Speaker 1: In a time of crisis, like a data breach response, that's when culture comes to the fore and leadership, true leadership, shows its true colors. Today we're going to speak about the management response in respect of incident responses and data breaches. So let's ask the question first: should a data breach be notified? This is different to the legal question of whether a data breach response must be notified. Let's assume for a moment that you've gone through that legal analysis and it has left the management with a choice, notify or not. What should you do? It's a true question that goes right to the heart of the culture and identity of an organization. Now I would put it to you that in those circumstances, the right answer is that you should notify. And the reason for that has many dimensions to it. Let's look at some of those dimensions. First, look at it from a positive and from a negative point of view. If you look at a data breach nowadays as something you know is going to happen rather than something that might happen, the only question is when. So you know there's going to be a particular incident that, when it occurs, is going to be a serious issue for your business. And then the question for you as the management of that business is how you are going to respond to that. Are you going to respond in a way that is positive, that supports the brand identity that you have, that shows the care that you have for your customers and for your clients? Or are you going to respond by trying to hide that and trying to avoid the consequences? So when a data breach incident happens, it is a crisis, but it is a moment when management can show their ethics, accountability, and culture in how they respond to that crisis. And if that aligns to brand reputation, then you are not compounding the error that may be at the root cause of the data breach. In fact, you're showing the good adult response necessary to bad things when they happen. 
There's also a more negative way of looking at this, which is that in this day and age, it is very unlikely that any data breach of any particular magnitude is going to remain a secret. So in circumstances where there is a significant data breach, again, it's more a question of when that comes into the public domain. It may do so by virtue of a regulatory notification. It may do so in the course of an investigation or inquiry into another matter where it becomes disclosed. It may do so because of a disgruntled person within the organization or an affected data subject outside. But as sure as night follows day, for any significant incident, it is likely to come to light. And how is that going to play in the court of public opinion? Perhaps there are positive and defensive reasons why having a culture of proactively responding to data breaches, with the primacy of the protection of the interests of data subjects at the heart of that policy, is a good culture and principle to follow within an organization. Putting that to one side, in a circumstance where a data breach response is going to be notified, whether because it's required by law or regulation, or whether it's because that is the culture and the policy of the organization itself, what are the priorities that management should follow when making that response? Well, there are three key priorities: speed, accuracy, and transparency. So let's look at speed. In many regulatory regimes, there's often a time frame within which a notification needs to be made, and that time frame can be as short as 72 hours under GDPR, or sometimes longer, 30 or 60 days. But in many circumstances, there is a time frame within which you are required to operate by law. That shows that from a regulatory point of view, the regulators believe that speed in response, letting the regulator know and letting the affected people know, is one of the primary concerns. 
So if you have a serious data breach, and it takes you from March until October to respond, even though you might be putting accuracy at a higher level, the fact of that long delay in letting people know shows that perhaps the priorities weren't quite as well thought through as they should have been. So speed is important, but accuracy is important also. If you notify certain particulars today because you want to get a notice out today, and then tomorrow more information comes to light that either contradicts or materially changes the scale or the impact of the announcements you have already made, then you're getting things wrong. And getting things wrong in a public environment can be damaging. And there's a tension between those two. You need to be fast, but you need to be correct. How do you approach that? How do you deal with that tension? Well, in thinking through the systems, the processes, the procedures that you have, and the training that you've gone through in advance of an incident response, you would hope that you would be receiving reasonably accurate information in a timely fashion to facilitate you in terms of making an accurate or sufficiently accurate report. What you're looking for in terms of the information that is coming through are the key elements that people will be concerned about. What is the kind of data that has been lost or breached? For instance, is there financial data, credit card data, health data, particularly sensitive categories of data? If so, that is something that people will need to know straight off the bat. In what geographies are things affected? So you may need to look outside of the domain where you primarily operate and look to other geographies, to other countries, and see how they have been affected and see if that can also be recorded. What kind of records? What's the scale and the size of the records that have been damaged? 
There's nothing worse than saying that there is only a loss of a certain amount of data records, and then a little time later having to notify that it is in fact two times, three times, four times, or some multiple of that number of records that has been lost. So you need to think about the core and the critical elements, and if you get those substantially correct, then it's time for you to make that notification in respect of what is substantially correct. You can add the caveats and qualifications that it is based on present information, and that information might change. Another thing in relation to speed and accuracy is the readiness of those around you to be able to respond with you. So if, for instance, you provide hotline numbers for people to raise questions and receive responses in respect of how they are individually affected, well, those hotline numbers need to be staffed, and the people who attend them need to be trained in how to respond, because if you make that available and then lines and calls are not responded to, that does not help you in respect of a management response. That's one example. The other tension that's at the heart of the management response is the tension between being transparent, showing that you're being as open as you can in respect of the information that's available to you, and legal liability, making admissions that may increase legal liability in terms of subsequent legal proceedings or investigations, and there is a balance to be made there. In some ways, the management needs to have a clear view and a clear philosophy about whether they're going to put transparency, looking after clients and customers, and looking after any loss that they may incur over admissions that may result in particular kinds of liability. 
One of the things you can say is that in a regulatory response, generally, principles of transparency and accountability are positive factors that are taken into account in respect of regulatory investigations. There's no right or wrong answer about these. The tension between transparency and legal liability, the tension between speed and accuracy, it's very difficult to get a 100% outcome on all of those parameters. You're looking for a good balanced scorecard on this, and if you have had the training and the systems in place and the trial runs in respect of how you approach these particular issues, if you have an incident response team that is fully engaged and ready to support in respect of an incident when it happens, then you're ahead of the pack in terms of being able to show the culture, the accountability, and the ethics that an organization would wish to show and demonstrate in their management response.