How to handle a data hack
Cyber security and data privacy lawyer Stefano Debolini explains what you need to be aware of if it happens to you and how you can avoid it
When I think games and cyber security, my mind tends to wander back to time spent playing Uplink. Recently, however, a series of breaches suffered by major players in the games industry have underlined the need for publishers, developers and other participants in the ecosystem to make cyber security a priority.
The volume of personal and other data generated, shared and commercialised in the games industry has experienced staggering growth, and a proper discussion of how to navigate the regulatory landscape while making the most of that data is a topic for another day. Here I'll focus more on considerations relevant to data breach incident response and compliance.
Data protection regulation requires game developers and publishers to implement appropriate technical and organisational security measures to avoid unauthorised disclosure of gamers' data. If you suffer a breach, that may indicate that the steps you have taken to comply with data protection principles fall short. So, as a starting point, it is important to ensure that the security of your data (and that of your business partners, and users) is a core consideration across your business. What if you are still the victim of a cyberattack?
Attacks can unfold as quickly as a Zerg rush
It probably goes without saying, but as soon as a data breach is discovered, you need to jump on it. Typically (although not in every case) you will want to halt unauthorised access, take non-essential services offline, update credentials, limit access to those who need it, and capture data from connection logs and other sources of audit information, among other matters.
At the same time, it's important to preserve forensic evidence. Even a very short delay, or a careless reaction, can mean the loss of critical information. For example, if your servers are left running, they might automatically begin to optimise or reorganise the arrangement of data on disk, overwriting information which, although not visible to ordinary users, could have been recovered by specialist tools and shed light on how the attack took place.
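To make the evidence-preservation point concrete, the following Python script is an added example and not part of the article: it takes a copy of a set of log files before anything else touches them, records a SHA-256 hash, size and collection time for each copy in a manifest, marks the copies read-only, and provides a check that reports any preserved file that has since been altered. The file names, log lines and collector name are constructed for the example.

```python
"""Preserve a point-in-time copy of log files with integrity hashes.

Added example, not code from the original article. The log contents,
file names and collector name below are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(sources: list[str], evidence_dir: str, collector: str) -> dict:
    """Copy each source file into evidence_dir, verify the copy against the
    original by hash, make it read-only, and write a manifest recording who
    collected what and when. Returns the manifest that was written."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in sources:
        original_hash = sha256_file(src)
        dest = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dest)  # copy2 preserves the original timestamps
        copy_hash = sha256_file(dest)
        if copy_hash != original_hash:
            raise RuntimeError(f"copy of {src} does not match its source")
        os.chmod(dest, 0o444)  # read-only so later tooling cannot alter it
        entries.append({"source": src, "copy": dest, "sha256": copy_hash,
                        "size": os.path.getsize(dest)})
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": entries,
    }
    manifest_path = os.path.join(evidence_dir, "manifest.json")
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    os.chmod(manifest_path, 0o444)
    return manifest


def verify_evidence(evidence_dir: str) -> list[str]:
    """Re-hash every preserved file and return the paths of any that no
    longer match the manifest. An empty list means the evidence is intact."""
    with open(os.path.join(evidence_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    return [e["copy"] for e in manifest["files"]
            if sha256_file(e["copy"]) != e["sha256"]]


def demo() -> tuple[int, list[str]]:
    """Write two constructed sample logs to a temp dir, preserve them, then
    alter one preserved copy to show that verification catches the change.
    Returns (number of files preserved, list of copies that failed to verify)."""
    work = tempfile.mkdtemp()
    logs = []
    sample = [("auth.log", "Jan 1 03:14:07 host sshd[412]: Failed password for admin\n"),
              ("access.log", '10.0.0.5 - - "GET /admin HTTP/1.1" 401 0\n')]
    for name, body in sample:  # constructed log lines, not real data
        path = os.path.join(work, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        logs.append(path)
    evidence = os.path.join(work, "evidence")
    manifest = preserve_evidence(logs, evidence, collector="ir-team (constructed)")
    assert verify_evidence(evidence) == []  # freshly preserved copies verify clean
    tampered = manifest["files"][0]["copy"]  # the preserved auth.log
    os.chmod(tampered, 0o644)  # undo read-only just to simulate a careless edit
    with open(tampered, "a", encoding="utf-8") as fh:
        fh.write("edited after collection\n")
    return len(manifest["files"]), verify_evidence(evidence)


if __name__ == "__main__":
    print(demo())
```

The manifest is what lets you later show that the copy you hand to investigators, insurers or a regulator is the same one taken at the time of discovery; storing it and the copies on separate, write-once media is the usual next step.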
You also need to get the word out. No business will relish letting the world know it hasn't been as careful about cyber security as it could have been, but PR support can help you communicate this message effectively. Users may need to know quickly, so they can change credentials on other sites or services where they use the same password, and so that they can be more alert to the risk of identity theft.
Delay in spreading awareness can amplify the damage caused by a data breach. Still, each incident should be assessed on a case-by-case basis, taking into account the nature, volume and sensitivity of the data which might have been exposed, and the risks this poses to you and your users. Under some circumstances, you may decide that there is no need to let users know you've suffered a cyberattack. For example, you might take the view that a breach of your webserver which only exposed the contents of an unpublished brochure site for an upcoming game doesn't warrant publicity.
Aside from your users, you'll need to speak with your lawyers about any legal obligations you might have to notify the authorities. Your insurers will want to know (and you should tell them, otherwise you may have trouble making a claim), and there may be a need to speak with the police or data protection regulators (for example, the Information Commissioner's Office in the UK).
Games are global. So, it's likely you will need your lawyers to coordinate a response internationally. In some jurisdictions the risk could be low, relevant thresholds might not be met regarding the number of affected users, or the nature of the compromised data may be such that the incident doesn't merit disclosure or notification to data protection authorities in certain countries.
To react effectively, and in a compliant manner, a whole range of factors come into play. Is your business, from a legal perspective, a data controller or a processor (not always as straightforward as you might expect)? Is personal data involved (this might not be obvious, for example if a userID, IP address or other identifiers are involved, including data which can be combined with other information to identify someone)? Which jurisdictions are relevant and which law applies?
Ready, Player One
Unless you have significant in-house capabilities, you will almost certainly need to bring in external help. Rather than scrambling to find support after the event, where delays could have a lasting impact, I suggest that, in your own time, you put in place an incident response plan. That means pre-emptively speaking with cyber security consultants, auditors, PR companies, lawyers, your suppliers, your staff and your users about cyber security.
Effective preparation and a cyber security incident response plan will help stakeholders understand their responsibilities in the event of a data breach, slash delays in your reactions, reduce the cost of responding to the breach, reduce the fallout, and reduce the likelihood of a data breach happening in the first place.
The involvement of third-party specialists not only helps ensure you have the relevant technical capabilities to hand, but can also engender trust, as audits are more likely to be independent and unbiased.
Following its recent breach, TalkTalk made a public announcement within one day, promptly commissioned a review of its systems by PwC, and was praised by a committee of the Department for Culture, Media and Sport for this strong crisis response. So, such actions are likely to be of benefit if any enforcement action is contemplated by, say, the ICO.
At present, there are a host of good commercial, reputational and legal reasons to make sure you are ready for a breach when (rather than if) it comes. From 25 May 2018, regulatory changes include:
- General Data Protection Regulation (GDPR) which, among many other changes, will increase maximum fines for breaches of data protection law from £500k to 4% of global annual turnover or €20m, and bring data processors into the frame for certain breaches where they would not previously have been liable.
- New e-Privacy Regulations which affect the extent to which developers need to consider privacy when designing software, and how you can use messaging data and metadata between gamers (the same 4%/€20m fines apply to certain breaches of the e-Privacy Regulations).
- NIS (Network Information Security or Cyber) Directive.
We hope to look at these in more detail in a future article, so you can get a head-start and avoid a last-minute panic to comply by the deadline.
What next?
A good cyber breach incident response process will support identifying, containing and recovering from the breach, investigating the extent of any unauthorised access and the risks posed by it, notifying individuals and organisations appropriately, and taking steps to avoid it happening again.
Give some thought to how you might react if you found out from Reddit that the source code for your latest game, your email marketing list, your forum database or your in-game messaging logs had been leaked online (cyber security isn't just about personal data; you need to consider commercially valuable confidential information as well). What would you do?
Then, speak to those responsible for IT, communications, security and compliance in your business, and thrash out some scenarios. Discuss your concerns with specialist advisors, shore up the gaps, develop internal and external incident response groups, and put in place an incident response plan. Then, go back to sleeping at night.