How to respond to a data breach and come out unscathed

Paul Cahill discusses the lessons businesses can learn from Manchester United’s response to their own cyber attack, outlining best-practice tips for how to minimise the business and reputational fallout of such a breach

Customers of high-profile businesses should be able to trust that their personal information is kept safe, and that adequate data protection and security measures are in place – as well as a certain legal obligation to protect that information, and to update immediately if this should have been compromised in any way.  

However, Manchester United’s relative success is the exception which proves the rule: many businesses fall short of best practice in the aftermath of a cyber attack.

The Club has understandably not released much official information about the attack itself or the security measures that it has in place, but there have been reports of the type of steps taken and how those steps might have helped mitigate the risks.  

The Club’s apparent swift action is likely to have a net-positive impact on future brand reputation, with a key tenet of data protection being that companies regularly review and update their procedures in order to ensure that their systems, and the data they hold, are protected to the best of their ability at all times – which the Club did well.

Reports suggest that the Club worked with expert advisors and had rehearsed for the risk. They were able to identify the attack and shut down those systems that may have been vulnerable. Due to the processes that they had in place, it seems that the Club was able to take swift action that prevented the loss of data, thus removing themselves from the risk.

Steps businesses should take to minimise damage potential
We are informed that IT experts at the Club had prepared for this attack by segmenting their data. This meant that affected areas could be isolated in the event of an attack. It is likely that these steps, alongside other protective measures, were taken following the UK National Cyber Security Centre report was released in July, which highlighted the fact that cyber criminals were specifically targeting Sports Clubs. The preparations that the Club had made would have allowed them to react more quickly to the threat and reduce the extent to which data was exposed to the hacker.    

This is something that other businesses, big and small, should learn from.  

Taking swift action is key when dealing with a cyberattack. Locating what systems have been affected and shutting those systems down is the first port of call. A business must then identify what data has been compromised and contact any individual who has been affected by the breach. They should also consider whether the ICO should be informed.  

It is however fair to say that good preparation and awareness of the possible risks is what allows a business to respond quickly when it suffers this sort of attack, and businesses must be proactive when they consider cyber security and data protection.

What local authorities must learn from the Manchester United data breach
It is imperative for local authorities to implement suitable protocols and procedures that can be followed in the event of a cyber attack. It is also important that they understand the possible risks. This should allow local authorities to take the necessary steps to reduce the amount of data that can be stolen and inform any parties affected.  

1 - Understand the risks

2 - Plan suitable safety protocols  

3 - Isolate your data  

4 - Shut down the affected systems

5 - Contact individuals affected

Where businesses fall short of best practice in terms of data safety  
Quite often, data is breached due to human error. Businesses often do not have policies and procedures in place to prevent these types of mistakes. Simply double-checking email attachments or external mail would prevent many data breaches.  It is also important to conduct regular security health checks. Ensuring that security policies are up to date, new risks are assessed and security software is well managed will all help to protect against data leaks.  

It is also sensible to take precautions against reputational fallout following the data breach. The way that Manchester United handled the incident certainly appears to have saved them from reputational damage, and the same steps can be taken by other businesses who find themselves in the same position.  

If a local authority suffers a data breach then the best thing that they can do is be honest with any affected parties about what has occurred, and how they are dealing with things. Informing all parties affected promptly will allow them to take necessary steps to protect themselves (i.e. cancel any bank cards, check credit reports), but will also demonstrate that the organisation understands the seriousness of the issue.   

Businesses should ensure complete transparency when disclosing the details of the breach as that can help them to regain their customer’s trust. They should also be clear about what, if any, steps they have been able to take to minimise the effects of the breach.  

To summarise, forward-planning and risk assessment is key to a business being able to protect itself from a data leak. Whether that be through human error or through a sophisticated cyber-attack, having the relevant best practice in place and ensuring that data is segmented will surely help to minimise the impact. Following a data breach, transparency is key. Go above and beyond in communicating the necessary details with your affected customer base. This will help to protect the organisation’s reputation in the event of a leak, and will ensure that you come out the other side (relatively) unscathed.   

Paul Cahill is Data Breach Solicitor at Fletchers Data Claims.