Responding to a data theft incident
You’ve just heard that a former employee may have hacked your IT system and taken some confidential data – what do you do next?
When most people contemplate a cyber-attack on their company’s IT system, they immediately think about external threats (for example, the unknown hacker out to steal bank details or hold your data to ransom). However, a very real cyber threat is an internal one – namely the threat posed by a company’s own workforce, be that as a result of some negligent action on the part of an existing employee, or the deliberate action of a departing employee who may be working their notice period. Your systems may also be vulnerable to former employees who are no longer actually working within the business, but who retain the knowledge and means to gain entry to your network.
Either way, it is crucial to prepare for the worst and to have an easily accessible response plan in place that will help you to respond to any data theft incident. Such a plan can provide much-needed clarity at a time of panic and crisis.
Key points to cover in an incident response plan include:
- Who should you alert and when?
- What actions should be taken and what is the order of priority?
- How can you mitigate any damage?
Each of these points is addressed in more detail below.
Who do you alert?
Timing can be crucial when it comes to managing the risks posed by a cyber incident and seeking to keep control of the situation. The right people need to be notified and engaged as soon as possible.
Each business will be different, with its own organisational structure and reporting lines. Precisely which individuals need to be engaged will depend to a large extent on the structure in place and what type of incident you are dealing with. However, when dealing with a data theft incident, typical individuals to notify may include:
- Senior decision-makers (such as the chief executive and other key board members);
- IT staff (both internal staff and external providers);
- Legal providers/law enforcement – in the UK you can report any cyber-related incident to Action Fraud, the national reporting centre for fraud and cyber crime. You might also engage a solicitor in order to help manage any investigation under the protection of legal professional privilege, to prevent misuse and to recover your losses;
- Any relevant regulators, such as the Information Commissioner's Office (ICO) and any sector-specific regulators; and
- HR / PR staff to help manage communications, be that internal or (if necessary) external.
Considering in advance who needs to be contacted and when, and having their contact details to hand, can be extremely helpful when time is pressing and there are numerous competing priorities to contend with.
Crucially, where personal data is concerned, the General Data Protection Regulation (GDPR) may require you to notify the ICO within 72 hours of becoming aware of any breach. You may also be obliged to inform any affected individuals directly.
Failure to comply with the provisions of GDPR can lead to significant fines, so any reporting obligations should be carefully observed.
What actions should you take after the incident takes place?
The next step may seem obvious, but once you have assembled your response team you need to start an urgent investigation into precisely what has happened. It is only once you understand what you are dealing with that you can plan your response accordingly and regain control of the situation.
For example, do you understand what type of attack has occurred? Is it the case that a trusted employee has attempted to misappropriate your confidential and commercially sensitive information for their own commercial gain, or has a disgruntled former employee somehow gained access to your network and taken sensitive data relating to your workforce, which he or she plans to release into the public domain or use for their own purposes? How did this occur and how were technical safeguards and process controls bypassed? Are there broader implications of confidential data being stolen, for example an elevated risk of fraud to your customers?
Whatever has happened, it will often be crucial to get expert technical assistance as a matter of urgency. It is often necessary to involve your own IT department in this exercise, but you should also consider specialist external support. This will help to:
- Work out what you are dealing with and how it was caused
- Preserve evidence in a forensically sound manner from relevant devices, enterprise systems, cloud services and backups, including raw unstructured data, log data, and metadata (which is essentially data about data)
- Reveal the culprit’s identity and the activities leading up to the incident, including the potential scope and magnitude of the breach
- Assess whose data has been breached and any categories of sensitive personal data that may have been present
- Rebuild your defences, so that preventative measures can be put in place to protect against immediate damage and loss as well as similar incidents in the future.
What steps do you need to take to mitigate damage?
Depending on precisely how your IT systems have been compromised, your IT department or external provider should be able to help you to perform any immediate containment activities to limit the breach and to reduce the risk of ongoing impact. They can also help to identify and secure vulnerable endpoints, restore or rebuild affected systems, and improve your security controls to guard against future attacks.
Once you have notified the relevant people and launched an investigation, the next step is to set about managing communications, both internally if necessary (e.g. with staff) and also externally (e.g. with the ICO, any affected individuals and even the media). A highly publicised cyber incident has the ability to create long-lasting damage in the form of negative press, reduced customer confidence and loss of future business opportunities. Managing the flow of communications proactively and sensitively can therefore help to limit that damage and prevent a potential PR nightmare.
If a data breach report to the ICO is necessary, you should also be prepared for an ongoing dialogue. You will be expected to be able to justify your actions and to explain how you are dealing with the situation.
You should also consider whether any civil remedies can be used to protect your business even further and to secure possible compensation. For example:
- Where your confidential information has been taken by someone identifiable (e.g. a former employee), it is often possible to apply to court for urgent interim relief, which can secure the delivery up of any misappropriated data and/or restrain any continued misuse; and
- It might also be possible to hold any liable parties to account, for example a third-party technical consultant who had contractual duties to keep your data safe and secure.
Engaging lawyers as part of your response plan will help to ensure that any such remedies are discussed and, if available, secured. It should be noted that where interim relief through the courts is concerned, time can be of the essence and the sooner you are able to mobilise with the necessary application to court, the better. This also prevents any wrongdoer from adding insult to injury by relying on their employment rights or making their own claim, as well as denying liability for their actions.
Plan your response
As noted at the outset of this article, it is important to have a well-documented response plan in place before any cyber incident happens. The better prepared you are for when an incident does occur, the quicker you will be able to respond and limit any damage sustained.