Joe Hancock, Partner
MDR Cyber
Hello everyone, I’m Joe Hancock, I’m a non-lawyer Partner here at Mishcon de Reya, I run the Cyber Security practice. Welcome to our latest Dispute Nightmare scenario where we provide practical tips on our real experiences across the disputes practice. If you have any questions, if you could pop them into the Q&A function and we’ll try to get some of those answered by the panel as we go through. If you have any technical issues, if you pop that into the chat box or potentially if you try logging out and rejoining or sometimes joining audio only helps. And there will be a recording of a session for everybody who signed up, whether they were here or not. So, just to introduce the scenario. What would you do if your data was leaked on the dark web? This is unfortunately commonplace for many people now, you see reports in the media and also on leak sites themselves. It’s the idea where the first thing you find out is maybe a tweet, maybe some social media posts from an attacker, maybe somebody calling you and saying hey, we’ve seen this online and some data has been taken from your organisation posted out there. What do you do about it next and that’s what we’re going to explore today.
I am joined by Emma and Nigel, who I’ll ask to do a quick introduction in a minute but as I said, I’m Joe Hancock, I’m a non-lawyer Partner here at Mishcon and I run the complex investigation cyber security practice. Emma and Nigel, if you’d like to say a little bit about yourselves. Perhaps, Emma first, then Nigel.
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
Thanks Joe. I’m Emma Woolcott, I’m a lawyer Partner at Mishcon de Reya, I Head the Reputation Protection and Crisis Management team. I’m a litigator, specialising in defamation, privacy, harassment and contentious data protection and I advise businesses and executives on ways to mitigate against and handle crisis situations.
Joe Hancock, Partner
MDR Cyber
Thanks Emma. Nigel?
Nigel Pask
Chief Information Security Officer, SCC
Hi everybody, I’m Nigel Pask. I work for Specialist Computer Centres. I am the CISO for the EMIR region, so I take care of all of our security privacy, ethics, ESG and data for our European entities.
Joe Hancock, Partner
MDR Cyber
Thank you, Nigel. And so what we’re going to do today is, we’re going to walk through the first 24 hours, talk through then the next three to five days, what happens afterwards and then talk kind of longer term and try to really bring the scenario to life and also share some of our experiences. When you get these initial notifications, when something like this happens, it’s a kind of confused time, there’s often lack of information, there’s a lot of ambiguity, you’re not really sure what’s happened, you don’t know whether it’s kind of real or not and what we’re going to do here with this scenario is really focus on the more strategic and business level impact of all these scenarios. We’re going to take it as read that the technical investigation is occurring and what that entails, we won’t dive too much into who did this or how did they do it and those kind of things, focus this at the high level issues. And these are cases that we deal with all the time, it’s not unusual for us to get a notification from a client saying hey, this has happened, here’s a link to as I said, a social media post or some reporting that says here’s the data and now what do I do about it. So why don’t we start from there really. Perhaps if I come to Nigel first as you’re, you’re largest on my screen at the moment. In the first 24 hours, what are your immediate concerns with this kind of issue?
Nigel Pask
Chief Information Security Officer, SCC
Not to panic and to kind of fight your instincts and remember you’ve got to do a couple of things. For me, it’s about doing, it’s about doing two things at once, whilst fighting all of your instincts and your urges to rush at making a decision so, you have to, to your point Joe, first of all, you have to work out whether this is real and it’s actually happening, the technical side of things, and then you’ve got to manage the stakeholder comms and that’s the bit that takes real challenge, they’re the ones that often have got the business lens and are poking you for updates and want action now and you’re the one that’s trying to get to the root cause and understand what’s happened and not set the hounds running.
Joe Hancock, Partner
MDR Cyber
How about you Emma, any thoughts on the first 24 hours and your kind of immediate concerns?
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
Yeah, I think just to echo what Nigel says. I think it’s really important to try and avoid being rushed into making avoidable mistakes. You’ve always got more time in these situations than you think you have and it’s so I think important immediately to get the team together to make sure that everyone is clear what their responsibility is, when they’re reporting back, what they need in order to do their bit and I think that, you know, it’s quite tempting to, people to run around like headless chickens but actually, and ask for constant streams of information and investigators can’t investigate if they’re spending their whole life telling lawyers what’s going on and where they’re up to. I think that we, we’re often called in in these situations and we’ve seen leaderships, leadership teams respond really well and we’ve seen leadership teams react badly and I think one of the things that I’ve seen that worked very well is… teams that have practiced making tricky decisions, teams that have got a procedure or a protocol for how they’re going to weigh up different information and I’ve seen certain, quite a few examples of where if the most powerful person speaks first, everyone tends to agree and I think that in these sorts of situations where there’s lots of different information coming in and there may be legal advice and there may be, you know, advice around how long it will take to get to substantive answers and you’ve got pressure from comms to respond and engage, I think it’s important to kind of have a process by which you’re going to try to make decisions, so it might be that you all, you set out the information and then everyone gets to express a view before a decision is reached but I think it’s just kind of clear to try, I think it’s helpful to try and take a step back and regain and maintain a sense of perspective.
Joe Hancock, Partner
MDR Cyber
I think that’s all very good advice. I mean, one of the, talking about the pressure, one of the elements of pressure we often see in the incidents that we deal with is that some of that pressure is created by an external party, you know, whether that’s a ransomware group sticking a big countdown on their website saying, you know, we’re going to release the information in X hours and minutes, it’s, you know, if they are looking for a payment or some kind of action, sending kind of constant emails in themselves and creating that external kind of pressure, which is, you know as you said, alongside all the internal pressure that kind of comes to bear and it’s a, it can be hard to imagine what it’s actually like being stuck in the middle of that kind of slight pressure cooker. Lucky for, you know, those who have not been through one, how does it kind of feel to deal with this? Maybe we could go Emma then Nigel. Tell us what it's like. What are the emotions?
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
Oh, absolutely horrible. It’s very pressured and I think people can, I think human is to try and understand what happened and to try and constantly try and correct things in real time. I think there’s always enough time to kind of focus on the what ifs and at this, and I think actually just trying to focus on getting the job done and being kind to people because these situations tend to feel like they’re a marathon, they’re a sprint but actually they turn into a marathon and they can take a while to get to a resolution and I think, it’s just, it’s a horrible situation and just focussing on the immediate, urgent things first and trying to keep, be organised and practical and pragmatic and kind and this is kind of the only way to get through them.
Joe Hancock, Partner
MDR Cyber
Nigel, any thoughts?
Nigel Pask
Chief Information Security Officer, SCC
Yeah, having been on the unfortunate end of having to deal with one of these in real time, it’s, it is fraught and that’s, that’s kind of why I made the point earlier about fighting your instincts because there’s that constant feeling and your point, Joe, is great around that creation of urgency, call to action, constant, you know, you’re on a count and you might be worried about reporting to the ICO or there’s that constant external pressure and countdown. That mixed with your own stakeholders, who are constantly asking you for look, why has this happened, you know, it happened 6 hours ago, surely we know by now what’s happened and as we all know, it’s never that easy to work out if it’s real, how it happened etc, etc. You’ve got to remember to pace yourself, you’ve got to remember to look after the team and you’ve got to remember to control the comms.
Joe Hancock, Partner
MDR Cyber
And I think that kind of leads us nicely into that kind of the next kind of three days. One of the issues I deal with time and time and time again is the we have 72 hours to notify the Information Commissioner, we need to tell somebody about that and our stellar data team made an FOI request of the ICO recently to get some data around how many times that kind of 72 hour reporting deadline has been enforced and how many times people either report within it or out of it and they found that kind of roughly 50% of people report outside 72 hours and the ICO has never really taken that as something to pull somebody up on and I think that is an example there of pressure that was, it’s kind of self-created, whether by ourselves, as individuals, we see the 72 hours, it’s this big countdown clock in the background and also, I think the cyber security industry probably is to blame a little bit for that as well, 72 hours became a way to sell instant response service and it’s created all this kind of pressure. But in that kind of next three days, what tends to happen next? What comes after the first 24 hours or…
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
Can I just jump in on the 72 hours.
Joe Hancock, Partner
MDR Cyber
Of course.
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
Thank you. Of course, you don’t want to be complacent, there are huge fines for not reporting on time but the 72 hours runs from when you think there’s a duty to report and you are entitled to investigate whether there’s actually been access or disclosure which is likely to result in serious harm to data subjects. So, it doesn’t start running from the time you first find out this thing’s online, it starts running when you realise that there’s an issue and so there isn’t, I think it’s one of those things that drives the pressure and it doesn’t seem that the ICO are that bothered if you’re a day late or two days late, I think it’s much more important to try and control the flow of information, you know, not create expectations of constant updates and limitless information but I also think it’s really important and Nigel was talking about stakeholders putting pressure and asking for updates to be the person that engages so, to give, to engage with the media or employees or any stakeholder proactively but not prematurely.
So, you’re making sure that the people that matter to you hear from you but that you’re not over-informing, that you’re not raising their expectations they’re going to get a running commentary, that you’re giving people comfort and assurance that they’re on your mind but that you’re dealing with something and you’ll report back when you’ve got something substantive to say and I think being proactive about the flow of information and being boundaried about what you can and can’t tell them, is actually really important and I think that the preparation always helps with that but there has to be quite a certain amount of confidence in delivering messaging to the different audiences, which kind of comes with practice and sophistication but it’s something that some businesses find very difficult, they want to respond to enquiries, they want to tell investors or they want to tell anyone who asks about it and I think sometimes the thinking things through in advance, one of the things that’s most helpful is kind of thinking through what, who can we, who can we respond to in certain ways and what will, what are we comfortable providing and then biting our lip.
Joe Hancock, Partner
MDR Cyber
I think you raised an interesting point there which is the you know, I must in every incident, I think I have, two things have happened, one is you end up having the do you want me to do some work or to update you conversation and then secondly, there’s normally a fraught conversation either among the response team or those involved because, you know, emotions run high.
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
I think I’ve had the conversation, can everyone leave Joe alone please.
Joe Hancock, Partner
MDR Cyber
Yes. We’ve definitely had that one.
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
It’s really important that we have some answers because we can’t communicate back working on it. So I think I’ve, I think I’ve protected you in the past.
Joe Hancock, Partner
MDR Cyber
You have and I am ever grateful. And on that kind of point around the emotions are running high, Nigel, how does the kind of stress and strain of this, of what is a pressured situation affect responders or those that are involved?
Nigel Pask
Chief Information Security Officer, SCC
That kind of depends very much to Emma’s point on how prepared they are. So, if this is something you haven’t planned for, you don’t have run books for, you haven’t got a clue what kind of attack it is or what the authorisation chain is or which of the people in the information flow need to be activated or who is going to control PR, it can be a nightmare. So, actually, if you’ve got some tried and tested run books, you’ve been through, I think Emma mentioned it earlier on, you’ve been through pressured decision-making, so those people who are going to be asked to make decisions under pressure so they don’t do it in a snap, you know, based on an emotional gut call. If you’ve got the prep in place, it does remove a large amount of emotional panic which drives the wrong behaviours in that situation so, I’d say, just, just be really, really prepared, don’t be afraid to practice, don’t be afraid to practice real, scary world scenarios.
Joe Hancock, Partner
MDR Cyber
No, I think that’s great and if you look at another point of life, you’d never ask anyone to run a marathon without doing any training beforehand but sometimes we think that people can deal with a crisis for the first time because they just should be able to. And moving to slightly the longer term, why don’t we tackle the kind of obvious elephant in the room here, which is often the reason your data has been leaked online is because someone is going to extort you and they expect you to pay something and so, should we pay, should we not pay? Any kind of thoughts? I don’t know who wants to take that one first? The loaded question.
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
I always say that’s a business decision. I hate the idea of negotiating with terrorists or creating a currency in extortion, I always say that’s a business decision but I always make sure that decisions are based on knowledge and so, I push back to the technical team, who are these people? Can they be trusted? Are they bad crooks or good crooks? Like what, so, it’s a business decision. I think Nigel probably comes up against this slightly more often than I do.
Nigel Pask
Chief Information Security Officer, SCC
Well, I think you’ve got to, you’ve got to be pragmatic because there’s a real danger, so there’s always a, there’s always an overt channel that that these threat actors act through but there’s always a covert channel as well and so there’s always a danger if you don’t enter into dialogue with them on both channels, it can be seen as resistance so, you’re absolutely right, Emma, in terms of, you know, we shouldn’t be paying ransoms, it endorses terrorism etc, etc but there is the part of the process of walking through that with them to understand what it might mean. I don’t have anything to do with the undercurrent process which happened in the background, I think it’s good that I’m kind of kept clear of that but I do know that it goes on and I think it’s best to keep all channels with threat actors open until you’ve kind of been able to resolve what you’re going to do but ultimately, your call on it being a business decision, absolutely every single time.
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
It’s also a business decision that needs to be handled with the right advice and make sure, and you know the right sort of procedures in place that the advice is privileged.
Joe Hancock, Partner
MDR Cyber
And we’ve had a question around privilege which I might come onto in a minute. But Nigel, just one, just for you Emma…
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
Excellent.
Joe Hancock, Partner
MDR Cyber
Nigel, you mentioned kind of undercurrents there and there being kind of two levels of comms and this is something we’ve talked about before. Can you perhaps give me a bit more detail on that, how you see that kind of playing out, you know, even internally with an incident.
Nigel Pask
Chief Information Security Officer, SCC
Well, it’s always really interesting because you know, the, the, the reason a threat actor has taken action against you is ultimately for, in most cases, for financial gain, right. So, it’s not like there’s going to be some TV-esque brown paper bag filled with cash dropped at the corner of such and such a street, right, it’s all cryptocurrency, all that kind of stuff goes on in the background. So, there’s quite a lot of threat intelligence that goes on in the deep web and the dark web that kind of, you know, principally I don’t want to get involved within my role out in the surface when I’m trying to deal with the forensics of an incident. So, actually knowing the, I’ve got people I can call on who can handle that, you know, that back channel conversation that needs to happen for fear of the threat actors feeling like they’ve been ignored and not engaged with. It’s quite an interesting duality of my role in that I kind of, I’m aware the process goes on but I kind of don’t, almost deliberately don’t need visibility of it in order to protect the sanctity of any decisions I have to make.
Joe Hancock, Partner
MDR Cyber
Nigel, that’s a really interesting perspective because often that kind of, the undercurrent and the kind of, you know, the official communication versus the unofficial is never really explored so, thank you for that Nigel. Just moving kind of onto, to wrap up a little bit, I want to try and take a question if we’ve got time. So, if I could ask both of you just for two practical pieces of advice based on your kind of experiences, what would those be? Emma, shall we start with you and then come to Nigel.
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
I think communication is key in these sorts of situations. Communication internally as to the progress and investigation, the information that’s coming to light and how that affects the risk profile of any litigation or the response to the crisis but also the communication externally and I think fatigue can set in over time and people can get confused and/or they can feel the need to respond to different audiences in different ways and I think really importantly with communication internally and externally, is to make sure that there’s consistency and control. And I’m a big fan of a tracker, I love a kind of central document that has a log of what information, what requests have come in, what information has gone out because you can build on messaging, make sure that it’s consistent, you’re not creating any hostages to fortune. It also prevents there being, you know, errors when there’s handovers or miscommunications so I think a practical thing is, one of the first things you do is dedicate someone in the team who may be on a shift pattern or whatever as the kind of repository of information, they need to be part of the investigation team because they need to be part of the kind of privilege community but they also need to be in charge of, it doesn’t have to be the same person but you have to, but you have to appoint someone else to be in charge of the kind of comms tracker so that the, if you’ve agreed messaging that will be the kind of this is what we understand or whatever, that it’s deployed in a consistent way and that you keep track of that. My other practical thing is snacks, people get tired, grumpy, hangry, I think we often think if I just get over this hurdle, it will be solved or in a better position and you, you know, you have to kind of stop and sharpen the pencil before you carry on, I think snacks are really important, look after the team, it’s a kind of wellbeing thing. 
People start, we’ve had simulations and where the quality of the decision-making and temperament goes off a cliff when everyone gets hungry so, take breaks, go for a walk, get oxygen, have snacks. I’m not sure that’s what you were looking for.
Joe Hancock, Partner
MDR Cyber
No. I think it is exactly what I’m looking for. I’ve seen too many, too many incident response plans place far too much reliance on a team that has infinite energy is completely infallible, you know it’s all completely fine and you know, if you had a bunch of robots delivering the plan then yes, everything would be fine but humans are fragile and so they get hungry and they get tired and I think it’s something that yeah, we absolutely need to recognise. Nigel, what would your advice be?
Nigel Pask
Chief Information Security Officer, SCC
It takes time to, it’s kind of the same and it’s kind of related so, recognise your inner battle, this is not a sprint, this is not going to get solved in the first 4 hours, 8 hours, 24 hours, this is going to go, right, it can roll and roll and roll and you need to be ready for that so, take into account everything we’ve all said, you need to have your best players on the pitch, fit and healthy, ready to play the best game at the time and then you need to have the, they don’t call them substitutes anymore do they, they call them, they call them finishers don’t they in rugby, you have to have the finishers ready to come on who are equally as good, so that whole rest, recuperation, you know the protection of the team is critical because they’re the ones that are doing quite stressful, high pressure work and it does absolutely drain people much quicker than a BAU task that they’d be doing on any normal day.
Joe Hancock, Partner
MDR Cyber
Yeah, no, I totally agree, I always joke, you know, the first thing you should do is send half the team home as they are, they are tomorrow’s team, you know, all that advice I think is really good and in every serious incident I’ve dealt with, you know, we’ve seen exactly those kind of problems where, you know, decision, quality of decision-making over time against hunger, definitely kind of goes down and you don’t want people making kind of kneejerk, hungry, angry decisions in these kind of scenarios. I’m just going to pick a single question, we’ve had a bunch of questions through, some of them are quite specific and so, I plan to follow up with those in writing afterwards and we’ve got one here, it is from an anonymous attendee so I can’t name you and this is to Emma’s point, “What’s a good crook compared to a bad crook and how would you find out?”. This would be a good question for us to finish on.
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
Oh. I would ask you. I have no idea. Again, that’s a business decision. I was going to ask the question on privilege.
Joe Hancock, Partner
MDR Cyber
Okay. Let me come onto that one then. And this, “Can you explain any privilege considerations organisations should have in mind from the outset?” And again from an anonymous attendee so unfortunately, I can’t name you.
Emma Woolcott, Partner
Head of Reputation Protection and Crisis Management
I think it’s very, it’s very important from a business’s perspective to be able to control the flow of information so, setting up early an investigation team that contains a lawyer, internal or external, this is the investigation team, this the kind of circle of trust, this is the information that… and privilege attracts to and protects legal advice either in contemplation of litigation, so it may be litigation against the attacker or just generally so, having a lawyer engaged to advise the investigation team on its process and the outflow is really important because it means that you then are deciding what you can communicate afterwards and if you do end up in litigation, it’s not all disclosable, you need to be able to make sound decisions but also be able to do that in the safety of knowing that it’s protected by privilege.
Joe Hancock, Partner
MDR Cyber
Great. Nigel, any thoughts around that protecting the confidentiality and protection of those kind of things, quickly?
Nigel Pask
Chief Information Security Officer, SCC
I couldn’t sum it up any more succinctly than Emma has done. It’s absolutely key to protecting some of those quite detailed and specific internal narratives, discussions, agreement processes that go on in full cognisance to Emma’s point that litigation could ensue so, you don’t want all of your, you know, you don’t want all of that being aired so, fortunately, we have, we have such a thing that we can call on, thank heavens.
Joe Hancock, Partner
MDR Cyber
Thanks, Nigel. Well that is, as this is a Flash Webinar, we only have 25 minutes so, unfortunately, coming to a close. These kind of incidents in our experience are always rapid moving, there’s always ambiguity, they’re always high pressure and again, you want to have planned for them and practical experience really helps and again, I think one of the, my only takeaway would be and Nigel made the point really early on, work out whether it’s a hoax or not, we’ve seen too many times THE big incident get declared over which is the fact that someone’s just gone and said something on social media, compared to actually having data and having leaked it but also, I’ve seen the opposite, where people under react but ultimately, you need the right people in the room to help and you know, this to me is again you’re creating that kind of safe environment for them as well, is really, really key.
Thank you very much Nigel and Emma for being with us today, really great to hear your perspectives and lovely to chat to you as always. Thank you everyone for coming along and listening. For the other questions that were asked, we will follow up with those and answer them in email where we can. Where they were asked anonymously, we might just do a little Q&A and pop that out to everyone as I think the questions were all relevant to everyone and there will be a recording sent out to anyone who signed up and everyone’s contact details. If you want to get in touch, all of us very happy to chat about these things. Thank you very much, I hope you have a great rest of the day.