Paul Gardner and Jas Purewal of Osborne Clarke discuss lessons to be learned from the hacking of several games companies and how to deal with security breaches.
This is the second of two articles discussing data protection for the games industry. In the first part, we discussed the essentials of data protection and what games businesses need to know about it. In this second part, we look at what recent hacking incidents in the games industry can teach us about dealing with security breaches.
1. Having a plan in place to deal with a security breach is critical.
If you suffer a security breach, whether through employee mishap or a hacked server, you need to have a plan in place so that people know what to do, fast. Before any security breach, you need to have the following in place:
- Data mapping: even before a security breach, make sure you know what comes into your business from where.
- Data audit: know where you are actually storing your data and how to access it quickly.
- An obligation on your business partners to notify you if they detect a security breach.
- A plan for reporting security breaches to management quickly and efficiently (this could mean having both a designated communication channel, like an email address, as well as a senior manager assigned to deal with these issues).
- A mechanism for shutting down a security breach quickly.
- Plans in place for damage assessment and limitation.
2. Get help, early on.
Once you know a security breach has happened, get professional advice early on. In particular, security advisors can advise on technical issues and your lawyers can advise on what the leak could mean for the business. Make sure you know who to turn to as part of your standard data security arrangements.
3. Engage with your customers as soon as possible.
In the Sony case, there was a gap of around a week between Sony becoming aware of the leak and then announcing it publicly. Sony explained that it had been actively investigating the leak during this time, but some customers were sceptical.
Clearly there's a balancing act between focusing on shutting down the leak and keeping customers informed. But nonetheless you need to do what you can to engage with your customers as soon as possible, for two reasons: (1) especially following Sony/PSN, customers will want to know what's going on; and (2) there's a good argument that the Data Protection principles require you to engage with customers as soon as possible.
4. Effective PR is important.
Don't hire PRs when the damage has already been done. When preparing your security breach plans, speak with your PRs in advance so that you have something and someone to work with if a security breach ever occurs.
5. Destruction is the best safeguard: don't keep data unless you really need it.
You can't lose data which you don't have anymore. As a safety precaution (as well as good practice in accordance with the Data Protection Principles), you should therefore undertake regular checks to see what data you no longer need and can therefore be deleted from the system. This should help to remove old/unwanted/obsolete data from your servers (which, had Sony done this, could have saved them from having data from a 2001 competition hacked recently).
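The "regular checks" above can be automated as a retention sweep: every category of personal data gets a retention period tied to the purpose it was collected for, and anything past that period is flagged for deletion and logged. The following is an added illustration, not code from the article or from Osborne Clarke; the record categories, retention periods and sample records are constructed assumptions, not legal guidance on what periods are appropriate.

```python
"""Retention sweep: find records that have outlived the purpose they were collected for.

Added example. The policy table, categories and sample records below are constructed
assumptions for illustration; real retention periods must come from your own data audit.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Retention period in days for each data category (constructed values).
# For accounts the clock starts at closure, so a live account is never expired.
POLICY = {
    "competition_entry": 365,  # the purpose ends when the competition does
    "support_ticket": 730,
    "account": 90,             # 90 days after the account is closed
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected_on: date
    closed_on: Optional[date] = None  # accounts only: when the account was closed


def retention_start(record: Record) -> Optional[date]:
    """Date from which the retention period is counted (None = not yet started)."""
    if record.category == "account":
        return record.closed_on
    return record.collected_on


def is_expired(record: Record, today: date) -> bool:
    """True if the record is older than its category's retention period.

    A category missing from POLICY is a data-mapping failure: we refuse to guess
    rather than silently keep (or delete) data nobody has taken responsibility for.
    """
    days = POLICY.get(record.category)
    if days is None:
        raise ValueError(f"no retention rule for category {record.category!r}")
    start = retention_start(record)
    if start is None:
        return False
    return today - start > timedelta(days=days)


def sweep(records: List[Record], today: date) -> Tuple[List[Record], List[Record]]:
    """Split records into (kept, to_purge). Deletion itself is left to the caller."""
    kept, to_purge = [], []
    for record in records:
        (to_purge if is_expired(record, today) else kept).append(record)
    return kept, to_purge


def audit_entries(to_purge: List[Record], today: date) -> List[str]:
    """Audit-log lines for the purge: identifiers and dates only, never the personal data."""
    return [
        f"{today.isoformat()} purge {r.record_id} "
        f"({r.category}, collected {r.collected_on.isoformat()})"
        for r in to_purge
    ]


def run_sample() -> Tuple[List[str], List[str]]:
    """Run the sweep over a constructed dataset as of 2011-06-01 and return (kept, purged) ids."""
    today = date(2011, 6, 1)
    records = [
        Record("c-2001-0001", "competition_entry", date(2001, 6, 1)),   # decade-old entry
        Record("c-2011-0042", "competition_entry", date(2011, 3, 15)),  # current competition
        Record("acct-1", "account", date(2008, 1, 1)),                  # still live
        Record("acct-2", "account", date(2008, 1, 1), closed_on=date(2010, 12, 1)),
        Record("t-7", "support_ticket", date(2009, 1, 10)),
    ]
    kept, to_purge = sweep(records, today)
    for line in audit_entries(to_purge, today):
        print(line)
    return sorted(r.record_id for r in kept), sorted(r.record_id for r in to_purge)


if __name__ == "__main__":
    print(run_sample())
```

Run on a schedule and review the audit log before the purge step is wired to real deletion; the unmapped-category error is deliberate, because a record with no owner and no retention rule is exactly the "data you didn't know you had" that point 1 above is meant to eliminate.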
6. Having good working security is very important.
Data Protection legislation requires data controllers to take "appropriate technical and organisational measures" to secure the personal data they hold. That doesn't require you to turn your servers into Fort Knox. It doesn't even necessarily require you to encrypt all your personal data (though that's good working practice).
It does require carrying out an assessment of what data you hold and what security measures are needed to protect it adequately. This will vary from business to business depending on a whole range of factors, including how much and what kind of data they hold (and how sensitive it is), what measures are available to them and at what cost. There are recognised quality and security standards – consider moving your business on to one of those standards (and ensuring your business partners do too).
7. Getting back to normal: under-promise, over-deliver.
One of the problems which Sony faced was widespread uncertainty and speculation regarding when the PSN service would be resumed (this is often likely to be a problem where a security breach results in the takedown of a service).
We'd suggest the best practice would be, insofar as possible, to adopt a cautious approach when estimating when the service is likely to become fully functional again – better to under-promise and over-deliver than have to give a series of moving relaunch dates.
8. Hardwire data protection into the business.
A major factor in security breaches is that business systems and processes are not fundamentally designed with data protection in mind – their security measures are bolted on afterwards. So, the next time you start a business or new job or new project, consider how to hardwire data protection into it. It's good practice and it's likely to become the law in the near future.
9. Appoint a senior manager to be responsible for data protection.
Again, a major factor in security breaches is that responsibility for protecting data falls between management cracks. Put a senior manager in charge of data protection and give him/her sufficient resources and training to do the job. It's good practice, good PR and it's likely to become the law in the near future.
Paul Gardner is a partner and Jas Purewal is a solicitor in the interactive entertainment team at Osborne Clarke.