Out-Law News

Cyber breach response should involve organising and prioritising several workstreams through a central incident response team, says expert


Businesses that experience cybersecurity breaches should follow an organised workstream to manage those incidents successfully, a cyber risk expert has said.

Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that businesses that fail to handle cyber or data breaches properly can expose themselves to potential regulatory penalties and significant harm to their reputation.

Following a series of practical steps in the immediate aftermath of a breach can help businesses to mitigate those risks, he said.

"The first step is often to engage IT forensics experts to carry out a thorough examination of networks and systems," Birdsey said. "This exercise will provide clues as to what systems and data attackers may have gained unauthorised access to and how, and enable businesses to fix any vulnerabilities identified or address failings in controls or processes to prevent recurrence."

"Subsequent data analysis can then help businesses understand the nature of the incident, from how many people are affected, what type of information has been compromised, and whether legal or regulatory duties to notify the incident have been triggered. Businesses may need to notify data protection authorities and sector regulators, and may wish to also inform law enforcement where they suspect criminality," he said.

"Businesses need to consider the messaging they use when notifying affected individuals of data breaches, and have further logistical and operational support mechanisms in place to ensure emails notifying the breach are sent out quickly in batches and that their addresses are validated, for example. Operational support will also concern the handling of queries and complaints that might then arise after details of breaches have been communicated," Birdsey said.
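As an added illustration of the notification logistics described above (this is example code written for this page, not code from the original article, from Pinsent Masons or from Cash Converters), the following Python takes an affected-customer list, normalises and syntactically validates each address, drops duplicate mailboxes so nobody is notified twice, splits the survivors into send batches, and holds back every record that will need a postal or telephone follow-up. The batch size, the validation rule (mailbox@domain with a dotted domain) and the sample records are all assumptions made here.

```python
"""Validate, deduplicate and batch breach-notification recipients.

Added example for this page; not code from the original article, Pinsent
Masons or Cash Converters. Batch size, validation rule and sample data are
assumptions.
"""
import re
from email.utils import parseaddr

# Loose syntactic check: local part, exactly one "@", domain containing a dot.
# Assumption: this is the level of checking wanted before a bulk send;
# real deliverability is only learned from bounces.
_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise(raw):
    """Return a canonical (lower-cased, display-name-free) address, or None."""
    if raw is None:
        return None
    _, addr = parseaddr(raw.strip())  # strips "Name <addr>" wrappers
    addr = addr.strip().lower()
    if not _ADDR_RE.match(addr):
        return None
    return addr


def prepare_batches(records, batch_size=500):
    """Split affected-customer records into send batches.

    records: iterable of (customer_id, raw_email).
    Returns (batches, rejected): batches is a list of lists of
    (customer_id, email); rejected is a list of (customer_id, raw_email,
    reason) for the team handling non-email follow-up and queries.
    The same mailbox attached to several accounts is notified once.
    """
    seen = {}          # canonical address -> first customer_id seen
    accepted = []
    rejected = []
    for customer_id, raw in records:
        addr = normalise(raw)
        if addr is None:
            rejected.append((customer_id, raw, "invalid address"))
            continue
        if addr in seen:
            rejected.append((customer_id, raw, f"duplicate of {seen[addr]}"))
            continue
        seen[addr] = customer_id
        accepted.append((customer_id, addr))
    batches = [accepted[i:i + batch_size]
               for i in range(0, len(accepted), batch_size)]
    return batches, rejected


# Constructed sample records for the demonstration; not real customer data.
SAMPLE_RECORDS = [
    ("c1", "Alice Example <alice@example.com>"),
    ("c2", "BOB@Example.com "),
    ("c3", "carol.example.com"),      # missing "@"
    ("c4", "dave@localhost"),         # no dotted domain
    ("c5", "alice@example.com"),      # same mailbox as c1
    ("c6", ""),                       # blank field in the export
    ("c7", "erin@example.org"),
]

if __name__ == "__main__":
    batches, rejected = prepare_batches(SAMPLE_RECORDS, batch_size=2)
    for n, batch in enumerate(batches, 1):
        print(f"batch {n}: {[email for _, email in batch]}")
    for cid, raw, why in rejected:
        print(f"hold {cid!r} ({raw!r}): {why}")
```

Records on the rejected list are exactly the ones the operational support team needs to chase by other channels, and the duplicate reason points back to the account that will receive the single notification, which is what a customer-service agent needs when a query comes in.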

Businesses may also want to consider providing credit monitoring services to help people impacted by the breach to mitigate risks such as fraud and identity theft at the point of notifying them of the breaches, he said.

"Throughout the various stages of incident management it will be important to provide consistent messages about the breach and manage the risk of negative media coverage," Birdsey said. "A reassuring breach narrative and coherent approach to PR is therefore an essential component to good cyber incident response practices and necessarily involves close cooperation and internal communication between those involved in handling the breach, including PR advisors, IT and legal teams and the board."

Birdsey was commenting after UK retailer Cash Converters announced that some customer data it held had been compromised in an "online security breach".

"Cash Converters was notified that a third party had potentially gained unauthorised access to a Cash Converters UK customer database," the company said in a notification to affected customers. "The data that has been accessed relates to Cash Converters UK data from a recently decommissioned Webshop site. This site was decommissioned when the new website was launched in September 2017. This site was hosted by an external third party."

Customer data accessed in the attack "includes Webshop account names, passwords and delivery addresses", but not credit card details, the company said. It said its new Webshop site had not been impacted by the incident.

Cash Converters said it was taking the incident "extremely seriously" and was working with authorities in Australia and the UK to investigate.

"Please be reassured that, alongside the relevant authorities, we are investigating this as a matter of urgency and priority," Cash Converters said. "We are also actively implementing measures to ensure that this cannot happen again."

"Our customers truly are at the heart of everything we do and we are both disappointed and saddened that you have been affected. We apologise for this situation and are taking immediate action to address it," it said.
