Cyber Risks and Insurance: the Legal Principles by QC Dean Armstrong; Steward Thomas; Thakerar Shyam

Author:QC, Dean Armstrong; Steward, Thomas; Thakerar, Shyam
Language: eng
Format: epub
Publisher: Bloomsbury Publishing Plc
Published: 2021-07-02T00:00:00+00:00

Stage 2 – the immediate aftermath

6.19 The immediate aftermath of an attack will usually involve some form of further damage limitation, but it is also a crucial period for taking steps to start gathering evidence and information as to the perpetrators behind the attack.

6.20 That will often be time-sensitive: where, for example, an attacker has perpetrated an invoice fraud and persuaded the victim to transfer funds to a fraudulent account (as in the second scenario above), the pattern of such frauds shows that almost invariably the attackers will spend the next few days, if not longer, dissipating the funds into an increasingly large number of further accounts, in order.

6.21 In such cases, it is often crucial to obtain information as rapidly as possible to try to identify where the stolen funds have gone if there is to be any chance of recovery. Even where it is not possible to trap the funds or even prevent the funds from leaving the victim’s bank account by means of injunctive relief, it is still often possible to obtain information as to where the funds have been dissipated, by means of so-called Norwich Pharmacal relief (see paras 9.32–9.39, below), so that steps can then be taken to try and prevent further dissipation.

6.22 With cyber-attacks, it is sometimes (although increasingly rarely) possible to identify the attacker from information such as the IP address or other technological means of detection. If, however, the attacker wants ransom paid to a particular bank account (as in the first scenario above), it may be possible to find out the identity of the attackers themselves, or at the very least, the location of any ransom funds paid, by relying on the court’s Norwich Pharmacal jurisdiction to identify the account and, thereby, the signatories to that account.

6.23 If the attack involves a data breach (as in the third scenario above), once the scale of the attack has been established and immediate steps have been taken to stop it, and even while such steps are still ongoing, the breach should be reported to the relevant Data Protection Officer in the company, and a breach assessment should be carried out assessing the potential harms to the rights and freedoms of the data subjects affected by the breach.

6.24 It is important to keep in mind that the breach should then be reported to the Information Commissioner within 72 hours, even if not all of the details of the attack are known by that time.

6.25 Further information can be found online at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.