How Can Boards of Directors Communicate Rapidly After a Data Breach?

Boards of directors must ensure that notification is made after a cyber attack. Nearly all data protection regulation across the world calls for rapid notification of both the relevant authorities and the people and businesses affected by the breach, and heavy fines are imposed on organisations that fail to make such notification.

The UK is no exception. According to the Data Protection Act 2018 (which transposes the EU General Data Protection Regulation into British law):

  • “The law introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
  • You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
  • You must also keep a record of any personal data breaches, regardless of whether you are required to notify.”

Notification must be made to the Information Commissioner’s Office.

Directors should be aware that they could face criminal charges if the proper steps are not taken to report breached data to its owners in time. There would also be substantial financial consequences, as the company would have to reimburse anyone whose data was used to gain access to bank accounts, brokerage accounts and the like.

The global average cost of a data breach is up 6.4 per cent over the previous year, to US$3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 per cent year over year, to US$148, according to the 2018 IBM-Ponemon Institute study.


Boards must establish plans for data breaches

The assured way of controlling risk in a data breach is to have a response plan in place.

“A data breach response plan provides a roadmap to follow when a breach is discovered. It is a time-saving and stress reduction tool. Once your plan is in place, you won’t have to waste time and energy deciding what to do each time a breach occurs. You simply follow the steps that you have established in advance. A well-thought-out response plan can help you avoid missteps you are likely to make when acting in crisis mode,” writes security expert Marianne Bonner.

The first step is to establish where the risks lie and how to protect against threats. To do this, cybersecurity experts should review every aspect of your IT systems, locating vulnerabilities and putting the necessary protection in place. The “WannaCry” ransomware attack was so successful only because organisations had not plugged a vulnerability in Windows for which Microsoft had provided a patch months earlier. Boards should take steps to ensure that all possible protection is in place and that all necessary updates have been installed.

Another important step is to educate the entire workforce on the importance of cybersecurity. The vast majority of breaches occur because of human error within the organisation that has been attacked.

Next, IT security must regularly update system protections as threats evolve. Hacker activity is unending, and criminals refine their tools to make cyber attacks ever more dangerous. Upgrades that protect against these threats must always be applied in a timely manner.

Finally, there must be a thorough inventory of all data that the company holds, with personal data stored according to the regulatory conditions. By having all data carefully tracked, your IT staff will be able to make the necessary notifications to the people and businesses involved.


Cyber attacks: when a data breach occurs

Of course, a data breach may occur despite all of these precautions. In fact, the chances are still good that one will take place – it is impossible to anticipate every kind of threat.

To be effective, a data breach response plan should include the following:

  • A definition of breach
  • A list of response team members
  • The action steps for handling the breach
  • A follow-up procedure

When a breach happens, the data breach plan should require immediate notification of the chairman of the board, the general counsel and the CEO. At the same time, the IT staff should be prepared to hunt out the breach, stop it and determine the extent of the damage incurred.

Management should take steps to notify all business partners who may be affected by the breach. Reaching supply chain partners in time may save them from damage and cut costs to the business itself.

At the board level, the general counsel should work with the board members and management to determine what laws or regulations are applicable. The board should determine how to frame communication to the press about the breach.

When the extent of the breach has been determined, management should immediately notify the Information Commissioner’s Office (there is a hotline in place for this purpose), and a designated team member should manage the process of notifying any people affected.

During a crisis of this kind, the need for secure communication among board members and management, as well as access to relevant materials, is critical. A high-quality board portal provides the secure channels of communication and library of information that is needed.

Diligent Governance Cloud: A reliable tool for achieving compliance

The Governance Cloud, the only integrated enterprise governance management solution that enables organisations to achieve best-in-class governance, is an ecosystem of software tools that digitises the various activities and tasks for the board of directors. As organisations grow more complex and regulations more stringent, the scope of governance responsibilities evolves. The Governance Cloud allows boards of directors to meet the demands in the boardroom and beyond with the ability to select the products they need that help them perform their best and work within their allotted budgets.

Governance leaders, executives and board directors rely on the industry-leading Diligent platform for the most secure and intuitive solution to board material management and collaboration. Diligent Boards™ board management software stores a board’s agendas, documents, annotations and discussions within a secure board portal. Company Secretaries and board chairs can use the portal to put together board books in minutes. The portal also has designated virtual rooms for committee work. Company Secretaries can designate permissions for users to access various areas of the portal in order to avoid unnecessary problems with confidentiality. The “Manage Meetings” feature consolidates board directors’ contacts and calendars, as well as meeting logistics. The program is a secure and intuitive solution for managing board materials and collaboration. Diligent’s Secure Messaging Tool, which is quick to install and easy to learn, lets boards avoid insecure communication tools such as email and so mitigate the risk of breaches, leaks and misdirected messages.
