[BreachExchange] How not to handle a cyber security attack

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 21 20:03:52 EDT 2017


https://www.lexology.com/library/detail.aspx?g=a1bff38b-c971-45ba-91dc-d2e9debdf528

Earlier this month Equifax suffered a major cyber security attack which
resulted in the personal data of an estimated 143 million people being
compromised. The manner in which the company reacted in the aftermath of
the hack is evidence of an organisation that was ill-prepared, and is likely
to trigger investigations on several fronts by several different
regulators.

Not only did the company appear not to have a plan for how to react to an
event of this nature, it seems that it may not have been in compliance with
key data protection principles embodied in current European Union (EU) data
privacy regulation and expanded upon in the new General Data Protection
Regulation (GDPR), which applies across the EU from May 2018.

Gaps in compliance exposed

While most of the affected individuals were thought to be Americans, the
data of more than 44 million British consumers was also feared stolen.
Equifax and its UK subsidiaries count the likes of BT, Capital One and
British Gas as customers in Britain, which means that the personal data of
their customers, and of the customers of hundreds of other British
companies that use Equifax for credit checking, could have fallen into the
wrong hands. Many of those British consumers would not have been aware
that their data had been transferred to, and was being processed in, the
US. The legal basis on which Equifax transferred that data and processed it
outside the EU will be scrutinised by regulators, who can act if the
company is found to have failed to legitimise the transfer and processing
of EU citizens' personal data in a country not seen as providing adequate
safeguards for it. Equifax is also likely to face claims from its
customers, as individual data subjects challenge the legitimacy of the
transfer of their data to the US and seek redress from the EU-based
service providers, such as BT, British Gas and Capital One, with which
those data subjects have contracts.

Bungling the clean-up

In the aftermath of the attack Equifax set up a website where consumers
could check whether they had been affected. However, they could only
access that information if they waived any rights to sue Equifax. The
company later changed the website to remove the waiver, but consumers who
wanted to freeze their credit files were initially asked to pay for it.
That certainly does not seem to be in the spirit of taking mitigating
steps to minimise further damage and loss flowing from the initial breach.
To top it all, senior Equifax executives sold shares after the breach had
been discovered but before it had been made public. The company insists
there was no insider trading, as the executives who sold their shares in
the days after the breach was discovered did not themselves know about
it. That is, in itself, a cause for concern: a breach of that nature
should have been communicated to decision makers within Equifax without
delay as part of a well-executed mitigation and disaster recovery plan,
which would also have included instructions regarding share dealing by
directors and employees at such a time.

On the regulatory radar

Lawyers and regulators are queuing up to investigate not only the
circumstances of the breach, to determine if there was anything that
Equifax could have, and should have, done to prevent it, but also the
actions taken after the breach was discovered.

It seems that Equifax's lack of a plan, or failure to smoothly execute a
plan, to address the issue, mitigate further damage and restore the
confidence of its customers and, in turn, their customers, will damage its
reputation and its business for a long time to come. Add to that its
apparent lack of transparency in transferring and processing the personal
data of millions of EU customers, to and in the US, potentially without
having a legitimate mechanism for doing so, and Equifax could well find
itself under further scrutiny.

The cost of lack of planning

Failure to put in place lawful and robust data processing procedures and
failure to formulate a plan and ensure that it was communicated and
executed upon could prove to be very costly. It could also prove costly for
Equifax’s customers that used its services to check on the credit ratings
of their EU-based consumers without ensuring that Equifax was either only
processing the personal data within the EU or transferring it by legitimate
means to the US for processing there.

How to do better

So what should Equifax have done to save itself the bad press and the
costly investigations which must surely now follow?

It is not the only organisation to suffer a high-profile cyber security
attack. They are on the increase as hackers get more and more sophisticated
and security solutions struggle to keep up with the infiltration methods of
the perpetrators. As a result, it is now more than a question of
concentrating efforts on preventative measures.

Organisations need to take a multi-layered approach.

- Firstly, preventative measures are still paramount: building systems with
robust security is key.
- Secondly, having built the secure system, organisations also need to
maintain it: keep the security up to date, plug gaps as they are found and
make improvements, such as segregating data into separately secured sets so
that a single intrusion does not expose everything. Organisations need to
be smarter about the way they store data.
- Thirdly, build internal policies and procedures and ensure that those
accessing and handling personal data and other sensitive company data and
secrets are educated on the importance of security and follow the policies
and procedures designed to protect the integrity of that data.
- Lastly, but certainly not least important, establish a plan for what to
do if a breach occurs, so that its effects are mitigated, disaster recovery
steps are taken as quickly as possible and communication is effective. This
should include making an informed assessment of whether notification of the
breach to data controllers and/or regulators and data subjects is required;
communicating with regulators and data subjects, as required or by choice,
to restore confidence; and using technological solutions to recover lost
data and re-secure storage and processing systems as quickly as possible.

Focus on what to do in the aftermath

Focusing on mitigation and disaster recovery is relatively new to
technology companies, which tend to put all of their energy and resources
into prevention. Slowly, companies are learning that to avoid the
embarrassment of an Equifax-style bungle they need to plan in advance how
to react to a data breach. This includes having a plan that applies to all
data controllers and processors in a chain of processing activities and
that includes effective communication and cooperation with data privacy
regulators.

In the Equifax case, its customers would also have needed to communicate
with their customers regarding the breach. The likes of BT, British Gas,
Capital One and other EEA-based organisations using the services of Equifax
to credit score their customers may also need to demonstrate to regulators
that they had carried out adequate due diligence on the processing
activities of Equifax and taken all necessary steps to ensure that Equifax
processed personal data relating to their customers in compliance with the
relevant data privacy laws and regulations.

Securing data as an asset and not a liability

While data is an asset of most organisations today, it is also a liability
where it is not properly secured and where the processing activities are
not properly documented and traced, as the loss and damage associated with
a leak of such data can outweigh the advantages of holding it. While it is
impossible to prevent cyber security attacks altogether, the amount of data
that is compromised, and the manner in which such attacks are handled and
the leaks redressed, are key.