By now, everybody will have heard of CrowdStrike and its software product, Falcon. The global technology outages that happened last Friday (19 July 2024) and were widely reported over the weekend dominated news reporting and technology publications. Essentially, CrowdStrike, a US-based cybersecurity firm, rolled out an update to its software, Falcon, a cyber security threat detection and automated protection tool, which caused Windows computers running the updated version of Falcon to crash and display the infamous “blue screen of death”. CrowdStrike has since clarified that the issue was not caused by a cyber-attack, but purely by a malfunction of the software triggered by the software update on Windows computers.
The CrowdStrike incident came at a time when companies in Malaysia are still trying to work out the extent of their exposure and obligations under the recently gazetted Cyber Security Act 2024, as well as the recently announced proposed amendments to the Personal Data Protection Act 2010 (“PDP Amendments”). While the CrowdStrike incident was not caused by a cyber-attack, cybercriminals are reportedly trying to take advantage of it, potentially posing as CrowdStrike personnel to gain access to the servers of organisations affected by the outage. If they are not cautious, companies already reeling from the operational disruption caused by the CrowdStrike outage may also suffer data theft or a cyber security incident.
In the face of such cyber security risks, we thought it apt to dedicate an article to sharing some pointers with general counsel and data protection officers to assist them in navigating the (almost inevitable) eventuality of a cyber security incident or personal data breach.
- 1. Situation Assessment
- Malicious actors causing cyber security incidents or personal data breaches in a company’s IT environment do not necessarily come with guns blazing or a flashy signboard announcing their achievements. More often than not, threat actors will not even tell their victims that they have successfully penetrated the victims’ environment, unless it is for extortion purposes.
- During the process of penetrating a company’s IT environment, however, threat actors may leave behind crumbs, or trails if you will, of their entry points: potentially a record of multiple failed log-in attempts on multiple employee accounts at odd hours of the day, or unusual log-in activity on the accounts of employees who are supposed to be on vacation. A company that suspects a breach of its IT environment should quickly conduct an assessment of its systems to ascertain whether an actual breach has occurred. Companies can deploy a sweeper or endpoint detection and response (EDR) tool to scan for and detect any malware. Close coordination between the company’s IT team and legal team at this stage is crucial, so that legal is aware of the possible threat and can react swiftly to the outcome of the assessment.
- 2. Submitting Breach Notification
- Assuming that the IT team has confirmed the occurrence of a cyber security incident, the company’s legal team will be faced with the important question of whether it is necessary to notify the authorities of the incident pursuant to the Cyber Security Act 2024 (“CSA 2024”). The answer depends on a few factors – does the company own or operate any national critical information infrastructure? If so, does the cyber security incident affect the national critical information infrastructure owned or operated by the company? If the answers to these two (2) questions are in the affirmative, the company will have an obligation under the CSA 2024 to notify the relevant stakeholders and/or authorities of the incident, and further investigations by the officers authorised under the CSA 2024 will be carried out.
- In addition to the cyber security incident notification, assuming that the proposed amendments to the Personal Data Protection Act are passed and that the company’s IT team’s assessment of the breach indicates that personal data stored by the company has been accessed unlawfully, the company will also have the added responsibility under the PDP Amendments to notify the Personal Data Protection Commissioner of the personal data breach.
- The purpose of these breach notifications is not just to ensure that the relevant authorities are aware of the breaches, but also to allow companies to work with the authorities to agree on appropriate responses to contain the effect of the breaches and to implement measures to prevent similar incidents in the future. As such, it is crucial for the company’s legal counsels and/or personal data protection officers to make sure that sufficient information is given to the authorities so that informed decisions can be formulated jointly.
- Engaging external legal counsel is crucial for companies navigating the complex requirements of breach notification under both cybersecurity and data protection laws. These requirements are mandatory and come with severe consequences for non-compliance, including potential fines, reputational damage and legal liabilities. External legal counsels can provide valuable guidance and assistance in accurately assessing the situation, ensuring that all necessary information is submitted to the relevant authorities, and advising on appropriate measures to mitigate risks. By collaborating with experienced law firms, companies can ensure compliance with their legal obligations and better protect their interests during such incidents.
- 3. Handling the Cyber Security Incidents
- Dealing with a cyber security incident goes beyond notifying the relevant authorities of its occurrence. Arguably the hardest part of dealing with a cyber security incident is to effectively contain the breach and to recover the operations affected by it.
- As most would know by now, the CSA 2024 empowers the Chief Executive of the National Cyber Security Agency (NACSA) to issue directives to National Critical Information Infrastructure Entities on the measures necessary to respond to or recover from a cyber security incident and to prevent such incidents from occurring in the future. It is crucial for legal counsels to coordinate closely with the Chief Executive of NACSA concerning the issuance of any directives, as well as the actions to be taken by the company to recover from and to prevent future cyber security incidents.
- From the perspective of personal data protection, again assuming that the PDP Amendments are passed, where a cyber security incident results in the unlawful access of personal data stored by the affected companies, these companies will also have a statutory obligation under the PDP Amendments to notify the relevant data subjects of the breach if the personal data breach causes or is likely to cause significant harm to the data subjects. To ensure effective communication of personal data breaches to the relevant data subjects, legal counsels and/or personal data protection officers should work with the IT team to come up with an exhaustive list of the data subjects whose personal data was unlawfully accessed.
- Assuming that the incident is one that is widely reported, public relations (PR) issues will also come into play. Any public announcement by a company affected by a cyber security incident should be carefully crafted to avoid unnecessary widespread commotion, especially when the incident relates to national critical information infrastructure. An effective announcement should also briefly mention the action plan the company will roll out to resolve the issue, so as to instil confidence in the public as well as affected data subjects. Legal counsels therefore play the key role of working with the internal and/or external PR team to craft a meaningful public announcement that communicates crucial information effectively to the public and affected data subjects.
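The two early-warning signs described under Situation Assessment (failed log-ins across several accounts at odd hours, and successful log-ins on the accounts of employees who are on leave) can be checked mechanically before the legal team is briefed. The script below is an added illustration, not part of the article or of any CrowdStrike or NACSA tooling; it assumes a simple constructed log line format and a hypothetical list of employees on leave.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log lines in an assumed format (not from the article).
SAMPLE_LOG = """\
2024-07-20T02:14:07 FAILED user=alice src=203.0.113.10
2024-07-20T02:14:09 FAILED user=bob src=203.0.113.10
2024-07-20T02:14:12 FAILED user=carol src=203.0.113.10
2024-07-20T02:15:01 SUCCESS user=carol src=203.0.113.10
2024-07-20T09:30:00 FAILED user=dave src=198.51.100.7
2024-07-20T10:02:45 SUCCESS user=erin src=198.51.100.8
"""

LINE_RE = re.compile(r"^(\S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")

def parse_log(text):
    """Turn raw lines into (timestamp, outcome, user, source) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def odd_hour_spray_sources(events, min_accounts=3, night_start=22, night_end=6):
    """Sources with failed log-ins against at least min_accounts distinct accounts outside office hours."""
    failed_by_src = defaultdict(set)
    for ts, outcome, user, src in events:
        off_hours = ts.hour >= night_start or ts.hour < night_end
        if outcome == "FAILED" and off_hours:
            failed_by_src[src].add(user)
    return {src: sorted(users) for src, users in failed_by_src.items() if len(users) >= min_accounts}

def logins_while_on_leave(events, on_leave):
    """Successful log-ins on accounts whose owners HR has recorded as on leave (hypothetical list)."""
    return [(ts.isoformat(), user, src) for ts, outcome, user, src in events
            if outcome == "SUCCESS" and user in on_leave]

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(odd_hour_spray_sources(evts))            # {'203.0.113.10': ['alice', 'bob', 'carol']}
    print(logins_while_on_leave(evts, {"carol"}))  # [('2024-07-20T02:15:01', 'carol', '203.0.113.10')]
```

Either finding is a trigger for the IT and legal teams to escalate to a proper EDR sweep and to start the notification assessment, not a confirmation of a breach on its own.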
Given the increasing digitalisation of companies everywhere in the world, a cyber security incident is no longer a remote possibility for any company. Hence, it is crucial that legal counsels and data protection officers alike are prepared to deal with and manage a cyber security incident effectively, so that any potential negative sentiment towards the company can be averted.
The technology lawyers at the Technology & Corporate Practice Group of Halim Hong & Quek can assist a company in navigating the challenging ordeal of a cyber security incident or personal data breach. Please feel free to reach out to our team of professionals should you ever need any assistance or if you would like to know more about cyber security and personal data protection.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual
Property, Corporate/M&A, Projects and Infrastructure,
Privacy and Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology,
Media & Telecommunications, Intellectual Property,
Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my