A major data breach is every organisation's worst nightmare. Customers have to be assured that their personal details are safe, sensitive information related to a transaction or the company’s Intellectual Property (IP) is protected. Regulators might have to be informed and often substantial fines paid. Often business relationships may need to be rebuilt if the data leak is embarrassing or sensitive. In the worst cases, the reputational damage and financial loss can be significant. While data leaks can happen to any business, having an effective information governance strategy in place, can help limit the frequency and scope of data breaches. Moreover, if a breach does occur, a robust response plan can help to mitigate the effects of even the most serious incidents. 

Damage limitation

Data leakages arise in a variety of ways. Breaches may happen through cyber-hacking or entering the IT systems leading to the theft of big amount of data, such as customer listings, customers personal information. The theft can also be targeted to specific sensitive information in the case of an M&A transaction where stakeholders may use the stolen information to their benefit.  The loss of information can also be caused by the careless disposal of IT equipment or the loss of portable data devices such as USB sticks or mobile phones. In any case, consequences are not to be neglected.

The precise details of a response plan will depend on the nature of the data breach, but almost all scenarios have number of key response factors in common. The crucial point is to indeed have a response plan that can be referred to as a ‘crisis management plan’; a data breach or theft is indeed a crisis for the corporation or can be if the incident is not well handled. 

Firstly, the speed of response to the leak or theft is critical. The source needs to be identified and ‘neutralised’ as quickly as possible to limit the damage. The evidence that may allow the identification of the source(s) needs to be secured right away.  The nature and potential use of the leaked data needs to be ascertained, so that the company can take appropriate actions such as inform regulators where necessary and be otherwise ready to respond to the misuse of that data, i.e. informing clients or business partners.

Secondly, evidence, once gathered and secured need to be analysed in order to investigate who was responsible for the breach (external and/or internal sources) and eventually why, both to prevent a recurrence, prepare an appropriate response and to support or prepare for any criminal proceedings or civil litigation that may follow. Timing and expertise are of the essence here. It is therefore critical to have a response plan in place as well as a crisis team ready to be deployed when such event occur.

These tasks are often complex and will require a multidisciplinary approach. The services of a range of professionals, both internal employees and external consultants could be required. The relevant expertise will be brought in to supplement the core crisis management team. These experts may differ for example if it is a cyber attack that lead to the loss of data or a very limited specific theft of one key piece of information, or a M&A deal or hostile take-over. 

External experts are usually not a luxury option. They will supplement the internal resources in specific areas that are crucial and will be able to use their “crisis management” expertise to assist the company to respond timely and adequately. It may include senior investigators, forensic IT specialists, lawyers, cyber experts, security consultants and reputation management professionals to name but a few, each with their own priorities and expertise. 

To ensure that all parties involved in an information leakage investigation are pulling in the same direction, a clear division of responsibility needs to be established, ideally in form of policies even before the event, so that the response plan can spring into action when a data breach is discovered. In particular, a named individual needs to be identified in advance to take responsibility for co-ordinating the company's crisis management plan. 

The key internal and external professionals should also be identified and evaluated before the event to ensure that no time efficient sourcing of the right individuals. If the corporation has identified those experts before anything happened and these are part of the response plan, then they can be deployed right away without time lost in identifying the best providers, negotiating scopes and fees. 

It is essential that the company has its data management protocols in order. Data protection and employee issues can have a debilitating effect on a response if they are not well-managed before the event. Some jurisdictions, most notably in continental Europe, have strict laws preventing employers from using their employees' personal data, even where that data is held on company-owned devices and servers. Meanwhile, other countries, such as China have stringent criminal laws that prevent data from being moved outside of their jurisdiction with severe penalties for breach.

The careful design of a company's data architecture and regular data mapping are crucial steps in preventing severe access problems in an emergency. Likewise, clear company policies on the status of personal information on company systems and, where possible, insisting on employee waivers over their data protection rights at work can also ameliorate this potential barrier in some jurisdictions.

Despite the importance of being prepared for a data breach, a surprising number of companies are unprepared for such an eventuality. In a global of 300 companies undertaken by Controls Risks in conjunction with the Economist Intelligence Unit last year, a third (33 per cent) of companies admitted that they did not have a proper response plan and adequate prevention and investigation procedures in place to deal with major data breaches or criminal activity.

Prevention measures

A response or crisis management plan is necessary, but assessment of the risks and prevention measures are as important. Given the importance of information technology for most organisations today, the likelihood of a business to be affected by a data leak is very high. However, there are a number of steps that organisations can take to head off many potential data breaches and to limit the impact of those that do occur.

The growth of BYOD (Bring-Your-Own-Device) on corporate networks significantly increases the risk of data ending up where it should not. The usage of employee owned devices needs to be strictly managed and policed and malware being introduced to company systems. Restricting the use of removable devices such as USB keys and portable hard drives enables companies more efficiently to monitor where their data is stored and reduces the risk of unauthorised sharing of or access to that data. A further important preventative measure is to limit access to key data to a limited range of named people. Not only will this reduce the likelihood of a data leak, it will also assist with identifying the source of a breach if one occurs. 

Finally, training and awareness-raising amongst staff, and at every level, on how to safely handle data will always pay dividends. Your plans, policies and procedures are only as good as the people that implement them and even the best security systems are still vulnerable to human error. Training should be updated and delivered on a regular basis so it becomes natural for all employees to have data protection in mind as a priority. 

About the authors

Stephanie Lhomme is the head of the Business Intelligence and Compliance department for Europe and Africa as well as the Head of the French office of Control Risks. Stephanie has nearly 20 years of professional experience working mostly in financial and risk consulting across the world, with significant international experience in complex M&A transactions, fraud investigations and anti-corruption matters. Stephanie.Lhomme@controlrisks.com 

Ramin Tabatabai is a Senior Consultant for Legal Technologies at Control Risks. Ramin is a subject matter expert in e-discovery software and services with over 10 years’ experience in consulting on and managing a number of large scale e-discovery projects for various law firms. Ramin is also a dual qualified lawyer admitted to the Bar of Cologne, Germany and Roll of Solicitors of England and Wales. Ramin.Tabatabai@controlrisks.com For further information visit http://www.controlrisks.com