Lay of the land

The panel began by assessing the current lay of the land, noting the troubling reality that 50% of all UK businesses have suffered some form of successful cyber security breach or attack in the last year. As highlighted by DRD’s Iona Cross, recent attacks involving leading UK retailers illustrate that these incidents are not just about observable operational failings, but also the reputational damage and threat of third-party liability to come.

Hacker collectives, the panel observed, are increasingly more sophisticated operations with their own brands, MO and signature style.

In recent years, cyber incidents and misinformation policies have become commonplace, leading to corporates needing access to specialist internal or external advice. This is increasingly essential in a legal context which has made it harder for UK corporates to defend their reputation through libel suits since the Defamation Act of 2013. This, coupled with the speed information travels and the cross-border nature of many incidents, means corporates need to turn to more creative solutions.

The panel lead the audience through an exemplar cyber incident, which illustrated that not every scenario can always be prepared for.

The scenario

The audience were presented with a fictional data breach that mimicked the types of crisis scenarios the panel had advised clients on. The narrative began with a hypothetical listed UK company facing a hacker-led data breach.

Stage 1: Sensitive data is stolen by unknown hackers, and a ransom is demanded

From the outset, the panel stressed that cyber incidents are not the time for “original thinking”. Established and well-drilled crisis protocols need to be quickly enacted, including the deployment of an incident response team assembled of experienced advisers, who can support the company’s decision making amid high reputational pressure and fluid conditions. Clear cascades of command, signoff and communications must all be agreed

Digital Forensic teams will act fast to prevent any further computing contamination and attempt to profile the attackers. Critically, the response team needs to distinguish compliance obligations against what is strategically desirable, and as statements agreed on day one may be subject to litigations in years to come.

One legal option to consider at this stage is an injunction against the threat actor, mainly to seek the counter the threat that others who are aware of the breach will be tempted to search for the information, or to seek to ensure that third party websites are not used to store the information.

Stage 2: Allegations of financial misconduct against the CEO are leaked, with media now in touch

The panel recognised that this development risks the bifurcation of responsibilities within the incident response group. The CEO may wish to speak publicly to protect their own reputation, but it is vital that official communications remain coordinated and hold the line agreed in crisis protocols. The response group will need to ensure the alignment of all relevant interests, which may require the attaining of further legal representation.

It is vital that media stakeholders tempted to republish the material are informed of the legal risk of publishing stolen or illicitly acquired information This may deter coverage of the allegations where the allegations cannot be verified and the motive for disclosure appears to be to put pressure upon the CEO and the company. An injunction can continue to be considered, most likely on the part of the CEO personally.

Stage 3: An audio clip emerges of the CEO ridiculing the integrity of internal company investigations

At this point, it is vital for digital forensic teams to verify the authenticity of the newly surfaced clip. The team would also be mindful to communicate to media stakeholders the legal risks of publishing stolen or illicitly acquired content.

If the clip is genuine, it is evidence of a systemic failure of governance, and shareholders will justifiably be angry at what is a serious reputational incident. At this point, the panel agreed that it would be wise to refresh the incident response team and establish a renewed chain of command.

Stage 4: The clip is confirmed as fake, but continues to circulate

The fact that the clip is inauthentic means there are a number of legal options to seek to remove it from circulation. Continued processing of inaccurate data can infringe upon personal data rights and, if known to be false, can also be malicious. Other legal weapons include right to be forgotten legislation, copyright or injunctions claims. These are all options available against all publishers, including social media users.

Monitoring, the logging of all executive decisions, and sentiment analysis are all vital functions to safeguard the organisation against a subsequent claim, in which data owners could accuse the company of negligence in their preparation for, handling of, and response to the attack.

Final take homes: A call to arms

In their concluding remarks, the panel stressed to the audience that repeated crisis preparation and simulation was essential rather than advisable. Cyber incidents are not the time for corporates to chance their arm; a specialist team of advisers should be in place to build contingency plans long before you are in the midst of a storm. Attacks are occurring with far greater frequency and there is little excuse or forgiveness for poor planning.