How to limit your liability after a data breach

At the end of last year, the Breach Level Index reported that 4.5 billion records were compromised worldwide in the first half of 2018 (as a result of 945 data breaches). That represents a massive increase of 133% compared with the same period in 2017.


Organisations and businesses are becoming aware of the growing cyber threat and with it the need to protect data. We’re witnessing cybersecurity become the responsibility of a wider group of people rather than just the CISO (Chief Information Security Officer) or an external consultant. Now it might be your Education and Awareness Manager (EAM) or whoever’s responsible for L&D, internal comms, HR, the legal team…

A recent report from Legal Week, in the US, found that almost 50% of general counsel say their role now includes “planning for cyber-security incidents and responding to breaches”. But many organisations are still unsure how to protect themselves or how to limit their liability after a data breach.

Security education and awareness + cultural and behavioural change

Your security program can not only reduce the likelihood of your organisation experiencing a security or privacy incident; it can also mitigate the effects of a breach and reduce the financial exposure and damage it causes. What many people don’t know is that it can also lower the penalty your organisation faces after your data has been compromised – yet another argument for being prepared!

Data breach notification and management

Whether the breach is the result of disaffected staff, careless employees or an external attack, you have to report it. Under GDPR you have to notify the regulator and relevant stakeholders (including those affected) within 72 hours or face a penalty. This gives rise to the need for a notification system that you can put into action immediately.

By the time a breach has happened, it’s too late to be only just starting to think about how to respond to it.

Your organisation’s breach notification process

Here are some questions to take into account whether you’ve got a plan already or you’re just putting one together:

  • Do you have a notification process in place?
  • Have you checked that you can notify everyone within that timeframe?
  • Do you have a crisis response communication planned?
  • Who will do what when?
  • How will you communicate with your various stakeholders?
  • Will you send a press release? What channels will you use to distribute it?
  • Will the CEO/CISO/you make a public statement?
  • Have you developed holding statements and key messages to put out?

Having a robust, proactive set of security controls in place will show that your company takes personal data protection seriously, both under scrutiny from the regulatory body and in the eyes of the public.

If – or should that be when – there’s a data breach, regulatory authorities will take the length of the breach, the strength of your position and your immediate response into account when they calculate your possible fine.

The role of education and awareness in limiting your liability

As part of our workshops, we look at how a regulator would examine your education and awareness efforts to assess whether you had done enough to raise awareness and foster an appropriate culture to mitigate the damage of a breach.

If you’re the person or one of the people who’d be called on to explain to your lawyers how you’ve tried to reduce risky behaviours which could result in a breach, you might want to play a part in the security education and awareness in your organisation too!

You can find out more about our workshops here or feel free to ask us any questions below.
