Cyber Breach Responsibility

So, you have woken up to the reality that it is only a matter of time before your organisation will have to handle a Cyber Breach event and asking who should be responsible?

According to a Deloitte’s Cyber Risk report only 27% of the UK’s largest businesses can put their hands up to having a clearly designated team or individual with responsibility for cybersecurity. Then there should be no surprises that the parade of Cyber breaches filling the headlines will decline any time soon.

We are talking specifically about Data Breaches, as a discrete aspect of the wider Cyber Security challenge facing businesses. A personal breach is defined in the EU GDPR (General Data Protection Regulations) as a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.

Whilst Cyber Security is undisputedly a shared responsibility, making sure that an organisation is ready to confront a Cyber Breach is still much debated. The simple answer to the Breach responsibility is this is a Board Level responsibility. It is a fact that any data breach crosses all disciplines, HR, Legal, Compliance, Corporate Communications and IT. Critically a breach will incur unbudgeted financial burden and demand extraordinary rapid executive decision making which can have far reaching ramifications. Burdens that have no place on the shoulders of Divisional Heads, delays in silo’d or decision making by committee can turn a containable event into a headlining share whacking disaster.  Cyber Breach issues are an enterprise wide issue not just IT, despite the fact that some elements can only be enabled or managed through technology, it warrants regular standalone agenda billing attention in board and management meetings as much of the regulation is actually about process and culture.

Unfortunately, the common default we see is for IT to carry the responsibility in the absence of a dedicated board level CIO (Chief Information Officer), CSO (Chief Security Officer) or CISO (Chief Information Security Officer) representative. As we live in such a technology enabled world now the predisposition for any breach to be technology related is high, but not guaranteed. Even with a Board level CIO, CSO or CISO the responsibility is a unilateral Board function as this drives an independence of association from the channel of any breach and places the decision making in the hands of those who can make the sometimes-challenging decisions that breach incidents demand.

A ‘Breach of Duty’ is a recognised act in Law, occurring occurs when one person or company has a duty of care toward another person or company, but fails to live up to that standard.  The normal measures of a breach of duty are:

• Was this a duty of reasonable care an ordinary person would use in the same circumstances, or professional liability?
• Foreseeable risk exposure?
• What alternative measures could have reasonably prevented this?
• Was the burden of using safer alternatives considerably heavier than the risk involved in not using them?

So when it comes to the personal data of citizens or that of valued customer businesses or supply chain partners you can pick any one of the hundreds of breaches that have hit the headlines recently and apply the above measures of duty and find every one wanting to some degree. Worst of all most of the breaches were not voluntarily disclosed, but followed public or media discovery and ultimate shaming of the company in question to make a public statement. The question this leaves hanging is how many breaches have managed to go under the radar, whilst leaving the data subjects exposed and open to extortion or personal injury.

With the new EU GDPR coming into force on the 25th May 2018, it explicitly demands Breach remediation competency under its Article 33. Board directors, that means its LAW and if an organization has not done this by the 25th of May 2018 and it is a qualifying organisation (handling the personal information of EU Citizens) it will be operating illegally.

This will impact not just EU companies that handle EU Citizens data but ANY company that is delivering services into or in the EU. When you consider the definition of EU Citizens Data to include browsing history and ANY digital token, beacon or IP (Internet protocol) address, amongst others, you will realise that this will impact almost all companies doing any form of data capture online. No wonder that Breach Planning suddenly becomes the starting point for many organisation as they open the can of worms that is a GDPR implementation project. The one question that always resonates is ‘where do I start’ as GDPR touches everything, nothing escapes, People, Process and technology up and down the stack. It is more often than not a multi-year program to achieve compliance for any reasonable size organisations and therefore the first thing to tick off is your Breach Response Planning. Why? For the simple reason that if you are not, the likelihood of a breach that would incur a fine is high. The fines under GDPR are eye watering, EURO 20 million or 4% of global turnover, whichever is highest. During your GDPR adoption the best you can do is demonstrate your organisation is taking its data custodial responsibilities seriously to reduce any fine for non-compliance and showing a mature and competent Breach Plan is fundamental. Furthermore, any Breach Plan will help an organisation baseline their GDPR maturity contributing significantly to GDPR compliance program.

For the majority of organisations that fit into the SME (Small Medium Enterprise) class of organisation this will have its own challenges without the dedicated roles to load balance Breach Responsibilities.  The approach is quiet straight forward as I laid out last year in my article ‘Cyber Security & EU GDPR implications for SME’s’. The size of this issue is striking for Small and Medium Enterprises (SMEs) who dominate the international business landscape and constitute the backbone of global economies. The size of the SME community subsequently reflects on the high volume of data processed by them, much of which is personal data. Now, imagine the current level of risk exposure to the UK according to a quarterly survey that came out in June 2016 by Close Brothers Technology Services. 82% of UK SME owners and senior management in a variety of verticals where found not to have heard of the EU GDPR and of those who had heard 14% said they only knew a bit and did not know what was involved. I would suggest a cover to cover read of the ENISA (European Union Agency for Network and Information Security) ‘Guidelines for SMEs on the security of personal data processing’ published in January 2017, its hot off the presses and up to date, so NO excuses.

So if an organisation cannot comply, there are no excuses, they risk exposure to negligence in their management approach at best and a collapse of their business at worst. An example of such negligence is the recent Sports Direct breach fiasco, as if organisations have not had enough examples to prove that they cannot hide these incidents anymore. In this case Sports Direct had its personnel management database breached as a result of an unpatched piece of software. The breach took place in the second half of 2016 and staff are only just learning their data was breached through the media this month. Such a failure to be able to notify and warn impacted data subjects (employees are data subjects) would be a blatant show of negligence and without doubt incur a significant fine with little sympathy from the regional supervisory authority. In the UK that is our Information Commissioners Office (ICO).

As for the prospect of breaches dissipating as discipline improves, the 2016 Ponemom Institute survey ‘Cost of Data Breach Study: Global Analysis’ shows a doubling of data breaches between 2014 and 2015. The cost has only slightly increased on a per record basis to approximately £150. Whilst the latter point may be read as good news the main conclusions of this study suggest that it is a permanent cost organizations need to be prepared to deal with and incorporate in their data protection strategies. Data breach readiness is not an option it is mandatory linked to a Business Continuity Plan. A measure clearly related to Article 32 of the EU GDPR, which mandates the ability (for the controller/processor) ‘to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident’.

So, the question all board members should be asking of their organisations – ‘Are we Cyber Breach resilient?’ If not, then you know you have a priority as a duty of care to your data subjects and shareholders to get your house in order or I predict the outcome of your own performance risk impact in this context will indicate a high-risk probability of redundancy if not organisational bankruptcy!