Anatomy of a data breach
What really happens in a global cyber crisis?
Usually, the best response in a global crisis is to work with a single firm that can coordinate your strategic responses, manage the flow of information and mitigate cross-jurisdictional risk. You will need advisers with a combination of data privacy, data security, investigations and litigation expertise in all the relevant jurisdictions, and who have deep relationships with specialists at local firms outside their own network. You will also need lawyers who know how to work effectively with cyber forensic experts and other industry professionals.
There have been only a handful of global data crises since the advent of GDPR, but we have advised on some of the biggest and most complex (including for Marriott, whose Starwood database security incident involved significant international regulatory engagement). Our on-the-ground experience is second to none.
This track record gives us unique insight into how data protection authorities and other regulators think - what they look for in their investigations, how they set fines and what remediation measures they expect. We know how to respond in a way that manages our clients’ exposure, positions them to defend follow-on litigation and ensures that they can quickly rebuild consumer and stakeholder trust.
Our team tracks data privacy developments globally, including the strength of different authorities’ statutory powers, their likelihood of taking action and the associated class action risk. This means that when you suffer a global data breach, we can immediately pinpoint where you need to focus your energy, enabling you to reach a resolution in the most time- and cost-efficient way.
Prepare your business with our checklist to assess your organisations risk of a cyber and data breach.
Advising an international travel operator following the loss of customer and business data
International investment fund on a cyber-attack, including working with criminal, data protection and industry regulators in the UK and germany
Advising Marriott, the US hotel chain, on the global coordination of its response to its Starwood database security incident.
We helped a global manufacturer respond after information was published online that would have enabled hackers to take control of its products remotely. Our advice covered the company’s disclosure obligations under the EU’s General Data Protection Regulation, product recalls and the documentation and implementation of technical solutions. We also managed the company’s relationships with its suppliers, helping ensure any new parts and software fixes were themselves GDPR compliant.
We advised a major financial institution on the design and implementation of a global data breach response strategy. The system helps the business respond appropriately to all types of data breach across more than 100 subsidiaries in 60 jurisdictions. It ensures the right stakeholders are notified and that the company takes a proportionate approach to disclosure that prioritises the key regulatory authorities around the world.
We helped a global consumer company manage a series of data breaches including a largescale phishing attack. We helped to quickly isolate the affected email accounts and understand what data had been lost. We managed the company’s regulatory notifications around the world, handled customer complaints and helped mitigate the risk of fines and litigation. We also designed and implemented additional security measures to help closed the gaps in its coverage.
We advised the developer of a health-monitoring app after it discovered a technical flaw that put the sensitive data of its users – including children – at risk. The issue required notifications to regulators in more than 50 jurisdictions as well as the affected individuals. The thoroughness of our investigation – and the strength of the technical and operational fixes put in place – reassured all stakeholders to the point where no investigations or litigation materialised. The documentation we developed to prepare the business for GDPR proved pivotal in minimising its liabilities.
When a manufacturing company was paralysed by a cyber attack, we helped bring it back online. Our teams managed engagement with law enforcement and privacy regulators across the world and launched an investigation to discover the source of the problem. We handled lawsuits filed by suppliers and customers, designed a new security framework and mapped potential vulnerabilities across the company’s supply chain. As well as our legal work, the collaboration platform we implemented while the company’s systems were down has proved avital communications channel that helped reconnect the business.