The first of three hypothetical scenarios examined by a board as part of the AICD’s Governance Summit this week was a malicious data breach.
The initial response to this ‘breach’ was not a smooth one.
In the first five minutes of the scenario, a crucial time, there was confusion about what to do and who was doing what. The CEO could have been in a much better position to assist the board if he and his executive team had worked through some disciplined breach preparation, including preparing a plan in advance of an actual breach.
If a plan had been prepared, the hypothetical CEO would have been able to say something along the lines of “we have a breach response plan, we know what we are doing, roles and responsibilities have been set, timings have been set, we have activated it.” And while all of this activity is going on, the board can focus on the high-level, public-facing crisis issues.
This scenario reminded me that while there was a rush of interest in preparing for data breach notification in February 2018 and again at the end of May when the GDPR was introduced, many businesses may not have revisited the issue, or their response readiness, since.
Dealing with a data breach takes some planning and, to reuse a tried but tested phrase, failing to plan is planning to fail.
In a crisis, you need to be able to simply execute and everyone needs to know their role and responsibility.
The time spent by an executive team, either running a scenario or simply going through the plan and allocating roles, is a few hours well spent and more than recoups itself in the event of a crisis.
Holding Redlich is well positioned to assist you in planning for a suspected data breach, assessing whether there is a risk of serious harm, and responding. Even if you haven’t planned in advance, we can help with responses and with assessing the options you need to take, having regard to legal requirements and the likely view of the court of public opinion. Reputation is a key issue in any breach assessment process.
Author: Lyn Nicholson
Lyn Nicholson, General Counsel