One of the first things companies ask when they get hacked is: “Can we keep it a secret?”
No business wants the consequences of a big, embarrassing data breach going public: the reporters camped out in front of the building; the humiliating television apology by the chief executive; the angry customer posts on social media; and the share price in free fall.
When we wrote the FT Cyber Attack Survival Guide in 2016, looking at what companies can expect after an incident, this was a recurring theme: most companies want to keep things discreet. The unhappy experiences of companies such as TalkTalk, Target, Carphone Warehouse, Sony Pictures and others have served as a warning not to go public unless you are forced to.
“In many of the incidents I deal with, customers are so aware of the power of social media,” says Raf Sanchez, international breach response manager at Beazley, the insurance company. “They fear the tweetstorm and so there is a great reluctance to go public about a breach.”
Secrecy will no longer be an option after May 25, however, when the new EU general data protection regulation comes into force.
Companies will have 72 hours to notify the data regulators that an attack has taken place. Once they do, the company will have far less control over whether the information gets into the public domain or not. “All it takes is one question from a journalist and it will be public,” says Mr Sanchez, who helps companies to co-ordinate the forensic and legal work needed after an attack.
In most US states, companies are already obliged to notify customers about data breaches, especially when these are likely to cause financial harm. EU rules are written more broadly, however, and any breach likely to risk the “rights and freedoms” of individuals must be notified.
Exactly how that is interpreted remains to be seen, but 2016’s data breach at the UK’s Greenwich university, for example, when a database containing details about students’ mental health and family problems was accidentally made public, would probably fall into the “disclosure” camp.
Three days is not a lot of time for companies to weigh up the decision, points out Stephen Bailey, head of privacy and cyber consulting at NCC Group, a cyber security company.
“It can take a lot of time to discover exactly what happened. You might see an excerpt of something that looks like your data on [a hacker site] but you might not know what data it is exactly and where they got it from,” he says.
When the rules come, many companies will err on the side of notifying, just to be “cautious”, predicts Helen Bourne, head of the UK cyber team at law firm Clyde & Co. This leads to a second crucial question: will data protection officials be able to handle the onslaught of notifications? Will that make the process of dealing with the data breach even longer for companies?
In the UK, the Information Commissioner’s Office has been working hard to hire more staff in preparation for GDPR. So far it has been able to add only the equivalent of 65 full-time staff to the 430 already working for it, but it is planning to recruit at least another 166 by 2019. The ICO says it hopes to deal with many cases in “days or weeks” but there is no set limit to how long it will take.
Data breach experts are pessimistic. “The longest I have spent dealing with regulators over an incident is six months,” says Mr Sanchez. “And that was pre-GDPR.”
To prepare for GDPR, cyber security experts say companies must do some drastic data housekeeping. “Find out what data you are collecting and where it is stored,” says Mr Bailey. Get rid of any personal data that you no longer need. If there are customers on the database the company has not had any meaningful interaction with for years, he says, it is time to delete those records.
“I am always amazed when we work with companies how much unnecessary duplication of data there is — for example, a divisional human resources department might collect data on new employees and send it to head office, but also keep its own copy of the information when it doesn’t need to,” he says. These are the kinds of records that need to be purged.
It is not the fear of being fined up to 4 per cent of global turnover that should spur companies into action. In most cases the fine is just the tip of the iceberg; the cost of remediation, everything from hiring forensic investigators to paying for credit monitoring for customers, is much higher. TalkTalk incurred £42m in exceptional costs related to the 2015 cyber attack, not including loss of business. That was for a breach involving just 157,000 customers. Keeping databases small and relevant has never been more crucial.
Add to that potential lawsuits and civil claims by consumer groups empowered by the new laws. Companies will need to set aside funds to deal with the legal ramifications of incidents, says Mr Sanchez. “The worst-case scenario is that this could be the next PPI [payment protection insurance] scandal,” he says.