Protecting the Enterprise

The Day After: Recovering from a Data Breach

Today, data attacks are a fact of life, which makes building your organization’s resiliency and recovery capacities more important than ever. Successful recovery requires a coordinated effort across the Enterprise.

Data breaches are ubiquitous, with high-profile incidents occupying an ever-increasing amount of space in the news and on social media. They are on the rise too—according to FTI Consulting’s Resilience Barometer 1, the number of G20 companies impacted by a cyber incident rose by 6 percent in 2021. While some industries are more susceptible to cyber-attacks than others, it’s safe to say that for most organizations, experiencing a data breach is a matter of when, not if. Although data breaches are increasingly common and can occur due to factors that are difficult to prevent, such as malware or insider threats, organizations can firmly command how they manage their response. A swift and transparent response to a data breach has become a trust differentiator between businesses, and that response – rather than the breach itself – is often what a business is remembered for in the public eye.

From a compliance perspective, organizations that operate across the Middle East and North Africa (MENA) region will likely be required to report to authorities under multiple jurisdictions and according to various data protection and sector-specific laws across the UAE, Qatar, KSA, Bahrain and Egypt — making the notification process an onerous task and one that requires a detailed plan of action combined with technology. Further, organizations face strict timelines to report data breaches, with many MENA data protection laws requiring notification to authorities within seventy-two hours or less.

Establish Your Plan

A key starting point for response management is to document in detail how the organization will respond to an incident, both suspected and actual. Important elements of a robust incident response plan include:

  • Containment of the incident. Experienced security professionals must be involved in breach response planning to provide guidance on how incidents will be identified and contained. This includes investigatory techniques and steps to eradicate any malicious actors or malware that may still be in the organization’s systems.
  • Alignment with the organization’s data classification policy. This will support information security efforts and help identify the sensitivity of data involved, so that the incident can be effectively categorized. The categorization should then guide initial response actions, as well as subsequent steps, especially if the breach occurs in more than one jurisdiction. Organizations can also refer to their data mapping or records of processing activities to help determine the sensitivity of the data involved in the incident.
  • Delineation of steps involved in responding to a breach. From the identification of the incident, through post-breach analysis, the individuals and teams responsible for key actions and escalation points, including external advisors such as technology partners, insurers, legal counsel and law enforcement, should also be clearly defined. It is vital that a multidisciplinary team be established to meet at critical junctures, make decisions and proactively determine the strategy for managing a breach.
  • Integration of communications outreach. Clear and frequent communication with regulators, shareholders, data subjects and employees is a critical part of any incident response plan. Legal, compliance and privacy professionals should work with crisis communications experts to establish the guideposts for how communications will be handled and escalated during an incident.
  • Inclusion of simulations. An incident response plan should not be seen simply as a compliance tickbox exercise and must rather be viewed as a document that guides an organization’s overall strategy and culture toward incident response. To refine the plan, teams should conduct annual simulation exercises involving the breach response team, which will both test the efficacy of the organization’s response and help the team prepare for an actual incident, as well as identifying areas in need of updates based on the evolving threat landscape.

Leverage Technology

Many international data regulations impose stringent notification requirements on organizations, which include obligations to report personal data breaches to data protection authorities and impacted individuals within strict time limits. However, reporting a data breach may not be required in all instances, and in most cases, will only be required when there is a risk of harm to individuals as a result of the breach. Discerning what data may have been exfiltrated in a breach in order to make an accurate assessment of the risk of harm to individuals is perhaps the most complex element of responding to a data breach. When large volumes of data are involved, and without the use of carefully configured technology, it can present a significant cost and headache for legal teams.

While no two breaches are the same, technology can enable businesses to quickly collect, transfer and analyze large volumes of data that human reviewers would struggle to complete within the same stringent timelines and to the same standards of accuracy. Technology can also help counter traditional human challenges by enabling quick and accurate review of an array of emerging data sources and documents in multiple languages.

Careful configuration of machine learning and artificial intelligence tools can support automated analysis of large quantities of data. This can provide businesses with critical insights to identify what data has been exfiltrated, the jurisdictions in which the breach has taken place and the individuals who may need to be notified of the incident.

Technology can enable organizations to quickly make sense of a breach and provide legal teams with fast and accurate insights to inform their legal and notification strategy. This critical intelligence can be the difference in meeting regulatory notification requirements under strict timelines and upholding trust or becoming the next target of severe public scrutiny.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.