Responding to a data breach

May 2021  |  FEATURE  |  RISK MANAGEMENT

Financier Worldwide Magazine

May 2021 Issue


Cyber attacks and data breaches can have a hugely negative impact on brand perception, investor confidence and company valuation. As a result, organisations must put preventative measures in place to mitigate the risks, as well as responsive solutions to limit the impact if they do fall victim.

2020 was another significant year for data breaches. According to RiskBased Security (RBS), there were 3932 publicly reported data breaches last year, compromising over 37 billion records. Though compared to 2019 the number of publicly reported breach incidents decreased by 48 percent, the total number of records compromised increased by 141 percent – by far the most exposed in a single year since RBS reporting began in 2005.

Companies often fall victim to cyber attacks in the form of phishing, brute force attacks and malware. A successful attack may not just expose the records and sensitive data of individuals, but also damage a company’s reputation and bottom line.

According to The Ponemon Institute, in its May 2017 ‘The Impact of Data Breaches in Reputation and Share Value’ study of 113 publicly traded companies that had experienced a data breach involving the loss of customer or consumer data, 71 percent of senior level marketing/communications personnel surveyed agreed that loss of brand value and reputation was the biggest cost, and a top impact, of the breach.

In addition, regulators are increasingly concerned about breach notification and response. Companies are under pressure to keep data safe but also to act quickly and transparently in the event of an incident. A slow, erroneous or non-existent response may result in fines.

Ready to react

Thus, should the worst occur and a company suffer a data breach, it is imperative that a comprehensive response plan is in place to save time and reduce stress. “The two most important aspects of a data breach response plan are built-in flexibility and clearly defined roles with delineated responsible parties’ lines of communication,” says Billee Elliott McAuliffe, a member at Lewis Rice LLC. “Flexibility is important because not all data breaches are the same, from the types and amounts of data disclosed to the sensitivity or impact of the data. Businesses should not respond to every data breach in the same way and the response plan should incorporate flexibility to all aspects of the plan to allow for differences in data breaches.”


But according to Liisa Thomas, privacy and cyber security practice group leader at SheppardMullin, companies may be unclear on when to trigger their incident response plan (IRP). “Determining if a small situation rises to the level of ‘launching the plan’ is not always straightforward,” she suggests. “There are many steps that companies can take to think this through, one of which is the IRP simulation. While it is tempting to run a simulation for a potential ‘big breach’, it can often be more helpful to practice the kick-off – namely, whether or not the company is facing an incident that would require use of the plan.”

Following a breach, there are a number of lessons companies can learn. One is that having strong security structures and assigned personnel means that the company can act promptly and disclose the breach if necessary, which can minimise the long-term effect. “Think of the Uber data breach, the year-long cover up of that breach and the prosecutions that arose thereafter as the worst-case scenario for the failure to not promptly notify individuals,” says Ms McAuliffe. “Businesses can avoid the issue and the scrutiny by quickly and efficiently remediating the issue and notifying the appropriate persons as soon as possible.”

A crucial element of success is the response team itself. “A strong, well-designed response team is a crucial component of any response plan,” says Ms McAuliffe. “The individuals who comprise the response team need to have the appropriate expertise, communication and decision-making skills, and authority to get things done in a timely and effective manner.

“Who comprises the team is also very important,” she continues. “The response team members should include senior persons from each of the sub-areas that will be responsible for the different aspects of the response, including information technology, security, privacy, human resources, risk management, legal, communication, investor relations, customer relations, vendor relations and management.”

As Ms Thomas points out, the evolving nature of cyber attacks and other threats makes it important to create response processes that are dynamic. “The risks that give rise to possible data breach incidents in many ways are unlike other risks a company faces,” she says. “They are not always preventable, nor are they the type of strategic risks a company may be willing to assume. Instead, many of the risks are external and beyond a company’s control. Trying to approach mitigation using tools designed for preventable or strategic risks will thus not necessarily work. Instead, companies would be well served when designing their risk management process and preparing to address future incidents to consider what type of risk they are facing and how best to mitigate it.”

© Financier Worldwide


BY Richard Summerfield

