Response Plans With Communications Tactics Gain Importance as Cyberattacks Increase

During an attack, a company's “data is exfiltrated and often" encrypted and locked, said cybersecurity and data privacy counsel Nicola Kerr-Shaw. As a result, not only has a bad actor "stolen [company] data and all the ramifications of that," the company can't access the data either.

“That can be, in itself, crippling,” because “all your customer files, your regulatory records [and] financial holdings” are exposed, for example. At that point, a company often says, "‘We [will] pay ... ransom to stop that data being made public and to regain access.'"

European counsel Joseph Kamyar said that “clearly understanding technical and operational items … [help] inform what the legal and regulatory risks are and actions that [should] flow from that.” Accordingly, fluency with these issues is important in crafting a strong response.

Kerr-Shaw said most data sets contain personal information, which, in the EU and UK, is covered under the General Data Protection Regulation. In the U.S., such data is protected as personally identifiable information (PII). Accordingly, a response plan should include tactics for formulating communications and notification strategies, she said.

Said Kamyar, “When you're dealing with an incident, presumably there's going to be a whole raft of stakeholders that will need to be informed.” Kamyar added, “That may be driven by a range of factors, whether that's the legal requirement for impact data subjects, contractual undertakings for vendors, regulatory obligations for consumers, or for wider [public relations] concerns.”

Because of the frequency of attacks, Kerr-Shaw said, “It is vital to have a [communications] playbook drafted in advance.” This includes ensuring a consistent message, processes for uploading staff and having an idea of what information should be kept confidential regarding a breach or attack, she said.