Get a move on: Acting quickly following a data breach

The UK's MOVEit data breach is yet another reminder of the importance of knowing the relevant privacy regulations and having well-oiled response systems for dealing with cyber incidents.

Another day, another major cyber incident.

The news that the so-called 'MOVEit' data breach had compromised sensitive information held by household names like airline operator British Airways and retailer Boots, with more victims likely to be revealed, put the wind up many heads of Risk and IT around the UK.

As with any hacking incident, the full facts can take time to unravel, but initial reports concerning the MOVEit breach suggest that a critical file transfer software vulnerability affecting privileges and access has been exploited, potentially affecting the customer supply chain.  

Patches, security updates and reviews of user accounts are recommended for any MOVEit Transfer customers.

Major data hacks of this nature require critical decisions to be made in a very short space of time, sometimes within 72 hours of becoming aware of an incident.

These decisions always take longer to authorise than many people think, so a well-tested process for dealing with incidents helps ensure processes are followed as quickly and smoothly as possible.

The authorisation process might involve external legal, forensic and security experts, law enforcement agencies, the head of any department impacted, HR, IT, Risk, the DPO and the organisation's board.

This can involve communications at antisocial hours and long days of intense concentration. The facts of the incident can change quickly and significantly as any investigation into the incident continues.

Outside normal working hours, small but critical things can be missed or become confused and delayed, when decisions are extremely important and time-sensitive.

As well as dealing with the security issues and any demands from the hacker, any organisation involved has to decide if a personal data breach has occurred, and if a report to regulators needs to be made.

For a report in the UK, this requires compliance with the UK GDPR and the Network and Information Systems Regulations (NIS), and the Information Commissioner's Office (ICO) requirements about the tests for the reporting thresholds. Other relevant sector regulators can also be involved.

If a database of international data subjects is involved, this could involve multiple reports in the UK and elsewhere around the world, with different requirements, deadlines and time zones.

For example, different forms can be needed in other jurisdictions with different information, sometimes in the local language, with varying requirements about lodging the report.

There can be varying timescales and with global time zones, this can make managing the obligations challenging.

In a hacking situation involving personal data, a business must report a breach in the UK to the ICO, unless there is unlikely to be a risk to the individuals involved.

It may also have to tell the individuals affected so that they can take steps to protect themselves. Crime and cyber security agencies may also need to be notified and engaged. If NIS applies, there are detailed requirements to be assessed about when to report and to which regulator.

The regulators may have follow up questions about the incident and the firm's wider privacy compliance that the firm should be ready to deal with in a consistent and logical way to avoid fines and enforcement action.

This article was authored by Sarah Tedstone, Privacy Partner at Fieldfisher.