When you've had a security breach that includes Personally Identifiable Information (PII), regulators around the world are becoming very clear: you have to notify the people whose data you've lost, and you have to put protection in place to make sure it doesn't happen again. From the General Data Protection Regulation (GDPR) in Europe, the Data Protection Act (DPA) in the UK and the Personal Data Protection Act(s) in Singapore, to the variety of privacy legislation administered by the Office of the Australian Information Commissioner (OAIC) in Australia, regulators repeat the same requirements, and enforce them with fines and punitive action if you fail to comply.
Our incident response work has shown over and over again that attackers know this, and increasingly steal and threaten to expose PII as an effective piece of blackmail. Every new piece of privacy legislation paints another target on your company. Once you're in this situation your options are limited to paying extortionate ransoms to organised crime, or seeing the reputational damage to your firm and the potential fines from regulators when the blackmailers publish.
Your key steps after a PII Breach:
Understand what's been taken
Understand your legal obligations around reporting and notification
Identify every individual in the dataset
Clear communications with your regulators
Establish a clear future plan for recovery and protection
Monitor the dark web for evidence of the sale of your corporate data
Unless your systems and data are exceptionally well managed, you're going to have a hard time identifying what's been taken and who has been affected, and this will put you in a bad negotiating position. If the attackers left servers encrypted behind them, it complicates matters further. The most important thing now is to understand what's happened and minimise the damage to you and to the people whose data you hold.
How Pragma can help
Every situation is different, but we've found some actions have a greater impact than others.
Advice on your legal obligations
Our in-house legal team can help you understand which laws apply to you and what your obligations are. Where necessary we can recommend external legal counsel with a strong track record in PII cases in your country. It's important to understand what counts as PII in your jurisdiction, whether the attacker's actions would trigger the legislation, what you have to report and by when, and what obligations you have around future protection for yourself and the data subjects.
Data recovery and analysis
When even small computers have terabyte hard drives, the size of the compromised dataset can get enormous. Identifying how much of this is PII, and who the individuals affected are, becomes an enormous task. We have specialist tools that can analyse large datasets and pick out the PII, and extract a simple entity database of the individuals affected and what data each has lost. Understanding your dataset is key to managing your risk.
We have experience reporting to data protection regulators around the world, and we know what they are looking for and what they really don't want to see. We will help you set up a positive dialogue with your regulators, and support it with technical reporting that demonstrates the facts of the case and helps you manage your liabilities.
Our communications team can help you manage and deliver the necessary data subject notifications, and manage the message to the media. When you're dealing with a complex clean-up job, the last thing you want to do is become front page news or suffer a wave of customer anger.
Root Cause Analysis
Our forensic analysis team will help you identify unequivocally how the attack happened and what weaknesses were exploited to gain access. Your attackers already know this: unless you understand it too and close your security vulnerabilities, they'll be back soon to add more leverage to blackmail demands.
You don't want to go through this again. Your regulators want to know you're not going to go through this again. Our technical security architects will work with you to identify not just how this attack happened, but to identify any systemic weaknesses or data management flaws that may leave you vulnerable. Our consultants will help you create a plan of action to ensure the most important vulnerabilities are resolved quickly, and demonstrate to all affected parties that you have the situation under control.