs.
  – Practical steps: notify the insurer; do not incur claim-related costs without consent; do not prejudice the insurer's rights, admit liability or settle a claim.
• Forensics
  – Initial breach containment and investigation steps can delete or degrade the forensic record: rebuilding or patching affected hosts, rebooting them (which loses whatever was in memory) and routine log rotation all destroy evidence.
  – If securing evidence around the breach is important (e.g.
suspicion of data theft, a need to identify the individuals responsible or involved, or a need for evidence of failures by third-party suppliers/processors), then an immediate decision is needed as to whether forensic imaging should be conducted before containment work begins.

Mitigation step plan
• The Response Team agrees and implements the Mitigation Step Plan:
  – Ensure the breach is contained.
  – Initial assessment of risk and damage.
  – Assessment of regulator notification obligations.
  – Initial notifications to be made.
  – Further investigation to understand fully the extent, causes and implications of the breach.
  – Assessment of whether to notify data subjects, and if so, how.
  – Implement subject notification, putting in place systems to manage data subject responses and relevant assistance to subjects, such as credit check services.

Notifications: DIFC Commissioner of Data Protection
• Article 16(4), DIFC Data Protection Law: "In the event of an unauthorised intrusion, either physical, electronic or otherwise, to any Personal Data database, the Data Controller or the Data Processor carrying out the Data Controller's function at the time of the intrusion, shall inform the Commissioner of Data Protection of the incident as soon as reasonably practicable."
• Other breaches resulting in the loss, breach or compromise of personal data (misdirected post or lost media, for example, rather than an intrusion): no legal obligation under DIFC law to report, but the Commissioner recommends notification depending on the detriment to data subjects.
• Key factors for the notifying party to consider:
  – Harm to data subjects (including emotional distress and physical/financial damage).
  – Volume of data.
  – Sensitivity of data.
  – What view will the Commissioner take if not notified at the outset?
• What if a breach is reported to the Commissioner?
  – The Commissioner considers (i) the nature of the breach; (ii) the seriousness of the breach; and (iii) the adequacy of any remedial action, before determining the appropriate course of action.
  – Possible courses of action: record the breach and take no further action; or investigate the circumstances of the breach and any remedial action, which could lead to (i) no further action; (ii) a requirement for the data controller to undertake a course of action to prevent future breaches; or (iii) formal enforcement action turning such a requirement into a legal obligation.

Notifications: DFSA
• Consider other relevant notifications, for example to the DFSA.
• DFSA Rulebook, GEN 11.10 (Notifications): an Authorised Person must advise the DFSA immediately if it becomes aware, or has reasonable grounds to believe, that any of the following matters may have occurred or may be about to occur:
  – any matter which could have a significant adverse effect on the Authorised Person's reputation;
  – a breach by the Authorised Person or any of its Employees of any requirement imposed by any applicable law;
  – any significant failure in the Authorised Person's systems or controls, including a failure reported to the Authorised Person by the firm's auditor.

Notifications: other bodies
• Police: if a criminal offence is suspected.
• International bodies/regulators: if the firm is regulated elsewhere or the breach relates to overseas data subjects.
• Banks, credit card companies, credit reference agencies: if it would help to prevent fraud.

Notifications: to data subjects
• In the UAE there are no mandatory notification obligations.
  – Consider the potential prejudice to the data subject.
  – Would notifying data subjects mitigate the risks to them caused by the breach?
  – The UK FSA provides useful guidance about when individuals should be notified of security breaches involving financial information (Data Security in Financial Services, April 2008): "When customer data is lost, consumers that are affected have a right to know the enhanced personal risk they face so they can take adequate precautions. Even if there is no evidence of theft or fraud, it is good practice for firms to inform affected customers of a data loss in writing, unless the data is encrypted or there is law enforcement or regulatory advice to the contrary. Firms should consider telling affected consumers exactly what data has been lost, give them an assessment of the risk and give advice and assistance to consumers at a heightened risk of identity fraud."
• The notification itself: non-alarming in tone; shows the situation is under control; gives practical steps to mitigate risk (e.g. notify banks and other relevant entities); gives a number to contact with enquiries (and be ready for the enquiries); and states whether you will offer compensation.

Timeline: Week 1
BD +2 to 4:
• PR plan formulated and draft statement prepared.
BD +5 to 6:
• Source of the leak notified; rights reserved.
• Results of the initial investigation made available, confirming the total amount of data released and other basic facts.
• Commissioner and other applicable regulators updated.
BD +7:
• IT security specialists verify that all data is now secure and check all systems for ongoing security.
• Regulator acknowledges the firm's self-reported breach.
• Preliminary risk assessment completed.
• A potential new third-party service provider is identified and IT specialists perform due diligence.
• Assessment made as to whether data subjects should be notified, and how.
BD +8:
• Team assesses how data subjects will be handled (helplines; points of contact; assistance required, e.g. credit check services).
• Team prepares the first draft of the notification letter to be sent to affected data subjects.
• Insurer given notice and opportunity to comment.
• Insurers updated.

Timeline: Week 2
BD +9 to 10:
• Credit check provider appointed, contract agreed.
• Helpline provider appointed, contracts agreed.
• Internal resources, including IT services to handle subject contact, set up.
• Helpline operatives briefed by the PR team.
• Internal helpline staff briefed.
• Subject notification letters finalised.
• Internal processes for logging calls/complaints and actioning requests formulated and agreed.
• Company stress-tests the helpline and other services in advance of notification.
BD +11:
• Data subject notifications dispatched.
• Intense period begins, handling data subjects' queries and complaints.
BD +14 to 15:
• Updated report sent to the Commissioner.

Timeline: Weeks 3 and 4 (BD +16 to 29)
• Commissioner sends initial comments on the breach, seeking further information.
• Full root-and-branch investigation commenced, to include reporting on the details of the breach, the IT/forensic record, how the breach occurred, the security measures in place, and shortcomings and weaknesses.
• Recommendations for remedial measures.

Timeline: Week 4+
Breach Day +40:
• Full response provided to the Commissioner: full explanation of the breach and mitigation steps taken, details of any subjects suffering harm, details of complaints received, etc.
• Implementation of corrective measures.
Thereafter:
• Commissioner issues decision, including fines, sanctions, undertakings, corrective steps required, etc.
• Company implements the decision.
• Improve data security processes and otherwise continue implementation of corrective measures.
• Seek redress against third parties in breach of contract, etc.

Investigating and reporting
• Communication channels need to be controlled.
• Investigation and reporting will be done by various professionals.
• Consider at all times the issue of legal advice privilege, and the extent to which it can reasonably attach to work product.
• Keep a clear separation between the IT technical investigation/reporting and any form of legal risk analysis, or even comment on breach of law/regulation: the technical report is likely to go to the regulator, so it should record facts, not legal conclusions.

Not 'if' but 'when' and 'how bad': breach readiness
• Part 1: prevention is better than cure.
  – IT security audit: are you up to date with all appropriate security measures?
  – Physical security audit.
  – Audit data processors/service providers to ensure that:
    – security measures are appropriate;
    – contractual terms (including data protection clauses) are appropriate.
  – Employees properly trained (and screened).
  – Policies and procedures up to date and appropriate.
• Part 2: rapid response/crisis readiness.
  – Data breach crisis management team (internal and external) pre-appointed and trained.
  – Develop a breach response plan, including emergency numbers for the team, etc.
  – Have a pre-agreed position on when forensic investigation will be used, so the decision is not made for the first time on Breach Day while evidence is being overwritten.
  – Insurance: consider whether you have coverage, whether you need coverage, what the specific coverage is, and how it affects the response.
  – Understand what your organisation can cope with itself, what needs to be outsourced, and to whom.

Disclaimer
Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP, each of which is a separate legal entity, are members ("the Norton Rose Fulbright members") of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the activities of the Norton Rose Fulbright members but does not itself provide legal services to clients.
References to "Norton Rose Fulbright", "the law firm", and "legal practice" are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together "Norton Rose Fulbright entity/entities"). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a "partner") accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity.

The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright.