CYBERSECURITY SERIES: RECEIVING A BREACH NOTIFICATION FROM A SUPPLIER - COMMUNICATING WITH CUSTOMERS
Even if you determine that you don’t have to tell your customers about a data breach, you may still wish to do so for practical/relational/reputational reasons.
Under the various laws mentioned above, regulators can in some circumstances compel businesses to notify the relevant individuals of the breach, and/or can make such notifications themselves – which may be to the public at large. Regulators may also have to inform other regulators and relevant bodies in the UK and EU about the breach. It’s worth bearing in mind that once a business makes a notification to a relevant regulator, the business may lose control over disclosure of the breach – whether to customers or the wider public.
However, where the breach was caused by a criminal act or malicious actor, the relevant regulators or law enforcement authorities may direct you not to disclose the breach if this would hamper any investigation into the incident.
FAILSAFES, RESILIENCE AND REDUNDANCY
One of the most difficult parts of this type of breach is that, having outsourced the responsibility for a dataset, the business struggles to regain control of its assets. The question of who controls the way a business can react should always form part of the decision to digitise, automate or outsource processes. There are other decisions that businesses can make to reduce the impact third-party cyber breaches have on both continuity and their bottom line:
Do we have our own copies of the data our suppliers held, so that we can move to a new solution with limited delays?
The strain that a supplier will be under once they have sustained a breach means that responses to this type of request are likely to be delayed. Access to a slightly older, but immediately available, dataset may have a high impact on business continuity during the supplier’s investigation.
Can we limit the dependency we have on a specific technology or supplier?
Technology makes it easier to link together different services and the rise of the data economy incentivises technology providers to cross-sell their services, interlinking processes through one platform and allowing them to collect a more complete profile of their customers.
These types of technology make things easier for businesses, automating integration processes and reducing the amount of expert technical support required to implement certain types of solution. However, the complexity of business IT use, and the number and variety of suppliers in the chain who can influence the security of these decisions, make it increasingly important to know what we’re dependent on.
This may be as simple as identifying a single point of failure – the one database that all of the business’s systems need to query before they will work. It could be a number of services all being underpinned by the same software or provider – Microsoft 365 and Salesforce are prime examples of this – so that a vulnerability in that system could impact multiple critical services. Whatever a system looks like, it’s worth attempting to understand what the impact of removing any of the building blocks would be, and developing a contingency plan where appropriate.
Is it worth having multiple ways of achieving the same process?
We all know somebody who has had the misfortune of being halfway through their weekly shop when a supermarket suffers a major IT glitch. Everything stops. It doesn’t matter if you only want one item, know the price and have the exact change... if the tills won’t work then the store closes. It doesn’t matter how well store management communicates if they don’t have an alternative solution. The corner shop that manages to stay open during a power cut, using a notepad, mental arithmetic and a second member of staff checking prices on the shelves, writes itself a good PR story.
Manual processes are onerous: they cost far more money to run and are usually not sustainable. It may be that during a breach all employees need to be available to answer the phone and field customer questions. However, there may be some services offered to customers that are worth maintaining by reinstating a manual process.
Contractually, there are the following opportunities to reduce the impact of this type of breach:
Make sure that contracts with your suppliers include obligations on the supplier to inform you of any known or suspected data breaches that affect the data they hold and process for you as soon as they become aware of it – and no later than (say) 24 hours. Suppliers acting as ‘processors’ already have a direct obligation under Art 33 to notify you of a breach ‘without undue delay’, but it’s worth expanding on this in the contract. To ensure the notification reaches the right place within your business, include a dedicated breach notification email address, and consider including template breach notification forms within the contract to ensure that the required information about the breach is obtained from the supplier – including details of a supplier contact who you can talk to about the breach. Under the GDPR, if your supplier is a processor, your contract with the supplier will have to include the processing terms set out in Art 28. These already include obligations to assist the controller with its own breach reporting obligations, but it’s worth fleshing these out in the contract and tailoring them to be suitable to your business’s needs. Make sure the supplier’s obligations to notify you of any breach, and to assist you to comply with your own breach reporting obligations, are not dependent on you paying the supplier’s costs of assistance.
Plan for it… Know what breach notification obligations your business is subject to and what the notification deadlines are. Put in place a data breach response plan setting out how your business will respond to a breach notification: the responsibilities of relevant individuals and teams within your business, lines of communication and decision-making, and steps that can be taken in the immediate aftermath to prevent/reduce the damage caused by a breach. It’s a good idea to test the plan by having ‘drills’, to discover any shortcomings in the plan when put into practice, so that your business is as well-prepared as possible for when/if a data breach occurs.
Often, when a breach occurs at a supplier, it was not only unavoidable by the business, but happened in an IT system over which the business has no control.
The dependencies in this type of scenario make an already-impossible situation even harder. As with any other cyber risk, some of the biggest wins can be made by thinking ahead, knowing what the issues are likely to be and implementing measures that ensure the business can fail gracefully.
In other circumstances, businesses may have to be confident enough to act with insufficient information and a high risk that they will lose customers.
Knowing what to do, acting fast and communicating well remain the best way to survive a breach.
ABOUT OUR CYBERSECURITY SERIES
Clayden Law has teamed up with technical expert Emma Osborn, and over the next few months we will provide some back-to-basics analysis of the technical, legal and data protection issues surrounding cybersecurity, aimed at organisations’ non-technical decision-makers. Together, we’ll be highlighting key cybersecurity and data privacy fundamentals and looking at the interplay between law and practice in this area.
Please be aware that these notes have been compiled for general guidance only and should not be considered as specific legal or technical advice.
Piers Clayden, firstname.lastname@example.org
Solicitor & Director, ClaydenLaw
© ClaydenLaw 2018