Tim Norman
Tim Norman is the Channel Lead for Seal in EMEA, based in London. He is responsible for engaging with global SIs and consultancies to ensure that Seal customers have access to a wide range of solutions and delivery options, and has helped drive channel solutions around IFRS 16, Brexit and GDPR. In addition, Tim is responsible for our developing engagement in the legal sector in the UK, helping law firms position Seal for both internal and external/client-facing operations. Over the past twenty years, Tim has held various sales and sales leadership positions, and has helped develop and execute the channel strategy for a number of software companies including Acquia, Documentum, and SDL Tridion across EMEA.

Data Breach – it’s going to happen, and it’s how you react that says most about you

Tim Norman | Mar 24, 2016
To Benjamin Franklin’s list of the certainties of life can be added the fact that an organisation will face a data/system security breach at some point. There is a steady drum beat of stories in the press and in the news about companies being hacked and either losing, or perhaps not, the personal data of their customers and other corporate secrets.  You can be sure that for every instance we hear about, many more are either hushed up or perhaps never uncovered.
CIOs are clearly worried about data breach. According to an article on the InfoSecurity website, a new study of CIOs has exposed an alarming lack of confidence in systems designed to protect sensitive data when shared with third parties. In fact, of the CIOs surveyed, 87% admitted to being worried that their current information security policies and procedures are not only putting their company at risk, but also leave them exposed under new data breach regulations.
From the same survey, over three-quarters of CIOs (77%) said they are getting frustrated that despite technology – such as encryption – being available to enable secure ways of working, employees just aren’t using them. In fact, 87% of the respondents actually felt this technology, because of low adoption, made their companies more vulnerable.
So, if these guys are worried – this is for real.
It’s also worth a little note about the impact of data breach on an organization’s reputation. If it is perceived to be playing fast and loose with its customers’ data, the market will react very badly. We know that trusted brands are able to command a higher price for their goods and services and, increasingly, trust is not about the performance of the good or service purchased, but about how that brand treats any and all data shared as a prime asset.
I’ll let others focus on the technical aspect of protecting data - what this is about is how an organisation can ensure that when a breach happens, and it will, they are able not only to ensure that they did their best to protect the data, but that they are able to react in the most appropriate, effective, and now regulatory-compliant way.
Significant regulation for data breach
The EU General Data Protection Regulation (GDPR), which is expected to come into effect in mid-2018, is a significant piece of legislation, and contains a mandatory notification process of 72 hours for data breach incidents. Organisations need to not only be secure, but now must be able to react appropriately and expediently in the event of a breach. The penalties are significant for non-compliance, with a fine up to €20m or 4% of annual global turnover, whichever is higher.
What to say, to whom and when
Given the new regulation, it is imperative that an organisation has a clear understanding of where it stands contractually with regards to data breach notification – and it can be a complex matrix. Many commercial relationships have data breach content in them now, but it may be quite different, stated in unique language, and really hard to find.  This data includes:
  • What can it expect from its suppliers?
  • What protection must it afford its partners?
  • When and what must it tell its customers and what should it say?
  • How and when, and in what circumstances must regulators be informed?
  • And how does all this vary when a company works across multiple geographies, with multiple products and collects data at every touch point?
So, with the new regulation, organizations must know what data breach language is in place across business relationships, and find it quickly, because with the GDPR mandate, they now have just 72 hours to react and they may have 1,000s of relationships that would need attention.
The information needed for compliance is available, but it’s hidden in contracts. And it’s not just supply side, but sell side, not for sale, and partnership contracts. Spread across your organisation are the documents that prove you are protected (or not), and provide the information you need – within 72 hours - to give you the awareness of what you need to respond to and how. This information is what will let your CEO stand up at the press conference and speak with confidence. 
The question of course, is how to find it.
Contract Discovery and Analytics
By fortunate happenstance, a new strand of technology has emerged that will locate all of your contracts, extract the appropriate metadata and clause language and provide you with a platform for review and analytics. Once the heavy lifting is done, you can triage – drilling down to those contracts and relationships where you have most exposure – and from there, an organisation can decide on the appropriate remediation or repapering.
This capability means that organizations with this technology will always know what to do, and how to do it, in the event of a data breach. Without it, larger organizations can expect a massive 72-hour firestorm, and will likely not meet the GDPR deadline.
As an aside, knowing that you have a clause in your contract that covers security breach is not enough. The technology and regulation are changing so fast that what was “good language” in a contract five or even three years ago would be considered woefully inadequate protection now. It’s not good enough to know that you have a security breach clause; you have to know whether the clause offers you the appropriate protection.
Spend time where you can’t automate
As I said earlier, I’ll leave the technical aspects of protection to those who know better. However, if we divide the problem into contractual understanding and technical protection, then clearly anything that can reduce the burden and speed time to understanding, free up time for other issues that cannot as easily be automated, and above all reduce the risk to the organisation, must be a high priority.
PS: I managed to write this whole blog without using the word Cyber – but have to put it here for SEO – Cybersecurity, Cyberbreach, Cybernauts