Mon, Apr 11, 2016

Cyber breach in Asia? Don’t respond like you’re in the United States

SQL injection attacks, hijacked e-commerce applications, social engineering attempts, or man-in-the-middle attacks: the tactics employed by malicious hackers are similar the world over and certainly do not change because of where victim companies may be located. However, for many U.S.-based multinationals the instinct to run all breach investigations from headquarters in the same uniform manner, regardless of where the attack takes place, can be a big mistake. This is especially true for Asia.

Asia has a regulatory environment quite unlike the one companies have come to prepare for in the United States. For example, companies dealing with a breach in the United States will need to notify all affected parties in strictly prescribed ways. They will usually conduct investigations under attorney-client privilege because they anticipate interest from regulators and civil lawsuits. Additionally, notification requirements all but guarantee that the media will hear about the breach, leading to significant public relations headaches as well as potential damage to the brand.

In contrast, the cyber breach environment in Asia varies from jurisdiction to jurisdiction and typically lacks any public notification requirements; the applicable regulatory framework depends on where the breach took place and the nature of the data affected. Where a regulatory regime is in place, the relationship with regulators is typically less adversarial, as the regulator encourages early reporting. Substantive reports to regulators are beneficial in that the company is seen as more competent and as acting in good faith to prevent future recurrences. Finally, the comparative lack of class action litigation in Asia means that civil litigation is rarely pursued by individual litigants, as the losses are too small and the cost of litigation, in relative terms, too high.

The lack of public notice in many jurisdictions in Asia means that many breaches go unnoticed by the media. The infrequency of media attention, however, is a double-edged sword. On the one hand, if a company investigates quickly and effectively, the breach may stay under the media’s radar. On the other hand, if the breach is picked up by the media, the damage is more intense because news of breaches in Asia is rare. In the United States, such news has become quite frequent and a breached company joins a large club of breached peers.

How to Customize Data Breach Response for Asian Operations
Do not deal with the data breach in Asia as you would with one in the United States. You will waste time and resources preparing for issues that don’t exist in Asia. Instead the following steps are a better way to approach data breaches in this part of the world.

  • Thoroughly investigate to satisfy the regulators’ concerns by focusing on each country’s regulatory guidance. Integrate the investigation with a crisis response plan. You need to have a tailored approach for every jurisdiction in which you operate.
  • If required, notify the regulators as soon as possible, and provide regular substantive updates.
  • When conducting the investigation, be prepared to share information with the media. If news of the breach does leak, the company is then prepared to deal with the media.

Have a crisis communications specialist firm on retainer, so you can activate their services as soon as the issue occurs. Also ensure you have a crisis hotline with your professional advisers.

While data breaches can quickly launch companies into crisis mode, don’t forget that regulatory environments differ from country to country in Asia, so prepare accordingly for maximum success. The best way to ensure a successful result from a breach is to use investigative and legal resources that have global technical skills, but local knowledge and insight.

By Jonathan Fairtlough, Managing Director at Kroll, and Paul Haswell, Partner at Pinsent Masons
