Handling a cyber security attack - the right way

In September 2017 Equifax suffered a major cyber security attack, resulting in the personal data of an estimated 143 million people being compromised.

Although it is widely accepted that organisations must prepare for ‘when’ cyber attacks happen, not ‘if’, the way in which Equifax responded demonstrates an apparent lack of response plan, as well as poor compliance in terms of key data protection principles.

The headlines: Response

  • After the attack Equifax set up a website where people could go to see whether they had been included in the attack. However, they could only use this if they waived any right to sue Equifax.

  • They did eventually remove this waiver but those customers requesting that Equifax freeze credit checks were asked, first, to pay.

  • Equifax directors were also found to have sold shares after the breach was discovered but before it was made public. Whilst the company denies insider trading this is cause for concern. Either there was insider trading and the directors knew about the breach or the company did not have an appropriate mitigation and disaster recovery plan (which should have stated that decision-makers need to know about breaches without delay and which should have included instructions relating to share dealing).

The headlines: Data

  • While most of the customers affected were thought to be Americans, it is estimated that the data of more than 44 million British consumers was also feared stolen.

  • With organisations such as BT, Capital One and British Gas using Equifax in Britain, the personal data of their customers and customers of hundreds of other British companies, using the services of Equifax to carry out credit checking, could have been involved.

  • Whilst many of those in the UK would not have know that their data was being transferred to the US for processing this is an area that will, likely, be scrutinised by investigating parties.  The transfer of data, in this way, may have been legitimate but by transferring it to a location outside of the EU, and processing it there, there may be penalties to pay if Equifax is found to have failed to legitimise the transfer and processing of personal data of EU citizens in a country not seen as providing adequate safeguards for the protection of that personal data.

  • Equifax is also likely to face personal claims from customers, as individual data subjects, in relation to this transfer. This is particularly relevant for customers of EU-based service providers like BT, British Gas and Capital One, with whom those customers (ie. data subjects) have contracts.

It seems likely that the coming months will see a flurry of legal and regulatory investigations into this attack, and the circumstances surrounding it. There are questions to be answered concerning Equifax’s lack of plan, failure to execute recovery measures smoothly, failure to mitigate further damage and is lack of transparency in transferring and processing the personal data of millions of EU customers to and in the US. This could be costly, not just to Equifax but to its customers, over a long period of time.

Six steps to getting it right

Whilst the exact nature of the way in which an organisation prepares for and responds to a cyber attack will vary, there are six key stages to consider:

  1. Prevention is better than cure - putting systems in place to protect data (and prevent attack where possible) will always be best.

  2. Keep it clean - once you’ve put the systems in place they should be regularly maintained to keep them up to date.

  3. Failing to plan is planning to fail - you can’t rely on 1 and 2. Every organisation should have policies and procedures in place to set out best practice - both for handling and accessing data.

  4. Keep on planning - you can’t even rely on only 1, 2 and 3. You also need a plan for what you’re going to do should a breach happen. This needs to include making an informed assessment of whether notification of the breach to data controllers and/or regulators and data subjects is required, communicating with regulators and data subjects, as well as the technological solutions you will use to recover lost data and re-secure storage and processing systems.

  5. A dummy run - as with all things you shouldn’t wait until things go wrong to test the plan out. Training and run-throughs are an important part of your preparation. Similarly, reviewing the plan, after a breach, is also important if you’re to stay on top of this.

Phone a friend - finally, there is no substitute for getting up-to-date, expert advice and support in this field. This might include legal advice, such as the work we do on setting out policies, contracts and plans, or specific insurance against a breach.