Responding to data breaches DIFC Outreach Session Dino Wilkinson Partner Norton Rose Fulbright (Middle East) LLP 04/06/13



Page 2

DIFC Outreach Session June 2013

Agenda

• The importance of data security
• Consequences of breach
• Role of the DIFC Commissioner of Data Protection
• Role of the DFSA
• Managing a data breach crisis: timeline and key practical steps

Page 3


The importance of data security

'Misfeed' mixes up thousands of Santander customer statements – Dec 24, 2010 – Thousands of UK customers of Spanish banking giant Santander received statements on which other customers' information had been printed ...

IMF hit by 'very major' cyber security attack – Jun 12, 2011 – The International Monetary Fund says it was targeted by a sophisticated cyber attack earlier this year, causing "a very major breach" of its systems …

Eight charged in US over $45 million cyber crime on UAE and Oman banks – May 10, 2013 – An international crime gang has stolen US$45 million from RAKBank and BankMuscat, in one of the biggest cyber frauds to hit the Middle East.

Bank fined £3m for data loss – Jul 22, 2009 – The Financial Services Authority has fined HSBC £3m for failing to properly look after its customers' information and private data.

Page 4


Enforcement powers of the DIFC Commissioner of Data Protection

• Appointed pursuant to Article 22 of the DIFC Data Protection Law.
• Commissioner plays a key role in enforcement of the Law.
• Authorisation of sensitive data processing and transfers of personal data outside the DIFC.
• The first point of contact for:
– data subjects with complaints about processing;
– information and guidance;
– notification – in the event that a data controller finds itself in breach of the Law.
• Commissioner can take appropriate action against those in breach of the Law.

Page 5


Enforcement powers of the DIFC Commissioner of Data Protection

• Article 26(1): Commissioner has “such powers, duties and functions as conferred on him under this Law and any Regulation made under this Law”, including:
– accessing personal data processed by data controllers/processors
– issuing warnings or admonishments and making recommendations to data controllers
– imposing fines in the event of non-compliance with its directions
– imposing fines for non-compliance with the Law and any Regulations
– initiating a claim for compensation on behalf of a data subject before the Court where there has been a material contravention of the Law to the detriment of the data subject

• Article 26(4): Commissioner has “power to do whatever he deems necessary, for or in connection with, or reasonably incidental to, the performance of his functions”

Page 6


Failure to comply with DFSA requirements

• DFSA enforcement action
• Financial penalties?
– UK example: July 2009, HSBC fined more than £3 million for the “careless” handling of confidential details of tens of thousands of its customers, when unencrypted CDs holding customers’ details were lost in the post.
– UK example: August 2010, the FSA fined Zurich Insurance c.£2.3 million for failing to have adequate systems and controls in place, resulting in the loss of over 46,000 customers' personal details.

Page 7


Consequences continued: apart from the regulators

• Significant costs in senior management time.
• Mitigation costs can be very significant (e.g. investigations and root cause analysis; helpline for affected data subjects; legal, PR and IT professionals’ fees; restoration of data).
• Reputation and trust damaged.
• Loss of business.

Page 8


Data breach crisis – four key stages

• Stage 1: Contain breach, initial assessment
• Stage 2: Evaluate seriousness/risk level/potential prejudice the breach represents
• Stage 3: Consider notifications, and implement if appropriate; mitigate risk to data subjects
• Stage 4: Remedial steps taken to prevent future breaches

Page 9


Data breach timeline* (diagram)

Day 0: Breach discovered.

Breach Day + [75?]: Commissioner/regulators deliver final opinion/sanctions; remedial work continues; rights enforced, etc.

* Timings are approximate only

Page 10


Timeline: Breach Day, +1

Day of Breach (Breach Day, BD)

am:

• In-house compliance, legal and IT functions all notified
• Customer services notified by customer of breach
• IT takes immediate action to secure the data – note decision on forensics required

pm:

• Initial estimate suggests that data relating to over [X] data subjects have been released.
• In-house legal/compliance contacts external counsel
• Preliminary assessment begins

BD +1

• External legal advisers appointed
• External IT security specialists instructed
• External PR and Communications advisors instructed
• Insurance

Page 11


Key preliminary issues to consider

• Insurance
– Are you covered? Look at liability insurance policies: civil liability insurance, directors and officers liability insurance, pension trustee liability insurance, or specific data breach/cyber risks insurance.
– What is covered? Mitigation costs could be substantial for a significant data breach; also defence costs, investigation costs, PR costs.
– Practical steps: notify insurer; do not incur claim-related costs without consent; do not prejudice insurer’s rights, admit liability or settle the claim.

• Forensics
– Initial breach containment and investigation steps can delete/degrade the forensic record.
– If securing evidence around the breach is important (e.g. suspicion of data theft, need to identify individuals responsible/involved, need for evidence of failures by third party suppliers/processors), then an immediate decision needs to be taken as to whether forensic imaging should be conducted.

Page 12


Mitigation step plan

• Response Team to agree and implement the Mitigation Step Plan:
– Ensure breach is contained.
– Initial assessment of risk and damage.
– Assessment of regulator notification obligations.
– Initial notifications to be made.
– Further investigation to understand fully the extent, causes and implications of the breach.
– Assessment of whether to notify data subjects; and if so, how?
– Implement subject notification, putting in place systems to manage data subject response, and relevant assistance to subjects, such as credit check services.

Page 13


Notifications: DIFC Commissioner of Data Protection

• Article 16(4), DIFC Data Protection Law:

“In the event of an unauthorised intrusion, either physical, electronic or otherwise, to any Personal Data database, the Data Controller or the Data Processor carrying out the Data Controller’s function at the time of the intrusion, shall inform the Commissioner of Data Protection of the incident as soon as reasonably practicable.”

• Other breaches resulting in loss, breach or compromise of personal data – no legal obligation in DIFC law to report, but the Commissioner recommends notification depending on detriment to data subjects.

• Key factors to consider for the notifying party:
– Harm to data subjects (including emotional distress, physical/financial damage)
– Volume of data
– Sensitivity of data
– What view will the Commissioner take if not notified at the outset?

Page 14


Notifications: DIFC Commissioner of Data Protection

• What if a breach is reported to the Commissioner?
– Commissioner considers: (i) nature of breach; (ii) seriousness of the breach; and (iii) adequacy of any remedial action, before determining the appropriate course of action.

• Possible courses of action:
– record the breach and take no further action; or
– investigate the circumstances of the breach and any remedial action, which could lead to: (i) no further action; (ii) requirement for data controller to undertake a course of action to prevent future breaches; or (iii) formal enforcement action turning such requirement into a legal obligation.

Page 15


Notifications: DFSA

• Need to consider other relevant notifications, for example:
– DFSA – DFSA Rulebook – GEN 11.10: Notifications

An Authorised Person must advise the DFSA immediately if it becomes aware, or has reasonable grounds to believe, that any of the following matters may have occurred or may be about to occur:
– any matter which could have a significant adverse effect on the Authorised Person’s reputation
– a breach by the Authorised Person or any of its Employees of any requirement imposed by any applicable law
– any significant failure in the Authorised Person’s systems or controls, including a failure reported to the Authorised Person by the firm’s auditor

Page 16


Notifications: other bodies

• Police – if a criminal offence is suspected
• International bodies/regulators – if the firm is regulated elsewhere or the breach relates to overseas data subjects
• Banks, credit card companies, credit reference agencies – if it would help to prevent fraud

Page 17


Notifications: to data subjects

• In the UAE, no mandatory notification obligations
– Consider potential prejudice to the data subject.
– Would notifying data subjects mitigate the risks to the data subject caused by the breach?
– UK FSA provides useful guidance about when individuals should be notified of security breaches involving financial information – ‘April 2008 Data Security in Financial Services’:

“When customer data is lost, consumers that are affected have a right to know the enhanced personal risk they face so they can take adequate precautions. Even if there is no evidence of theft or fraud, it is good practice for firms to inform affected customers of a data loss in writing, unless the data is encrypted or there is law enforcement or regulatory advice to the contrary. Firms should consider telling affected consumers exactly what data has been lost, give them an assessment of the risk and give advice and assistance to consumers at a heightened risk of identity fraud.”

• Notification: non-alarming; under control; practical steps to mitigate risk (notify banks/other relevant entities); a number to contact for enquiries (get ready for the enquiries); will you offer compensation?

Page 18


Timeline: Week 1 (BD + 2 to 8)

BD + 2 to 4

• PR plan formulated and draft statement prepared.
• IT security specialists verify that all data is now secure and check all systems for ongoing security.
• Preliminary risk assessment completed.
• Assessment made as to whether data subjects should be notified, and how to notify.

BD + 5 to 6

• Source of the leak is notified, reservation of rights.
• Team assesses how data subjects will be handled (helplines; points of contact; assistance required – credit check services, for example).
• Team prepares first draft notification letter to be sent to affected data subjects. Insurer given notice and opportunity to comment.

BD + 7

• Regulator acknowledges firm’s self-reported breach.
• A potential new third party service provider is identified and IT specialists perform due diligence.

BD + 8

• Results of initial investigation are made available and confirm the total amount of data released and other basic facts.
• Commissioner and other applicable regulators updated.
• Insurers updated.

Page 19


Timeline: Week 2 (BD + 9 to 15)

BD + 9

• Credit check provider appointed, contract agreed.
• Helpline provider appointed, contracts agreed.
• Internal resources including IT services to handle subject contact set up.
• Helpline operatives briefed by PR team.
• Internal helpline staff briefed.
• Subject notification letters finalised.
• Internal processes of logging calls/complaints and actioning requests formulated and agreed.

Milestones during the week (diagram callouts):

• Data subject notifications dispatched.
• Updated report sent to Commissioner.
• Company stress tests helpline/other services in advance of notification.
• Intense period begins handling data subjects’ queries/complaints.

Page 20


Timeline: Weeks 3 and 4 (BD + 16 to 29)

Full root and branch investigation commenced, to include reporting on details of breach, IT/forensic record, how breach occurred, security measures in place, shortcomings and weaknesses. Recommendations for remedial measures.

Commissioner sends initial comments on breach seeking further information.

Page 21


Timeline: Week 4+

Breach Day +40

• Full response provided to Commissioner: full explanation of breach and mitigation steps taken, details of any subjects suffering harm, details of complaints received, etc.
• Implementation of corrective measures.

Commissioner issues decision, including fines, sanctions, undertakings, corrective steps required, etc.

• Company implements decision.
• Improve data security processes and otherwise continue implementation of corrective measures.
• Seek redress against third parties in breach of contract, etc.

Page 22


Investigating and reporting

• Communication channels need to be controlled.

• Investigation and reporting will be done by various professionals.

• Consider at all times the issue of legal advice privilege, and the extent that it can reasonably attach to work product.

• Clear separation between IT technical investigation/reporting and any form of legal risk analysis, or even comment on breach of law/regulation.

Page 23


Not ‘if’ but ‘when’ and ‘how bad’: breach readiness

• Part 1: prevention is better than cure…
– IT security audit – are you up to date with all appropriate security measures?
– Physical security audit.
– Audit data processors/service providers to ensure:
– security measures are appropriate;
– contractual terms (including data protection clauses) appropriate.
– Employees properly trained (and screened).
– Policies and procedures up to date and appropriate.

Page 24


Not ‘if’ but ‘when’ and ‘how bad’: breach readiness

• Part 2: rapid response/crisis readiness
– Data breach crisis management team (internal and external) pre-appointed and trained.

– Develop a breach response plan, including emergency numbers for team etc.

– Have a pre-agreed position on when forensic investigation will be used.

– Insurance: consider whether you have coverage; whether you need coverage; what the specific coverage is; how it impacts response.

– Understand what your organisation can cope with itself, what needs to be outsourced, and who you will outsource to.

Page 26


Disclaimer

Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP, each of which is a separate legal entity, are members (“the Norton Rose Fulbright members”) of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the activities of the Norton Rose Fulbright members but does not itself provide legal services to clients.

References to “Norton Rose Fulbright”, “the law firm”, and “legal practice” are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together “Norton Rose Fulbright entity/entities”). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a “partner”) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity.

The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright.