
How to handle data breach incidents under GDPR


A presentation to senior UK public sector insurance and risk management executives on data breach response communications challenges and best practices


  1. CIPFA Insurance Summit, London, 16 October 2018. Damned if you don't, damned if you do: how to handle data breach incidents under GDPR
  2. Agenda
     • Introduction
     • Data breaches, GDPR & reputation
     • GDPR breach response case studies
     • Preparing for data privacy incidents and crises
     • Wrap-up
  3. About Charlie Pownall (charliepownall.com)
     • Founder and Managing Director at CPC & Associates
     • Faculty at Johnson & Johnson Center for Leadership & Learning
     • Chairman, Communications & Marketing Committee at The American Chamber of Commerce in Hong Kong
     • Regional Managing Director (Asia-Pacific) at Burson-Marsteller
     • Group Communications Manager at WPP plc
     • Group Communications Director at SYZYGY AG
     • Speechwriter at the European Commission
     • Journalist at Reuters
  4. (Image slide; no text extracted)
  5. Cyber is top business risk. Source: Allianz Risk Barometer 2018
  6. A sobering challenge
     • Average of 146 days to detect a breach
     • Many companies experience multiple attacks a day
     • Every sector and size of organisation is exposed
     • Constantly evolving modes of attack
     • Wide range of hackers, including criminal groups, nation states, hacktivists, insiders, competitors and script kiddies
     • Average cost per breach: USD 3.86m, and rising (source: Ponemon Institute/IBM, 2018)
     • Tougher regulatory and reporting environment
     • Privacy and security are high-profile public and political issues
     • Potentially serious direct and indirect damage to victims and companies
  7. Potentially serious, lasting impact
     • Financial (direct): legal, IT, customer service and PR costs of £60m
     • Financial (indirect): year-on-year revenue 2.4%; year-on-year profits -56%; share price -29% (USD 1.4bn)
     • Legal/regulatory: record £400k fine; subsequent £100k fine for failure to prevent Wipro customer service scams; parliamentary inquiry into cybersecurity and privacy
     • Reputational impact: loss of 101k+ customers due to poor IT security, contract terminations, etc; CEO resignation
     • Reputational performance: company reputation lagged peers by 2-3%; customer satisfaction +23%; trust in brand +8%
  8. Selected ICO data breach fines (UK, 2018)

     | Organisation | Type | Fine (GBP) |
     |---|---|---|
     | Heathrow Airport | Data loss | 120k |
     | BUPA Global | Data leak | 175k |
     | Equifax | Data theft | 500k |
     | Independent Inquiry into Child Sexual Abuse | Data leak | 100k |
     | Gloucestershire Police | Data leak | 80k |
     | British & Foreign Bible Society | Data theft | 100k |
     | Bayswater Medical Centre | Data loss | 35k |
     | University of Greenwich | Data theft | 120k |
     | Yahoo! UK | Data theft | 250k |
     | Crown Prosecution Service | Data loss | 325k |
     | Royal Borough of Kensington & Chelsea | Data leak (FOI) | 120k |
     | Humberside Police | Data loss | 130k |
     | Carphone Warehouse | Data theft | 400k |
  9. Cyber/data breach impacts are underestimated. Source: Allianz Risk Barometer 2018
  10. Indirect costs outweigh direct costs. Source: Ponemon Institute/IBM, 2018
  11. Discernible post-breach customer churn. Source: Ponemon Institute/IBM, 2018
  12. Data breaches are great media stories
     • Political, social and legal hot topic
       – Geopolitics
       – Government and industrial espionage
       – Litigation, class action lawsuits
       – Security, privacy, freedom of expression, confidentiality, etc
     • Crime and corporate wrongdoing
       – Hackers, dark web, cybercrime, extortion, bitcoin, etc
       – Whistleblowers, corporate malfeasance, tax avoidance, discrimination, compensation, double standards, etc
     • Inside view of the company
       – Employees, leadership, etc
  13. And tough communications challenges
     • Unclear facts and messaging
     • Need for consistency
     • Complex, technical, emotive issue
     • Rumour and speculation
     • Hacker professionalism
     • Cybersecurity community opportunism
     • Potential for leaks and/or smoking guns
     • Poor leadership cyber knowledge and skills
     • Legal/criminal limitations on what you can say
     • Length and public nature of regulatory investigations
     • Potential for separate incidents to bleed into each other
  14. GDPR raises the bar
     • Stronger personal rights
     • Statutory right to compensation
     • Stronger security
     • DPOs
     • Mandatory risk assessment
     • Mandatory archiving
     • Mandatory notification
     • Mandatory transparency
     • Higher fines

     Leading to:
     • Increased awareness & expectations
     • Potentially greater liability than fines
     • Possibility of lasting reputational damage
  15. Greater onus on responding right under GDPR (diagram: an incident response toolbox grouped under COMMS, LEGAL, MGMT and TECHNICAL)
     • COMMS / LEGAL / MGMT levers shown: rectify, suppress, retract, reframe, acknowledge, explain, deny, notify, undermine, diminish, arbitrate, justify, strengthen, modify, analyse, compensate, connect, empower, deflect, litigate, listen
     • TECHNICAL levers shown: contain, remediate, replace, strengthen, restore, resume, investigate
  16. Breach communications challenges under GDPR
     • Evaluation & notification
       – Need to disclose publicly as soon as possible without knowing the full facts
       – Desire not to alarm customers, media, investors, etc unnecessarily
       – Grey areas: timing, level of risk, loss of data availability
       – Perils of multi-phase public communication
     • Transparency & accountability
       – Assumed guilty until proven innocent
       – Pressure to handle complaints, rumours and allegations quicker, more openly and more decisively
       – Pressure for senior leadership to take responsibility publicly
       – Pressure to publish investigative report
  17. (Image slide; no text extracted)
  18. (Image slide; no text extracted)
  19. (Image slide; no text extracted)
  20. (Image slide; no text extracted)
  21. (Image slide; no text extracted)
  22. Data breach incident lessons under GDPR
     • Swift, decisive action is required to address the problem
     • Notify regulator(s) if in doubt
     • Accurate, open, honest and empathetic communication is critical to rebuilding trust
     • Strong, visible leadership fosters confidence and credibility
     • Context and perception are critical in determining business and reputational impact
     • Smart organisations focus on long-term reputation instead of short-term damage and losses
     • Good crisis management may not save your reputation
  23. Preparing for data privacy incidents: four critical foundation stones for effective cyber protection and response
     • Cyber risk assessment
     • Incident response team
     • Incident response plan & playbooks
     • Incident response training
  24. Cyber risk assessment (example). Diagram: a matrix rating each impact category (financial theft or fraud; theft of intellectual property/strategic plans; business disruption; destruction of critical infrastructure; theft or loss of data; privacy; threats to life and safety; legal and regulatory) against each threat actor (organised criminals, rogue hackers, hacktivists, nation states, insiders, third parties, competitors) on a scale of severe, high, moderate or low. The individual cell ratings were not extracted.
  25. Data breach incident reputation drivers (the slide labels these as primary and secondary)
     – Volume and sensitivity of the data/information involved
     – Degree of culpability: core/systemic vs peripheral/one-off event
     – Degree of scrutiny: media, public, regulatory, political
     – Quality of response: corrective action, timeliness, transparency, empathy
     – Timing: company/marketplace
     – Degree of visibility: tier one public vs small private
     – Reputation: actual and historic, including strength of relationships
     – Nature of industry: regulated, controversial, emerging, etc
     – Nature of business: B2C vs B2B vs B2B2C
     – Nature of market: open/competitive vs protected/monopolistic
  26. Incident Response Team
     • Lean, well-honed core team empowered to take decisions quickly
       – Security/IT, Legal, PR/Communications, Customer service, Finance/HR
     • Specialist investigation and response service providers, able to deliver immediate, high-quality support
       – Forensics, Legal, Notification, Identity & credit monitoring
       – PR/Communications
     • Consider regional/local requirements
  27. Incident Response Plan
     • A clear, concise, usable document
     • Based on a living structure
     • Owned by all levels involved
     • Embeds everyday processes and procedures
     • Ensures effective escalation and notification
     • Prevents serious errors taking place
     • Takes a broad view: not IT/cyber-centric
     • Links to IR Playbooks, Crisis Plan, Business Continuity Plan, Recovery Plan
     • Owned and managed by the Incident Response Team
     • Regional/local variants, where appropriate
     • Accessible, usable and updated regularly
     • Consistent with company values
  28. Incident Response Plan elements
     • Agreed priority threats
       – Data theft
       – Data leak
       – Data loss/exposure
       – IP theft
       – etc
     • Team members and R&Rs
     • Policies and protocols
     • Key stakeholders: external, internal
     • Contacts, including suppliers & partners
     • Appendices
       – Statements, checklists, forms

     Communications plan
     • First response protocol
     • Media handling protocol
     • Spokesperson/people
     • Primary and secondary stakeholder audiences
     • Communications channels and materials
     • Pre-approved holding statements
  29. Incident Response Playbooks
     • For common and priority threats
       – Phishing/malware
       – DDoS attack
       – Ransomware attack
       – etc
     • Whole incident response lifecycle
       – Preparation
       – Detection, analysis
       – Containment, eradication, recovery
       – Closure, analysis, prevention
     • Mandatory & best practice actions
     • Extend to Legal, Communications, etc
  30. Incident Response levers
     • MGMT: leadership, privacy, risk/audit, finance, HR, etc
     • LEGAL: investigations, advisory, disputes, removals, etc
     • COMMS: PR, marketing, customer service, internal communications, investor relations, corporate/public affairs, digital/social media, etc
     • TECHNICAL: IT, security
  31. Incident Response toolbox (diagram, grouped under COMMS, LEGAL, MGMT and TECHNICAL)
     • COMMS / LEGAL / MGMT levers shown: rectify, suppress, retract, reframe, acknowledge, explain, deny, threaten, undermine, diminish, notify, justify, strengthen, modify, analyse, compensate, connect, empower, deflect, litigate, listen
     • TECHNICAL levers shown: contain, remediate, replace, strengthen, restore, resume, investigate
  32. Testing, reviewing and updating your plan(s)
     • Focus on priority threat(s)
     • Strategy, decision-making, teamwork, responsibilities, skills
     • Multi-disciplinary or functional team
     • Types of crisis training
       – Tabletop
       – Digital/social media simulation
       – War gaming
       – War room
       – Full-scale
     • Test regularly
     • Record, review and adopt learnings
  33. Takeaways
     • Cyber risk is a fact of life
     • A business issue, not an IT/cyber issue
     • Direct impact on value and reputation
     • GDPR increases reputational risk
     • Respond quickly, decisively, openly and honestly
     • Prepare thoroughly
  34. Questions
  35. Thank you. +44 20 3856 3599 | cp@charliepownall.com | linkedin.com/in/charliepownall | https://www.slideshare.net/cpownall | charliepownall.com
