By Stefano Debolini and the Sheridans Sports Team
When many think of cyber security, the sports industry may not be the first that springs to mind. It has, however, had its fair share of problems. Footy Leaks flooded the internet with confidential transfer and employment contracts for fans to read. Similarly, the Fancy Bears Therapeutic Use Exemptions (TUEs) hack exposed personal medical information relating to many high-profile sportsmen and women.
These breaches suffered by major players in the sports sector have underlined the need for rights holders, clubs, agencies and other participants in the ecosystem to make cyber security a priority.
The volume of personal and other data generated, shared and commercialised in the sports industry has experienced staggering growth, and a proper discussion of how to navigate the regulatory landscape while making the most of that data is a topic for another day. Here, we focus more on considerations relevant to data breach incident response and compliance.
Data protection regulation requires holders of sensitive data, which may include personal information about a club’s star players, to implement appropriate technical and organisational security measures to avoid unauthorised disclosure of player data. If you suffer a breach, it may indicate that the steps you have taken to comply with data protection principles fall short. So, as a starting point, it is important to ensure that the security of your data (and that of your business partners and users) is a core consideration across your business. What if you are still the victim of a cyberattack?
Cyber threats can unfold quicker than a Mane/Salah Liverpool counter-attack
It probably goes without saying, but as soon as a data breach is discovered, you need to jump on it. Typically (although not in every case) you will want to halt the unauthorised access, take non-essential services offline, update credentials, limit access to those who need it, and preserve data from connection logs and other sources of audit information before it is overwritten, among other matters.
You also need to get the word out. No business will relish letting the world know it hasn’t been as careful about cyber security as it could have been, but PR support can help you communicate this message effectively. Users may need to know quickly, so they can change credentials on other sites or services where they use the same password, and so that they can be more alert to the risk of identity theft.
Delay in spreading awareness can amplify the damage caused by a data breach. Still, each incident should be assessed on a case-by-case basis, taking into account the nature, volume and sensitivity of the data which might have been exposed, and the risks this poses to you and your users. In some circumstances, you may decide that there is no need to let users know you’ve suffered a cyberattack.
Sensitive information about, say, football players is high-profile news. Its impact can be global, so it is likely you will need your lawyers to coordinate a response internationally. In some jurisdictions the risk could be low, the relevant thresholds regarding the number of affected users might not be met, or the nature of the compromised data may be such that the incident does not merit disclosure or notification to the data protection authorities in certain countries.
To react effectively and in a compliant manner, a whole range of factors come into play. Is your business, from a legal perspective, a data controller, or processor (not always as straightforward as you might expect)? Is personal data involved (this might not be obvious, for example if a user ID, IP address, or other identifiers are involved, including data which can be combined with other information to identify someone)? Which jurisdictions are relevant and which law applies?
Unless you have significant in-house capabilities, you will almost certainly need to bring in external help. Rather than scrambling to find support after the event, when delays could have a lasting impact, we suggest that, in your own time, you put in place an incident response plan. That means pre-emptively speaking with cyber security consultants, auditors, PR companies, lawyers, your suppliers, your staff and your users about cyber security.
Effective preparation and a cyber security incident response plan will help stakeholders understand their responsibilities in the event of a data breach, slash delays in your reactions, reduce the cost of responding to the breach, reduce the fallout, and reduce the likelihood of a data breach happening in the first place.
The involvement of third party specialists not only helps ensure you have the relevant technical capabilities to hand, but can also engender trust, as audits are more likely to be independent and unbiased.
Following its recent breach, TalkTalk made a public announcement within one day and promptly commissioned a review of its systems by PwC. A committee of the Department for Culture, Media and Sport praised this as a strong crisis response, and such actions are likely to be of benefit if any enforcement action is contemplated by, say, the Information Commissioner’s Office.
At present, there are a host of good commercial, reputational and legal reasons to make sure you are ready for a breach when (rather than if) it comes. From 25 May 2018, the General Data Protection Regulation (GDPR) will, among many other changes, increase the maximum fines for breaches of data protection law from £500k to 4% of global annual turnover or €20m, introduce new obligations regarding the reporting of data breaches, and bring data processors into the frame for certain infringements where they would not previously have been liable.
Although it sounds rather dry, a good cyber breach incident response process will:
- help an organisation identify, contain and recover from the breach;
- investigate the extent of any unauthorised access and the risks it poses, and notify affected individuals and organisations appropriately; and
- ensure steps are taken to avoid it happening again.
How would a sports agency or football club react if it found out from a newspaper report that its high-profile players’ salaries, personal addresses and phone numbers had been leaked online? ‘Where to start?’ is the usual response.
We’d suggest speaking to those responsible for IT, communications, security and compliance in your business, and thrashing out some scenarios. Discuss your concerns with specialist advisers, shore up the gaps, develop internal and external incident response groups and put in place an incident response plan. Then, go back to worrying about on-field matters.
The Sheridans Sports Team can help with all of the above. Contact Daniel Geey or Stefano Debolini for more information.