In today’s digital age, cyber incidents represent a formidable risk and challenge for organisations. The occurrence of data breaches has become increasingly common, with potentially severe operational, commercial, and reputational repercussions, as well as costly flow-on legal risks which can last years after an incident. Navigating the complexities of investigations in a cyber context demands a thorough and well-coordinated approach.
This article delves into strategies and best practices for dealing with the unique and multifaceted challenges of conducting data breach investigations.
- Data review approach – compromised data sets are often required to be interrogated and reviewed for the purpose of an eligible data breach assessment under the Privacy Act – which may trigger reporting obligations to affected individuals and the Information Commissioner. Before commencing any review, work with your legal advisers to establish a clear and documented review strategy that is robust and proportionate to the data breach under investigation.
- Nature and volume of data – a cyber incident can impact a significant volume of your organisation’s data and may compromise hundreds of thousands or even millions of confidential and sensitive documents. Threat actors often target data that contains personal information (such as passports, drivers’ licences, and other identifying information), and commercially and competitively sensitive and/or valuable information. The composition of the compromised data set is also relevant. Structured data (eg spreadsheets) and unstructured data (eg emails and loose files) require differing approaches to review and interrogation.
- Review in practice – undertaking a data review to ascertain the risk of harm to affected individuals can be laborious and time consuming, particularly given the features of the datasets outlined above. Technology can support and expedite the review of compromised datasets to aid in the identification of personal information. The technology is improving and evolving rapidly, but it is not fail-safe or automatic. It is important to have access to the right expertise to ensure these tools are being deployed in an appropriate way that aligns to your review strategy.
- Communications with the regulator and impacted individuals – organisations have a legal obligation to provide a statement to the regulator, and affected individuals, as soon as practicable after becoming aware that there are reasonable grounds to believe that an eligible data breach has occurred. Maintaining accurate and regular communication with the regulator is essential, as is considering how and what information is disclosed to impacted individuals. This can be complicated where there are multiple parties involved in a breach. This links back to having a robust review strategy and ensuring you are receiving regular updates about progress and likely numbers of impacted individuals.
It can be useful to settle any template notification letter for impacted consumers prior to starting the data review and front loading the collation of the contact details of the impacted individuals. Be ready to issue notifications in tranches to nimbly pivot the approach depending upon the actions of the threat actor.
- Tail risk – throughout the data breach review process, it is important to bear in mind the follow-on legal risk, including regulator action and class action risk, whilst also being cognisant of the broader commercial and reputational impact, and to ensure your review strategy is formulated with these risks in mind.
What can you do to prepare?
Given these challenges with investigations following a data breach, preparedness is crucial. Companies are now attuned to the criticality of cyber resilience. Indeed, almost 80% of respondents to our Cyber Risk Survey 2024 believe that the cyber threat to their organisation has increased in the last 12 months. And yet our Survey, which looked at how legal leaders in Australia are grappling with cyber threats, revealed that many still have a way to go in terms of managing cyber risk.
We recommend:
- Understanding your data – minimise the ‘blast zone’ – getting a handle on data practices ahead of an incident is a critical piece of the cyber resilience puzzle. As the Information Commissioner Carly Kind shared with us recently in our Cross Examining Cyber podcast, excessive retention of personal information is an exacerbating factor when it comes to the potential harm flowing from a data extortion attack. This is contrasted with a sobering statistic from our Cyber Risk Survey 2024: 58% of respondents consider that it would take a cyber-attack to meaningfully improve their organisation’s focus on data risk management. Having a clear understanding of your organisation’s data footprint enables a quicker and more efficient response.
- Planning ahead – have an incident response plan so that you can respond efficiently and effectively under pressure during incident response and ensuing investigations, including having regard to the possible application of legal professional privilege. This includes having a separate, legal-specific incident response plan – addressing matters such as insurance, privilege, disclosure and regulatory obligations – which can be a highly effective tool for managing a company’s legal position during incident response. However, our Survey shows that fewer than 40% of respondents have such a plan.
We share some more relevant trends, together with some practical insights gained in our practice, in our Cyber Risk Survey 2024 report.
Legal Notice
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2025