Cybersecurity Series: Receiving a breach notification from a supplier - Obtaining information
Having a cyber breach is most organisations’ worst nightmare. It’s considered the number 1 risk in the US, with UK businesses typically listing it in their top two. What’s becoming more apparent is the level of control our suppliers have on our ability to stay secure. In the GDPR the role of the ‘processor’ vis-à-vis data security and breaches has evolved to meet this new demand, increasing their responsibilities and the associated risk of making a mistake.
However, changes in rules don’t make it any easier for an organisation when their suppliers have the power to make them live the hardest day of their careers, by beginning a phone call with “we’re really sorry, we’ve detected that your data has been breached.”
And with 2018 seeing the introduction of new breach reporting obligations in the UK under the GDPR, Data Protection Act 2018 and Network and Information Systems Regulations, in addition to those already in place under the Privacy and Electronic Communications Regulations, the eIDAS Regulations and other laws, the organisation receiving that call might have just 72 or even 24 hours from hearing the bad news to (a) determine whether they need to notify the breach to any regulators and affected persons under those laws and (b) make any necessary notifications. Depending on the organisation’s sector/business, it might have to report the breach under several laws. It might also have contractual obligations to notify the breach, e.g. under its business customer contracts and insurance policies.
Big organisations can lose hundreds of millions as a result of a breach. Smaller businesses often don’t have the financial resilience to weather a breach – a high proportion of SMEs that experience a breach fail within 12 months.
While the press and, to a lesser extent, the Information Commissioner’s Office offer consumers advice on what they need to do when a big breach is publicised, there are very few people talking about how a business should act when its data has been breached. Whether the business is concerned due to its role as a data controller, as a service provider subject to sector-specific breach notification rules or is attempting to protect the business’ confidential information, this scenario compounds the problem of a data breach.
So what happens when a business receives notice from a supplier that its data has been breached, the clock starts ticking for the business to comply with its own breach notification obligations, but what if both the breached data and the information about the breach is controlled by a supplier?
Any organisation that becomes aware of a data breach will need to obtain as much information as it can about the breach so that it can:
determine whether it has to notify the breach to any regulators and/or affected organisations or individuals, whether under law or contract
if it does have to make any notifications, include specific information about the breach in the notification, as required by the laws/contracts
work out what (if anything) it can do to mitigate the effects of the breach
One of the most frustrating things about a breach is the availability of information – can you find out enough from a supplier to be able to make necessary decisions and comply with your own obligations under law/contract in relation to the breach?
It’s easy to assume that the supplier is failing to communicate with you because they’re incompetent – they have, after all, just had a breach – but the reality may be very different. Breaches are challenging to investigate. In a large distributed IT system there may be terabytes of data hiding the information investigators are looking for. In smaller businesses with much simpler IT systems the information needed to trace a breach may not have been collected at all.
What they should be able to tell you at the time that they are notifying you is what the worst case scenario could be.
The obvious worst case scenario is that all of the data they held for you (some of which you didn’t realise they had collected) has been untraceably leaked to a malicious actor, who can now make unlimited copies and sell that information on the dark web. Even at an early stage, the supplier may be able to refine this description: the attackers may have only stolen encrypted or partially hashed data, reducing their ability to make use of that information; your data may have been housed across multiple servers or databases, so that only part of your data has been stolen; the attack may have been something like ransomware, meaning that you and the supplier no longer have access to the data, but, importantly, the attackers don’t have the data either, meaning that there has been no breach in confidentiality.
As investigations progress the number of customers estimated to have lost their data often typically reduces, as the investigators track how the attackers have moved around the system and what they actually had access to. However, this more detailed understanding of a breach can take weeks or months to produce.
Customers will therefore have to make decisions based upon the information available to them within the breach notification windows to which the customer is subject. Waiting for a supplier to fully answer questions may not be practical nor enable the customer to comply with their own breach notification obligations. So customers might find themselves having to notify the breach before they have the full story from their supplier.
ABOUT OUR CYBERSECURITY SERIES
Clayden Law has teamed up with technical expert, Emma Osborn. and over the next few months we will provide some back-to-basics analysis of the technical, legal and data protection issues surrounding cybersecurity, aimed at organisations’ non-technical decision-makers. Together, we’ll be highlighting key cybersecurity and data privacy fundamentals and looking at the interplay between law and practice in this area. For more information, click here.
Please be aware that these notes have been compiled for general guidance only and should not be considered as specific legal or technical advice.
Piers Clayden, firstname.lastname@example.org
Solicitor & Director, ClaydenLaw
© ClaydenLaw 2018