Investigating security breaches and managing contracts with third parties

September 2013

You receive a call from your IT team; someone has noticed odd access patterns to one of your key databases containing key confidential information, some of which belongs to third parties who you contract with.  Some more checking and analysis takes place and within a few hours, you know with reasonable certainty that someone has been and still is, accessing your and your business partners' confidential data.

At this stage, you probably have some information but in terms of the total information available about the problem, at this point in time, you probably don't know that much.  It is important to work quickly with IT, the commercial teams who work with the data in question and senior management to understand as much as you can in the next 12/24 hours so that you can decide what to do next.  This might appear obvious – surely just cut off the access to your data?  This route 'solves' the immediate problem, and may in some cases be the correct approach.  However, it means risking severely limiting the amount of information that you can obtain about the breach.  In turn, this limits the information you have available to work out the identity of and, if appropriate, pursue the wrongdoers and to feed information about the problem back into the business to improve security.  Information security is not just about IT security – it encompasses the whole business and all employees.

In those very early hours of working out the scope of the problem, it is also key to review contracts you have with third parties which may give rights to those third parties in relation to data and information security.  For example, it is now common to have an obligation to immediately inform a third party whose data you hold of any data security breaches which impact on that data; failure to do so may be a breach of contract.  This adds another layer of complexity to the problem, as you will often also be dealing with multiple third parties wanting information as quickly as possible about where 'their' data has gone, and how you could have 'let' this happen.  Those third parties in turn may have regulatory reporting requirements which drive their agenda.  It is very important to understand the contractual obligations and risks at the start so that a co-ordinated response process for dealing with contract partners is agreed and followed.  This will be a combination of strictly complying with contractual obligations while keeping control of and managing the problem and taking the best commercial course of action for the business.

At the same time, you will need to be considering your reporting obligations to any relevant regulators.  This will almost certainly include the Information Commissioner's Office (ICO) and, if you are regulated by them, the Financial Conduct Authority (FCA).  For the ICO, the obligation is to report a serious breach of the seventh data protection principle and you will need to consider the potential detriment to individuals, the volume of data affected and the sensitivity of the data in question.  For the FCA, you will need to consider whether the breach indicates systems and controls failures that you reasonably consider the FCA would want to be aware of.  It is important to always have one eye on what the relevant regulators would expect you to have done in relation to a breach and to engage constructively with the regulator(s) on an ongoing basis.  This will mean that there are no surprises for the regulator and reduces the risk of criticism of steps taken in the aftermath of a breach.

If the decision is taken to be pro-active rather than reactive in terms of those responsible for accessing your data, then there are legal tools available to substantially strengthen your position.  For example, we have often used civil search and seizure orders to preserve evidence from the 'first wrongdoer', i.e. the individual(s) who are directly accessing your data.  This should provide information about precisely how they were extracting the data, and to whom they were supplying or selling it.  Any decision to obtain a civil search order should be taken in conjunction with the appropriate regulators but, in our experience, as a civil search order can be obtained much more quickly than a regulator would normally obtain a criminal search order, regulators have been happy for us to proceed.

In obtaining a civil search order, the applicant must also undertake to issue a claim as soon as practicable.  One outcome of this is that documents and information obtained pursuant to the search order will be obtained in the course of litigation and will be subject to the obligation not to use information/documents obtained in proceedings for any purpose other than those proceedings.  This can limit your ability to provide information or disclose documents to third parties including commercial partners.  Depending on the circumstances, this may be a benefit or a hindrance.

One outcome we have consistently seen from preserving evidence via a search order is that the business obtains significantly more information about the security breach than would otherwise have been the case.  This means that the lessons learnt and improvements that can be made to your systems and controls on data security are substantially greater than they otherwise might have been.  This, in turn, helps to reassure regulators that you have taken appropriate steps following the security breach to prevent future problems.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Paul Glass

Paul looks at the steps that should be taken in the immediate aftermath of discovering a data security breach.

"It is important to work quickly with IT, the commercial teams who work with the data in question and senior management in order to decide what to do."