
Everybody's Got Something To Hide, Except For Me And My Incident Response Plan by David Cook

BSides Liverpool, 27:05, published 2022-01
Category: Policy
Style: Talk
About this talk
David Cook, a legal director at DLA Piper, examines why incident response planning remains critically underfunded despite widespread cyber breaches. Drawing on real cases and GDPR enforcement data, he argues that organizations must plan incident response workflows before a breach occurs—defining who reports to regulators, who engages forensics, and how decision-making happens under pressure—rather than improvising during the crisis itself.
Transcript [en]

I'm David Cook. I'm from a law firm called DLA Piper. I've got a job title, legal director, all this sort of stuff that doesn't matter. What I do day to day, though, is deal with incident response, and we act on behalf of the Information Commissioner's Office and against the Information Commissioner's Office with cyber security data breaches. Most of the matters we deal with I can't discuss publicly, obviously, but it's public knowledge that we act on behalf of SolarWinds for the SolarWinds breach, so it's that sort of stuff. And so it means that we have lots of contact with organizations on, you know, the worst day of the CSO's life, a cyber security incident.

And the stuff that I tend to advise on comes either within the Network and Information Systems Regulations or the GDPR, the dreaded GDPR. It's not just about cookies and marketing, it's also about other stuff, which I find quite interesting. So let's go through it. What I think is really interesting is, it's not going to be death by PowerPoint and death by statistics, but just bear with me, there are some interesting ones here. So every year DCMS runs a Cyber Security Breaches Survey, and they ask big organizations what they think about various things, what their experiences are. And every year I look to see what's going on, and every year these stats surprise me.

And so this year's one: 40% of businesses reported suffering a cyber security breach or a successful attack within the last 12 months. A quarter suffer them once a week. And 77% of businesses say that cyber security is a high priority. So far so good, it's all the sort of stuff we imagine is the case and we probably see as the case every day. Only 31% of businesses have got an incident response plan. So there's a disconnect there, and it's something I come in contact with all the time, and you'll see it yourselves in organizations, if you work in relation to incident response, which is: there's money plowed into information security, but that doesn't always translate into where that funding needs to go the most. And incident response plans, and understanding what an organization is going to do in the event, is a really obvious thing, but the vast majority of organizations don't ever actually think about it.

So we'll come to it. There are very strict timelines under the GDPR: you've got to report a breach within a very set period of time, otherwise you have to explain why you're out of time. Now, the worst possible time to work out how you're going to deal with a breach, who's going to sign off on telling the Information Commissioner if it's over a weekend, who's going to speak to the lawyers or the external forensic IT provider, who's going to speak to the board, are the board going to get together over Zoom or are they going to come into the office, and if it's over Zoom how does that work if the network goes down, all those sorts of questions nobody thinks about up front. They think about that in the event of a breach, in the middle of this, you know, the blazing white heat of incident response. You know, that sounds over the top, but actually there are times when CSOs are crying during this. It has bad, bad times. So do all that work up front. That's easy to say, isn't it? The reality is the vast majority of organizations don't, and that's what I want to tell people to do. I've told people to do it for five years and the stats are not changing, so I'm not affecting the results of these surveys, but I think this is an interesting topic.

So what do we see in reality? And you know, you guys will be familiar with this stuff, but on the left there we've got the event, so the threat actor establishes access to a network. We've then got the detection point, so it's recognized and it's known as an issue, and as that's then triaged we've got reporting to the regulator or to data subjects. Data subjects is a GDPR term that means the individuals involved. We've got containment, so vulnerability and threats removed, and on the right, remediation. Now in reality this phase, this latter half, that's all within the same thing. You know, once you report to the regulator, they then want to know about all this other stuff. When I say regulator I mean the Information Commissioner's Office, but that could also be the case for the FCA if it's an FCA-regulated firm, and that could also be some of the utility sector regulators. So regulators are on top of this straight away, because they see there's an issue, people are at risk.

But what does the GDPR say about this? Now look, it's not going to be a legal lecture, but the difference between event and detection, so from when the threat actor establishes access to the network to when it's spotted, that averages out at around three months. Now the GDPR doesn't explicitly talk about what that stage should be, but it does say that organizations should know what's going on. The information is public...

[Audio drops out here; only fragments were captured: "it takes three months for an organization", "telling the", "you know hours", "so again once an organization works out it's happened", "says two percent", "likewise", "wrongly that these regulations, the GDPR says", "in your mind collaboration, so if you're on the practice and then they ask before you introduce".]

...and in order to demonstrate that we have appropriate security in place, we've got these plans to contain and remediate the issue, and that demonstrates your position around cyber security and your posture. If you come at the Information Commissioner and say this issue's happened, it was a criminal, it's not our fault, we're not going to do anything else, because what more could we have done, the Information Commissioner will go mad and you will get an audit and you will get technical teams asking you lots of difficult questions. If you go and say we know what the issue was, multi-factor authentication was set but we could have had localized access control, a more sophisticated picture, an even more sophisticated picture, then you can see how the Information Commissioner or whatever regulator could be more relaxed about that.

But the point is that the real issue is the event to detection. That's too long. Three months is too long, but we're not going to change that very quickly. That's a cultural thing; cyber security culture is a very critical task. But detection to reporting, you see that around two weeks after an incident is detected it's been reported, and organizations are routinely out of time, and we have to find a justification or a way that we can say the point of awareness was perhaps at a different time that reflects better on the organization. But the reason that detection to reporting time is so long is because organizations don't know what to do. What information do we need, who's going to give it to us, and who's going to put their neck on the line and sign off on this? That is what takes the time, and it's those questions that can be done up front.

And in other more mature jurisdictions around cyber security, so particularly in the US, so California had the first mandatory breach notification law in 2001, so Americans are good at this stuff, and what they have there is they routinely have incident response plans in place and all this sort of exotic language like wargaming and playbooks, and things that make sense on paper, people really doing practice. But in the US they do, here they don't. And I think that this is an area that, if it's tightened up, will move organizations from a position where they are rushing to get the information out the door and making mistakes and inviting regulatory scrutiny and data protection compensation claims and all the bad stuff you see in the newspapers. You know, I, despite my accent, work in Manchester, and we had a large retailer, a supermarket, had a breach. Within 24 hours there was a full-page advert in the Manchester Evening News saying have you been affected by this data breach, you can claim £5,000 compensation. It was a figure out of thin air, but a compensation class action. And again, look to the US for what compensation class action looks like; we're going to see the same sort of thing developing here.

And some of this stuff, you know, the law, the black letter law on paper, and what we see in practice could be different, and regulatory fines will come on to, four percent of annual global turnover, we don't see anything like that in practice. But that compensation bit, we are seeing that, we're seeing a growing culture around compensation following a data breach, and that is the bit, and this links in with the last bit, which I think is scary. So GDPR, we got all that rubbish through our emails a few years back, will you consent to allow marketing to continue, and all this sort of stuff. The GDPR's about much more than that. It's this bit in the middle here, so GDPR talks about accountability, being able to prove compliance. From a cyber security perspective it's being able to show how your security was appropriate and how you can justify it. So it's stuff like have you had audits, have you had pen tests, have you had a program of continuous improvement, have you evolved this over time, can you demonstrate that you have appropriate security, what's in the market, is that a sign to end...

[Fire alarm sounds.] I mean, this session's on fire.

All right, let's give a recap. It looks like there are more people in than before, no, that's great. So what I was saying, right, was that event point, so the threat actor that gets on the network, to detection, takes about three months, and that's massively longer than it should be. And from detection to reporting, which should be 72 hours because the law says it, GDPR says it, that takes about two weeks on average. And what I'm saying is the solution is incident response plans. People should plan and understand what they're going to do: who's going to be the person who calls in the lawyers, if it's going to happen; who's going to be the person to call in the external providers, if it's going to happen; who's going to be the person to sign off, who's going to stick their neck out. Right, all that stuff adds to what is taking two weeks, and should take sense to us, and could do if it's done in a meaningful way, where people have thought before it happens how they're going to respond to this sort of incident. So that's where we were up to.

And what I was saying was all the bad stuff about the GDPR comes out as a result of it. So the GDPR talks about accountability: you've got to be able to demonstrate compliance in document form, they'll be accountable, you know, they'll show how and why you're accountable. And then there's other stuff here which, you know, I probably don't need to go into in any great detail, but data protection by design and default: this is a new system, we've got to build data protection in from the start. Privacy impact assessment: we've got to consider what the privacy risk is and try and reduce it. Transparency, data subject rights, all this sort of stuff. And this is what organizations are spending money on, spending money on stuff like how do we deal with data subject access requests, transparency, how do we tell people what we're doing, privacy impact assessments, so a document that sits on a computer somewhere saying that when we've rolled out this, um, exposed everything to the cloud, we've thought about what the impact is. All this stuff beneath the hood and hidden away, and then they get pierced by those three things on the left there. So the subject access request goes wrong and you get grassed up. At the bottom, the regulator's doing an audit on your sector, and the regulator's doing an audit on ad tech at the moment, so they're asking lots of questions and getting into the meat. But in the middle here, personal data breach: you have to go to the regulator, you've got to tell them we've got some bad stuff going on, and then they ask questions which can improve all this stuff.

So all of the money that's gone into GDPR remediation and preparation is then potentially undermined by a personal data breach. And I would say if you go to the regulator and say we found out about this two weeks ago and we're only telling you now, you're already in a defensive position, and they're much more likely to ask these questions. Because the consequences are: there's criminal offences, Computer Misuse Act, but it happens more than you probably realize; civil litigation, so compensation claims; and a regulatory enforcement bit, so fines of up to four percent of annual global turnover for the breach, but then also fines of up to two percent of annual global turnover if you report late. They can be combined, you can have six percent for that reason, and we'll come on to that. We haven't seen any of this stuff, but it's possible, and if we look further down the road I think that this sort of stuff is coming up, and the reason is this. Some nice little things that are flashing, let's go on.

So over time we are seeing more penalties issued under the GDPR, so by the data protection supervisory authorities, in this country the Information Commissioner's Office. So you can see in the phases, so GDPR came in in May 2018, and so at the beginning there are very few penalties, and this is not cumulative, this is for each period alone. April 2019 to March 2020, big jump, and then an even bigger jump there, I think. So there are more penalties coming up within these time periods than ever before. And the value of them, sort of, I mean, strange that even though there were more penalties for those two initial phases, actually the value didn't really go up, but suddenly, the April 2020 to March 2021, massive, massive increase. What does that tell us? Because people are constantly critical of the Information Commissioner's Office because they've issued relatively few penalties, but they're doing a lot of stuff, there are a lot of investigations. The ICO started life, and it's in Manchester, where I'm in Manchester, so you know these guys, they started life almost like an ombudsman, and they were nudging you towards compliance, and the GDPR says you have teeth, you've got to bare your teeth, you've got to bite people. They're not really used to that, but they're doing a lot of stuff behind the scenes.

Now what you can see here is across Europe, and increasingly in the UK, the regulator is not only there in a team but also cruising down with some fairly big penalties. But what's interesting is the Information Commissioner's Office, you know, what we've got there is the fourth-highest penalties imposed in Europe and the UK for GDPR are UK Information Commissioner's fines. So we're not behind the curve by any event, it's just that they're all clustered in two or three penalties, which is not great. And the top ten largest fines imposed, we've got there France number one, that's Google, 50 million, and it goes right down there, but you can see fourth and fifth we've got UK penalties against British Airways and Marriott, and both of those cyber security failings were, British Airways, well, and Marriott, both legacy systems that were no longer looked at, and obviously if you leave something, if you neglect it, security is not, patches aren't implemented, the security is not updated over time, you can see how things go wrong.

[Audience, partly inaudible: "...the issue arising and the time between the issue..."]

Yeah, yeah, it's not a legacy system, you're right. In a penalty notice it refers to a legacy system, so there may be other points there that I'm not aware of. I guess the point is that the penalty was imposed for cyber security failings, whatever they looked like. And there's a very good point there, I think that forced his fortitude days, as you know, that's justifiable, there are other issues, and the penalty notice is a long notice and there's quite a lot to look at there. But the point is that the regulator, although people criticize it for relatively few penalties, what we're seeing in practice is the penalties it is imposing are large, and there are a lot of open investigations. We know that because we act in a lot of these sorts of cases, and the regulator's got a big sector focus at the moment looking at bad stuff that's going on. So after the Cambridge Analytica and Brexit investigation they then began to look at data misuse in a much more holistic way, but they've got all this stuff coming down the track as well, and we know they've got a lot of open investigations for big cyber security incidents that you've read about in the news.

But, so going back to the beginning, and probably a good place to stop, is we've got here that only 30 percent of organizations, 31 percent of organizations, have got plans for this. I'd say by thinking about this, organizations are not only in a better state to respond if there's an incident, but probably also see what those failings are. If the person who is going to sign off on this is the CEO, does the CEO need to be briefed on cyber security, what the issues might be? If you're going to call lawyers, and I talk about lawyers a lot because I'm a lawyer, but if you're going to talk about third parties, if you've instructed third parties, have you thought about who they are, have you thought about if the IT director is going to be on holiday, who's going to sign off in his absence, what happens if your network goes down, how do you communicate with each other, do you have a second communications network through phones or whatever it might be. So I think that's quite an easy step to take: an incident response plan in some form or another is probably a good idea. OK, we were cut midway there by the fire alarm, but hopefully that's enough of a whistle-stop tour that you walk away ready for a beer and happy. Thanks very much. Any questions?

Thanks. I don't mind having questions at the bar or here.

[Audience question not captured.]

Uh, yeah, so that's a good question. So what happens is, and this is a lawyer thing I suppose, you have open communications, which can be referred to in court or in public, and you have without prejudice discussions, so they are discussions which are aimed at negotiating settlements, which aren't public. A lot of the stuff in this country happens behind the scenes, and that's without prejudice, which is not made public. However, there are large monetary penalty notices which give lots of information as to what went wrong, and they're worth looking at. They don't give granular detail, but certainly something you can wave in front of the board. But in the other jurisdictions, so you've... this is a problem, but you know the French fines have a lot of information, some of the jurisdictions don't publicize the penalties at all, so it varies. But if you want to scare your board and if you want to release funding and raise awareness, there's genuinely, the British Airways penalty notice and the Marriott one are worth reading. They do give quite a lot of information. 86 pages? 100? I've only read half of it. OK, 86 pages, tough going, yes.

[Audience question not captured.]

...the fourth biggest law firm in the world, and it's easy to be seen to be looking down on some of these street firms, and I wouldn't want to do that. But where there are justifications for claiming compensation from these organizations, there are law firms who are looking for that business, and in the aftermath of a big incident they frequently have Google AdWords and Facebook adverts and take adverts out in newspapers, so they're easy to come by. I think it's quite scary, because there are lots of these claims going on. They settle for about two thousand, three thousand pounds a pop for each claim, so if there's a big incident that affects hundreds of thousands of people it could wipe the company out. You wouldn't be allowed to, also, but you can see that, you see the, there then with the fat, but it might be a good sign of the future. Maybe in the absence of regulatory enforcement that is the mechanism by which cyber security is enforced, in a way, maybe. I think it was a question.

OK.

[Audience question not captured.]

It is whatever it looks like. It's what you do in the event of a breach. I would say a policy is, you know, an organization's policies: we will be transparent, we will report to the regulator, we will cooperate with authorities. And a plan is what you're actually going to do behind the scenes, and a runbook or a playbook is how it would work in practice. But whatever the distinction is, you know, it's planning what you're going to do in the event, no matter what you call it. OK.

So the only... and it was, how do I see organizations change their approach to cyber security, insurance. The biggest thing is ransomware. They are very keen to pay the ransom if they're insured, and sometimes the insurer wants to pay the ransom. But besides that I don't really see that there's much of a difference. The insurer is breathing down the neck and wants to be given updates, and it slows things down, but there isn't actually much, just the ransomware.

I mean, I'd love to give you a legal lecture, a bit late in the day, but you have to report to the regulator once you are aware of a personal data breach. What does aware mean? And that's the bit that I, you know, look at almost every day. So it's once you become, once you have positive evidence that there is an incident which affects personal data, and I think that's the point with that awareness, when is it crystallized? So that's a difficult question.

[Audience question not captured.]

Yeah, so for those who don't know, the Information Commissioner is being replaced with a new commissioner because their term's come to an end, so nothing suspicious, but there's a new Information Commissioner who comes from New Zealand; the old one came from Canada. Is it going to be a difference? I mean, it's not just the person at the top who defines the tone, but the Department for Culture, Media and Sport has not intervened but exerted pressure on the ICO, and so I think, one, we may see more regulatory action, but two, DCMS seems to want to be more supportive of UK businesses and this idea of a digital strategy, so it's going to be, you know, more aggressive but against the right sort of organization, so taking away with one hand, giving with the other. So I don't know the answer. Yeah, so I mean we are in the midst of all this stuff, so you can't comment too much, but there are supposed to be changes about how the GDPR is implemented and what it means in practice, and whether you're going to do away with some of these impact assessment ideas, and we'll see how it plays out. I think GDPR is pretty good. You're all probably sick of it because of the media reporting about marketing emails, but when you look at it from the position of protecting data and reducing risk, I think a lot of that makes sense, but it's not fleshed out, because not in too many cases yet. I think we've probably got time for maybe one more question. Then what? Yeah, well, not by you, but, uh, yeah, OK. So, one more question? Should we do a lottery for it? OK, no more questions then, we're done.