Your organisation has been the target of a cybersecurity attack. Now what do you do? What can you do?
In the face of increasing numbers of cybersecurity incidents, governments and organisations worldwide are turning their focus to how to manage cybersecurity threats and deal with the aftermath of cybersecurity incidents. For many organisations, the most common cybersecurity threat is the risk of confidential information being accessed and potentially misused by an external and/or adverse party, that is, a data breach. One of the key challenges in responding to data breaches is that data can be taken from one or more jurisdictions and moved very quickly to other jurisdictions. The cross-border nature of incidents can make investigating a data breach, identifying your various obligations in relation to the data breach and identifying your options for dealing with the data breach a very complex and daunting process. This is especially so because speed is almost always a critical factor in an effective response.

In the Asia Pacific region, recent years have seen a wave of new cybersecurity legislation, government-established bodies to regulate or monitor cybersecurity, and guidelines and reports issued by governments and regulators. For example, in 2015, Indonesia and Singapore each introduced cyber agencies, Japan enacted the Cyber Security Basic Act and the Australian Securities and Investments Commission released a report on cyber resilience. For a number of countries in Asia Pacific, laws or guidelines on these issues are being formulated for the first time. In addition, countries such as the United States, where the Department of Justice released in April 2015 its “Best Practices for Victim Response and Reporting of Cyber Incidents”, are adding to already existing systems of cybersecurity regulation. Despite the increased regulatory activity, there is, unfortunately, no unified approach to the regulation of cybersecurity or the potential legal remedies available in the context of data breaches in the Asia Pacific region.
Depending on the jurisdiction, data breach incidents may involve, in addition to laws regarding cybersecurity, obligations under privacy laws, employment/labour laws, equitable rights and obligations, the law of equity, corporate governance, fiduciary duties and industry or sector specific regulations. In some jurisdictions, laws regarding state or national secrets may also be enlivened, especially when data is suspected to have been transferred out of the jurisdiction. Accordingly, local knowledge of the obligations in each country and how each relevant regulator or court operates in practice is essential to navigating a response to a data breach incident and understanding which legal remedies may be available and which will be most effective.

Using this knowledge, we are able to assist our clients to investigate data breaches, to identify reporting obligations, to discuss strategies to minimise further disclosure of the data and mitigation of loss or damage, and to identify, where available, legal remedies to recover the data or loss associated with the data breach.

In this Guide, we:
- set out, in the remainder of this chapter, an outline of the preliminary assessment we recommend should be undertaken by clients when confronted with a suspected data breach; and
- identify, in the remaining chapters, for 13 countries in the Asia Pacific region, the position in response to a number of common issues which arise in dealing with a data breach incident.

As you will see, while some jurisdictions with similar juridical history have similar processes, the type and availability of legal remedies can vary greatly across the region. In order to provide the broadest coverage of key jurisdictions, in addition to input from eleven jurisdictions in which Baker McKenzie has offices in the region, we have also been very ably assisted by Kim, Choi & Lim in Korea and J. Sagar & Associates in India.
Effective triaging: conducting a preliminary assessment and determining next steps
Our advice to clients when faced with a suspected data breach is to act as quickly as possible to perform a preliminary assessment or triage of the situation.
Determine the nature of the compromised data and severity of the breach
That preliminary assessment should include identifying the nature and level of sensitivity of that data in terms of:
- What information does the data contain? Is the data purely internal or does it include information belonging or relating to third parties? Does the data include personal or financial information?
- What are the risks involved? Does the disclosure of the data present any risks of:
  - identity theft;
  - financial loss;
  - humiliation of the data subject;
  - damage to reputation;
  - loss of business opportunity;
  - loss of confidentiality of information which was a trade secret; or
  - harm to personal safety; and
- What are the legal implications? Does the disclosure result in any criminal, regulatory or contractual implications? Is there an obligation to provide a notification of the breach?

The following guidelines provide further assistance in conducting an assessment of the severity of the data breach.
DATA BREACH ASSESSMENT GUIDELINES
By considering the list of questions in these guidelines, you should be able to analyse the severity of a data breach, the possible consequences of the breach and identify your potential next steps.
Determine where the information is now and what you can do in that jurisdiction
As can be seen above, one of the indicators of a severe data breach is when the compromised data is suspected to have left the home jurisdiction. Determining whether that has occurred will usually involve cybersecurity professionals using whatever means are at their disposal and appropriate in the circumstances to try, in the first place, to identify the details of the device used to access the relevant systems (the “primary hacking device”). In many cases the location of the primary hacking device is: (a) determined to be in a particular foreign jurisdiction; or (b) unable to be immediately identified because the perpetrator has used a cloud provider (also located in a foreign jurisdiction) as an intermediary.

If, due to the severity of the breach, further action needs to be taken at that stage to continue to trace the data through to the perpetrator of the breach (including through an innocent cloud computing provider), a number of important questions arise as to the legal processes and procedures available in that jurisdiction. In particular, before taking further steps in a foreign jurisdiction, you should ask:
- Can further information be obtained if one of the waypoints is in another country or in an unknown location in the cloud?
- What type of legal action, if any, can be taken?
- Who has standing to take legal action?
- How easy or difficult is it to get the relief needed?
- Are there any other legal issues to be aware of before commencing action?