• HOME
  • Insights
  • Amateurs hack computers. Professionals hack humans
30 08 2017 Insights Cyber and Data Protection

Amateurs hack computers. Professionals hack humans

Cyber Security

5 December, 2016

With the focus of hackers shifting from targeting weaknesses in technology to now targeting humans, the biggest problem with data security breaches for many companies is the lack of a response plan on how to deal with the breach. This Insight Article summarises briefly the current law, a steps plan for responding to a data breach, the legal implications and notification requirements and how the forthcoming General Data Protection Regulation (“GDPR”) will affect this area.

The Current Legislation and Response Plan

The Data Protection Acts 1988 and 2003 (the “DPA”) impose obligations on data controllers under section 2(1)(d) to take “appropriate security measures” to protect the security of their data. A data controller can be fined up to €100,000 by the Data Protection Commissioner for failure to comply with the DPA, however, the disruption that can be caused for a business, coupled with the publicity and brand damage, is often far more of an incentive for companies to prepare for inevitable data breaches.

There are numerous ways to implement appropriate security measures to try and prevent a breach. This may include completing an audit of the company’s data structure and processes, conducting privacy impact assessments, implementing privacy by design to ensure data at every level of your business is protected, employee training and the preparation of a Security Breach Management Plan. In the event of a breach, a company should take the following practical steps:

1. Consult your company’s Security Breach Management Plan.
This should be your company’s ‘go-to’ document in the event of the breach. It should contain a clear plan setting out the initial and immediate processes that should be put in place to secure systems and prevent further damage being caused by the breach.

2. Mobilise the pre-assigned Response Team.
In the same way that a company likely has employee fire marshals in place in the event of fire, a data breach event too should have a pre-designated Response Team. A data breach Response Team that knows their roles and exactly what to do can save vital time at the key initial moments of a data breach.

3. Identify what breach has occurred and take appropriate steps.
Any response should be a full company response so that every part of your enterprise is working in sync. This includes management and employees liaising with the Response Team and the IT team to ensure that key information is passed between all parties so that the breach can be dealt with as quickly and efficiently as possible. Forensics should be initiated where appropriate and the company’s cyber insurance cover should be reviewed.

4. Consider your notification requirements.
The DPA do not specifically set out any legislative requirement to notify the Data Protection Commissioner in the event of a breach. That being said, the Data Protection Commissioner published a guideline, Personal Data Security Breach Code of Practice, on 10 July 2010 which sets out a data controller’s notification obligations. One such obligation is that all incidents in which personal data has been put at risk should be reported to the Data Protection Commissioner as soon as the data controller becomes aware of the incident. There are exceptions however and notification will not be required where:

(a) the full extent and consequences of the incident has been reported without delay directly to the affected data subject(s); and
(b) it affects no more than 100 data subjects; and
(c) it does not include sensitive personal data or personal data of a financial nature.

If there is any doubt however, the Code states that the data controller should report the incident to the Office of the Data Protection Commissioner.

5. Consider the Public Relations implications and your response (if any).
There are currently no requirements under the DPA for data controllers to notify affected data subjects of a breach (only a requirement to notify the Data Protection Commissioner). Every company will have to consider how they deal with informing those affected and/or the general public and the implications this may have.

6. Record all actions taken.
Keeping a record of every part of response to a data breach can result in the gathering of vital information for the business for dealing with future breaches.

7. Review the outcome of the breach and the effectiveness of your response.
After every breach, an assessment should be completed on the effectiveness of the response, where the Response’s Team actions were effective and where improvements can be made.

8. Plan on how such a beach can be avoided in the future.
A detailed review of the breach, the response, and the final assessment and using the information to plan for and guard against future attacks is often the best form of defence to future data breaches.

Forthcoming Legislative Changes

From 25 May 2018, the GDPR will impose greater obligations on data controllers. Not only will data controllers be required to implement “appropriate technical and organisational measures” throughout every part of their system processes, they will also have to be able to demonstrate compliance in this regard.

Stricter obligations around data security will also be accompanied by more onerous notification requirements for data controllers. Article 33 of the GDPR introduces an obligation to report all breaches to the Data Protection Commissioner “without undue delay” but not later than 72 hours after having become aware of it. Notification will not be required however where the breach is unlikely to result in a risk to the data subjects. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must communicate the breach to the individual data subject in clear and plain language without undue delay.

Conclusion

A data security breach is an inevitability for almost all companies today. It can have disastrous consequences for a business, from the loss of information and the corruption of system processes to the publicity implications, and that is before any legal and financial ramifications are considered. The GDPR is only 18 months away and with it is coming greater security and notification obligations.

Is your company ready?

If you have any queries in relation to the content of this update, please contact -

Bryan McCarthy, Partner, bryan.mccarthy@rdj.ie, +353 1 6054203;
Finín O'Brien, Solicitor, finin.obrien@rdj.ie, +353 1 6054217

SHARE
Stay loop bg
Sign up

Stay in the loop

Sign up to our newsletter

Related Insights

Practice
Cyber and Data Protection 05 04 2024

Data breach claim struck out in Cork Circuit court as ‘minor’ incident

In our latest Insight, Jennifer Noctor, Partner in RDJ's Cyber and Data Protection team, discusses a data breach claim which was struck out in the Circuit Court affirming the principal that a certain minimum level of severity must be obtained in…

Read more About This Data breach claim struck out in Cork Circuit court as ‘minor’ incident
I Stock 1485820940
Cyber and Data Protection 24 01 2024

Balancing Risk with Innovation: EU's Approach to AI Procurement Contracts

As we edge closer to the AI Act being adopted into an agreed and final text, the European Commission have published a draft of what are known as 'standard contractual clauses' for the procurement of artificial intelligence systems. In this insight,…

Read more About This Balancing Risk with Innovation: EU's Approach to AI Procurement Contracts
AI woman
Cyber and Data Protection 17 01 2024

2024: The Year Of AI

On 29 December 2023, on the floor of the New York Stock Exchange, 2024 was declared to be the “year of AI” by top tech analyst Dan Ives. In this insight, Ricky Kelly and Sadhbh Walsh look at efforts made to regulate the use of AI around the world in…

Read more About This 2024: The Year Of AI
EU Flag and Binary code
Cyber and Data Protection 29 05 2023

Recent Developments To The EU'S Cyber Resilience Framework

Cybersecurity continues to be a significant risk for organisations across all sectors. This year, we have already seen a significant bolstering of the European Commission’s legal framework with initiatives that seek to advance a comprehensive…

Read more About This Recent Developments To The EU'S Cyber Resilience Framework
Website Insight Template 3
Cyber and Data Protection 17 05 2023

Non-Material Damage Compensation – the CJEU Enters the Fray

The CJEU delivers its first, and eagerly awaited, decision on the concept of ‘non-material damage’ arising from an infringement of the GDPR and in doing so departs from the Advocate General’s Opinion. In this insight Lorcan Moylan Burke and Ricky…

Read more About This Non-Material Damage Compensation – the CJEU Enters the Fray
Cyber Security
Cyber and Data Protection 11 05 2023

Cyber Incident Response and Crisis Management Workshop

On Wednesday, 10 May, we hosted a Cyber Incident Response and Crisis Management workshop with RDJ partners Ricky Kelly and Jennifer Noctor and guest speakers Mark Fawcett and Joseph Dashwood from Control Risks.

Read more About This Cyber Incident Response and Crisis Management Workshop