Podcast: Responding to a Data Breach

Colleagues meet to discuss their data breach plans

In this episode Mark Read, head of data breach solutions at TransUnion UK, walks us through how you can effectively plan for a data breach and what a ‘gold standard’ response activity should look like. As Benjamin Franklin framed it: failing to prepare is preparing to fail.

Mark talks to George Chaisty, a partner at the legal firm Kennedys Law LLP. George is part of Kennedys’ cyber and data risk team, and advises clients on a broad range of cyber incidents including ransomware and business email compromises. 

Using our e-book Data Breach for Businesses as a starting point, Mark quizzes George on the current cyber threats facing businesses and what processes and resources need to be considered when building a robust data breach plan. Additionally, George identifies some of the common mistakes businesses make in their response actions. Key talking points in this podcast revolve around reputation management, supporting consumers and the timeframe you have to act within. 

We’ve recorded this podcast to provide a blueprint for professionals who are responsible for their organisation's data breach plan. The episode offers an in-depth explanation of what resources, teams and services go into making a robust data breach response.  For those working in the industry and familiar with the topic, it can either validate your approach or offer nuggets of new and useful information. And for those tasked with developing a plan from scratch, it can hopefully provide a template for you to follow as you begin to document your process. 

Responding to a Data Breach: Managing the Clock and Your Reputation

Mark Read (MR): Hello, and welcome back to TransUnion's Data, Strategies and Trust podcast series. I'm Mark Read and I lead TransUnion's Identity Protection and Data Breach Solutions here in the UK. These podcasts are delivered to help listeners better understand the evolving data and technology landscape. TransUnion are a global information and insights business who aim to make trust possible between consumers and businesses.

We provide solutions that help create economic opportunity, great experiences, and personal empowerment for hundreds of millions of people in more than 30 countries. Data breaches have become a persistent threat in our increasingly interconnected world. From large corporations to small enterprises, nobody is immune to the potential risks associated with cyber attacks and unauthorized access to sensitive information.

The consequences of a data breach can, of course, be devastating, ranging from financial losses and reputational damage to legal and regulatory repercussions. So in this episode, we're going to address the vital question, what should businesses do when faced with a data breach? We'll examine the importance of preparedness and proactive measures, as well as the crucial steps to take immediately following a data breach.

Joining us today, we have an esteemed guest who brings extensive expertise in data security and incident response.

George Chaisty is a partner at Kennedys in their cyber and data risk team. George, welcome to TransUnion's podcast. Could you tell me a little bit more about your role at Kennedys?


George Chaisty (GC): Thank you, Mark.

It's a pleasure to be joining you. As you say, my name is George Chaisty, and I'm a partner at the law firm Kennedys, where we offer a global data breach response service, which in large part means we advise our clients on the legal and regulatory obligations in the immediate aftermath of a cyber attack.

So whether that's ransomware, business email compromise or any other form of data breach.


MR: Thanks, George. In this episode, we're going to shed light on the current data breach landscape, discuss the evolving tactics employed by cyber criminals and the vulnerabilities that businesses must be aware of to protect their data.

George and I are going to explore actionable strategies and best practices for businesses to effectively respond to data breaches. We'll discuss incident response planning, communication strategies, and the critical role of transparency and trust in mitigating the fallout from a data breach. But what I'd like to do first before George and I begin our discussion is to set the scene somewhat and share some findings from our most recent research that TransUnion have undertaken.

And these stats you'll find within our Data Breach Support for Businesses ebook that we've released this month. In the ever evolving digital world, the UK finds itself navigating a complex and dynamic data breach landscape. As organizations increasingly adopt technological advancements and rely on data driven processes, the risks associated with a cyber attack and unauthorized access to sensitive information have become more prominent and sophisticated.

Despite the implementation of stringent data protection regulations, like the GDPR for example, the occurrence of data breaches continues to pose significant threats to individuals' privacy, organisational security and the overall trust in the digital ecosystem. Our research found that more than one in four UK businesses, around 28%, experienced a data breach in the past 12 months.

And that's despite UK businesses spending on average £600,000 annually to repel those attacks. It's estimated that approximately 5.25 billion people worldwide have access to and use the internet. That's around 66% of the world's population. And between 2020 and 2023, usage of the internet increased by 1,355%.

So with more users than ever before, it's not surprising that around half of IT professionals, 49% of those that responded to our survey, said that there is more pressure than ever on businesses to keep customer data safe. Attacks such as phishing, where messages seemingly from reputable sources are used to steal data or personnel information, were reported to, of course, 10% of U.K. data breaches up to quarter four (2022). That's according to the Information Commissioner's Office. And in fact, TransUnion's own Consumer Pulse survey from the second quarter of this year, 2023, found that phishing is the most common type of digital fraud. And that was reported by almost half, 46 percent, of targeted UK consumers in our latest survey.

So we know that the threat is significant. What do you think, George, are the biggest legal concerns from businesses following a data breach, be it third party claims, reputational damage, perhaps cyber extortion, or anything else?


GC: Yeah, thanks, Mark. Now, at the risk of sounding a little bit gloomy here, there is quite a long list of legal and regulatory considerations, at least potentially arising from a data breach.

And I suppose fundamentally, our job as lawyers or as breach counsel, as we're often referred to, our job is to guide our clients towards making those sensible early decisions that will hopefully keep that list as short as possible. I suppose the two concerns that tend to arise earliest from a legal perspective are the possible regulatory exposure and then secondly, the potential for claims.

So when we're dealing with ransomware, for example, our clients are very naturally and completely understandably focused on getting back online as quickly as possible, that ransomware attack having typically taken the systems offline. And that's in large part to keep their business and the operational disruption, which you talk about in really good detail in the ebook, to an absolute minimum.

At the same time though, and whilst that is incredibly important, the focus needs to be ideally on mitigating the potential legal and regulatory exposure as early as possible.

So to give a very quick example: if a manufacturing client's head office and factory has been taken offline because of ransomware, of course it's really important to get the production line back up and running as quickly as possible, but it's also really important to ensure that the client understands the impact on head office too. And what I mean by that is if personal data has been accessed or stolen by the cyber criminal, which it very often is in the context of a ransomware attack, typically as leverage for payment of a ransom. So the cyber criminal steals data and says, if you don't pay a ransom, we will leak it on the dark web.

Where we do see impact on personal data, there can be very tight turnaround times for notifications then to regulators, not just in the UK or wherever head office is based, but potentially internationally too, depending on the nature of the business. And so failure to notify in time or indeed at all, if a client or if any of your listeners were opting to sweep a data breach under the carpet - I'm sure none, none of them would - then depending on the regulator in question, that failure to notify in time or at all can result in investigations and fines. So it's really important to mitigate that possible regulatory exposure right from the outset. So that's the first of the two that tend to be the most forefront of our client's mind.

The second is to remember that it's really important to mitigate possible claims right from the outset of the response too. Very often our clients assume that claims mitigation is something that comes at the tail end of the response to the incident. But actually the steps that you take in the immediate aftermath can really help with mitigating that threat of legal action.

So just to round that off and carry on the manufacturing client example: not only could the client in that scenario face claims around the breach of personal data that they hold, but they could also potentially be facing contractual claims when it comes to late delivery or failure to perform more generally under contractual provisions.

There's plenty of other considerations like the legality of paying a ransom, industry specific regulatory notifications. The list goes on, but hopefully that gives you a flavor.

MR: Thanks, George. I want to drill down a little bit more into your points from a little bit earlier on. In the U.K., for example, an organisation must report a notifiable breach, where it meets the threshold, to the regulator within 72 hours of becoming aware of the incident, as you mentioned quite correctly. In other jurisdictions, that time frame is even shorter. If we think specifically about a U.K. incident being reported to the ICO, could you give us some insight into what would be expected of that organization by the time the communication is made to the ICO and what goes within that notification itself?

GC: Yes. So, the timing around notification to the ICO is something we still see our clients get very, very anxious about. And I think there is still generally a good level of uncertainty around how the relevant provisions apply. Now, at the risk of your listeners switching off or dozing off at the first mention of the GDPR, it is that regulation that the deadline for notifying comes from, and it's that regulation that sort of dictates or guides the content of the notifications as well.

What is really important to bear in mind is that the first hurdle to overcome in order for a notification to the ICO to be required, and in fact for the 72 hour timer that you very sensibly mentioned to start running at all, is not awareness of suspicious IT activity in itself, particularly in the context of cyber attacks that we might be facing, but it's awareness of a personal data breach, which might then trigger a risk assessment for the victim of that cyber attack to then be in a position to determine whether the notification threshold under the GDPR has been met.

So, the starting point is working out whether a personal data breach has actually occurred. Now, that might be in the form of unauthorized access to personal data. It might be exfiltration, which we touched on a little moment ago. The theft of personal data by the unauthorized third party that's gained access to systems.

Or it might be some other form of unauthorized interaction with personal data, but to get that level of visibility, to get that level of detail and to be able to answer the question of whether or not we even have a personal data breach, we're reliant on the client's IT team or, if the circumstances dictate, we're relying on independent IT forensics to investigate the extent of the breach. So really, to answer at least the first part of your question, the ICO will have expected your listeners to have started the forensic investigation right away, not just to make sure that they have accurate information to provide the ICO with, but also fundamentally to determine whether or not a notification is even required in the first place.

So, again, just a reminder, the two hurdles: personal data breach and then a risk assessment. Will that breach give rise to a risk to individuals? We need to be able to answer the first question and determine whether or not there's been a personal data breach. Then in terms of the content of the notification itself, the ICO will encourage you to complete a form which is on their website, and that will effectively guide the company responsible for notifying towards being able to give a good level of detail about when they became aware of the incident.

What they currently know, what they currently understand the impact to be for any individuals for whom personal data is held, and then ultimately what they're going to be doing about it. So, once you start looking at what the ICO expects you to be providing within the notification form itself, it helps give a really good indication as to how important that initial investigation is and getting that underway as quickly as possible to be in a position to answer those questions.

Now, having said all of that, and at the risk of potentially really terrifying your listeners, where there is an international angle, and the red herring here is assuming that I'm a UK based organisation and therefore I only need to be concerned about the ICO, where there's an international angle, and an example of that might be an e-commerce company that sells their product worldwide and therefore holds personal data relating to individuals away from the country that company is established in.

There might be even more onerous deadlines than we have in the UK with the ICO. So, in certain countries, regulatory notifications are required within a very short number of hours, as quickly as six hours in certain countries, of awareness of the incident itself. How you have time to gather an appropriate level of information to notify in some of those countries is probably a discussion for another time.

But in that sense, really, the ICO is quite reasonable and expects those notifying to have formed an early view on the extent of the breach, typically through that immediate forensic investigation that we just talked about.

MR: I think your level of detail in the answer there, George, is fantastic. And despite the fear you may have put into some listeners and the mention of GDPR, I'm sure they are still engaged in the podcast. Some of the other findings from the research that we undertook, which I mentioned earlier on in my introduction, were that 40% of respondents, from 500 IT professionals at U.K. businesses, suffered noticeable reputational damage following an incident; many lost customers and, of course, in some cases, the ICO would have fined them or taken another enforcement action. And the reason I mention that is that there is also an obligation in certain circumstances, alongside those notifications that you were mentioning to the regulators, for the organization to notify those individuals, those data subjects, who have been impacted by the breach.

So could you tell us a little bit more, George, around the threshold that needs to be met for that notification, I guess, to be made to the data subjects, and when that notification needs to take place?

GC: Yes, Mark, you're quite right to call me out on fixating on notifications to data protection regulators up to this point.

And that's in large part because they do tend to be those required really very quickly and where there are prescriptive deadlines. There are also industry specific regulators to think about. So for example, a financial advisor might need to consider notifying the FCA and a charity will need to consider notifying the Charity Commission. And so understanding the nature of the business is very important. But to answer your question more directly around impacts on data subjects, there are also separate notification requirements to individuals impacted by the data breach. So, harking back to the answer to one of the earlier questions, there is a huge amount to think about from a legal and regulatory perspective right from the outset.

And that obligation continues all the way through the response to an incident. At least in the UK and Europe and many countries that have a similar data protection regime to the GDPR, data protection regulator notifications tend to come first, and then notifications to individuals impacted by the breach will often follow.

It's the reverse in many states in the U.S., but again, probably a discussion for another time.

MR: Thanks. Bringing it back to the U.K. and Europe, though, there's a regulatory requirement to notify those whose personal data is impacted in circumstances where a high risk is posed to those individuals whose personal data has been breached.

Now, without getting too technical, that requirement applies to those companies considered the data controller with respect to that personal data, and different obligations will apply then to data processors. So it's important for listeners to get their data protection policies right and properly understood when it comes to considering notification specifically to individuals.

And then in terms of timing, rather than a 72 hour deadline applying, like it does with the ICO, the requirement is to notify individuals or data subjects without undue delay. And whether that means it occurs in the first few days or sometime later, it typically happens when the forensic investigation that we talked about needing to start very quickly has concluded.

Whether it happens in those first few days or weeks or, in certain circumstances, potentially months later, that will really depend on the client's preference and what the forensic investigation unravels, and ultimately, frankly, just how much data has been impacted and how many might need to be notified. In terms of the content of those notification letters, the answer is in large part within the relevant regulation, irrespective of the country that we're talking about, but the overview is: sufficient information for the recipient of any letter to have a really good understanding of exactly what has happened, precisely the impact on the data, the data that has been impacted and the different categories, and then ultimately the steps that the organization is taking to mitigate that high risk that was sufficient such that the notification was required in the first place.

On the topic of the notifications and where TransUnion come in, I think our listeners that follow myself on social media and LinkedIn or elsewhere, and have seen our posts, may have seen me talking about trust never being more valuable, or of course vulnerable, than in the wake of an incident. That's certainly true, and when we support organisations following a data breach, many of which of course are also being supported with legal advice from yourself and the Kennedys team, our aim is to help minimize reputational damage for our client and to help restore trust with those that they're communicating details of the incident to. So that's why we come in to support organisations, perhaps in as little as 24 hours after we're notified of an incident, and that's because we want to help craft that notification that you mentioned to the data subjects, those living individuals that have been impacted by the breach, and offer certain remediation solutions, if you will, which can help immediately remove some of that heat out of the situation.

As you can imagine, and I'm sure all of our listeners at some point have received the data breach notification themselves in the past, there is that initial fear, that dread, perhaps anger towards the organization responsible, and that can very quickly lead to litigation, perhaps, I say very quickly, or indeed in the future, against our client.

And the loss of customers, the loss of their trust, and obviously further business or attracting new business, as I mentioned earlier. So that's why it's incredibly key that, outside of that small working group that's responsible for managing the fallout of the breach internally, it's important to build on what you were saying, George, about that communication piece being clear and concise and only doing so in confirmed facts, but also balancing that communication with those impacted and the risk of that information being used against you in future litigation.

Hopefully, George, you agree on those points, but where do you think businesses should be looking to support individuals who they're notifying of a data breach?

GC: I think in large part that I've set the groundwork for talking about the international angle being just as important as the home U.K. strategy and the mitigation measures that are taken are in at least some part driven by what is jurisdictional standard.

So, in the U.S., you might need credit and identity monitoring services for two years because that's what's expected in that country. And in others, there might not be the same level of expectation that it's quite that long. But when you talk about gold standard where the resources are available, why would you not take that extra step if it felt like it was going to help with that trust point that you mentioned?

And then I think on the broader points that you made, I suppose the only thing that I would add is that the best bit of advice I tend to give clients from a communications perspective is not to wait for a data breach to decide on a communications and notification strategy. So, listening to this podcast is obviously a great start, but engaging with breach counsel like Kennedys, talking with TransUnion, having those discussions long before an incident happens means that you can draw from years of experience on the things that tend to go wrong, particularly when it comes to communication, and maybe more importantly, the things that tend to go really well.

So maybe it is thinking about a two year monitoring offering long before the decision needs to be made, or maybe it's more specifically on the communication strategy itself. So, typically a properly thought out communication strategy ensures that notifications don't come as a surprise to those that will ultimately receive them.

So, can we start thinking about tailoring some of those communications long before an incident? And I think if clients treat having an effective, tailored strategy, as an investment, that tends to be the key because the cost of getting the communications and notifications wrong, whether that's over notification or under notification or not notifying at all, can get incredibly expensive.

And on some occasions it will make sense to go out and tell stakeholders really early, like you mentioned, and in other situations it might make sense not to so quickly if the circumstances dictate. And to be clear, that's not about hiding anything from anyone, but it's more about mitigating the risk of potentially avoidable claims, complaints, all of the things that we talked about as being some of the primary legal concerns at the outset.

MR: So I think probably it's a good time for me to talk about, picking up on some of the points you just made there, where TransUnion help. As I mentioned, we support organisations from very early on in the investigation stage, depending on how quickly they want to engage us, and in some cases before a breach has even happened, where we fit within an organization's incident response plans, which I do want to talk about in a short time.

So we often begin by working with partners like yourselves at Kennedys to craft that notification letter with the aim of taking some of the heat out of the situation, which will address that key information on what's happened and include the offer of remediation solutions like our TrueIdentity platform. TrueIdentity, for those that aren't familiar, is TransUnion's credit and identity monitoring service, which alerts users to signs of identity theft and fraud. And then in the background, we have a dedicated dispute team that are there to resolve anything that the consumer doesn't recognise. And of course, disputes with us via the TrueIdentity service can then all be tracked within the solution. So it's there to protect that consumer against identity theft and critically, obviously, against financial loss.

There have also been breaches in the past where, in the Information Commissioner's final written judgments, they've seen the proactive rollout of monitoring services like TrueIdentity as being a positive mitigating factor. So that can actually help reduce the possible fine levied by the Commissioner. I'm sure Kennedys in the past have used such things in the defense of legal claims as well.

And then what the breached organisation needs to consider, and another place that we support, is whether they have the workforce in place to be able to handle inbound calls or emails, which, from my experience, could come from around 10% of those that they've notified of the incident via letter or email; that is indeed something we can support with as well. And those people will be calling in for more information or of course to air their frustrations. So it's important to remember that these calls will be coming at a time when the business is also trying to recover from the incident, as you were speaking about, I think, in your first answer, George, so looking to minimise the loss of revenue and even support customer business as usual queries.

So what TransUnion also do is stand up dedicated teams of agents that can support the organization's inbound calls on scripted FAQs via an emergency telephone line, or indeed provide that inbound email management, again using FAQs that we've agreed in advance with their external legal counsel like Kennedys and the client directly, but always specifically related to the incident.

Those teams are trained in crisis communications and major events like these, and actually we find that that really does relieve the pressure on the organizations that we support and helps them to focus on the recovery phase of that incident lifecycle. George, what I want to do now is actually take a step back and look at what an organization can do in preparation for that awful day when they discover a data breach. We know that around half of IT professionals, as I mentioned earlier, think there is more pressure than ever to keep data safe. And we also know that the average time to contain a data breach, according to UpGuard.com, is around 70 days. So given those obvious concerns of U.K. businesses at the moment, and then the length of time it takes to discover and contain an incident, what I'd like to do is provide our listeners with some insight into how they could perhaps build an incident response plan from the ground up if they don't have one already, or enhance what they already have in place.

So, we already know that there are various external specialists who can be engaged: TransUnion, Kennedys, crisis PR firms, and of course cyber insurers, which is an area we haven't touched on in today's episode. But where do you even begin in building that response strategy and your incident response plan? And is it essential that businesses include all of those external parties I just mentioned? And furthermore, just building on that question, how often should that plan be reviewed and updated?

GC: The first point to make here is if your listeners have clicked play on this podcast before they've had an incident, then that's a really encouraging sign when it comes to cyber readiness, because it means they're thinking about preparing for the worst happening rather than assuming ransomware, business email compromises, and other forms of cyber attacks are only things that happen to other organisations.

Because where we pick up new instructions for clients that have had a ransomware attack or otherwise, and they've had that mentality of "I don't need to worry about this because it won't happen to my organisation, I'm not going to be a primary target for a cyber criminal", it tends not to go so well. So the best bit of advice I can give around cyber readiness, beyond some of the sort of standard IT technical measures around implementation of backups and other considerations, at least from a legal perspective, as you say, is that the best step is to formulate and implement effective breach response plans that incorporate some of those things we've already discussed around communications, details of the experts that will need to be contacted, steps to mitigate claims and anything else considered to be of importance.

Those listening carefully just then will notice I referred to breach response plans in the plural. The point there is that there's no use having an off the shelf disaster recovery plan if it's one size fits all and it doesn't take account for the size and the nature of the business that is creating the plan.

So what I tend to say is that ideally companies will have bespoke plans for each form of cyber attack. So one for ransomware, one for business email compromise, et cetera. And those plans would then ideally be stress tested with tweaks made regularly. Something that in the cyber industry you hear a huge amount of, but is very, very relevant here, is that cyber attacks are constantly evolving.

And so too, then, should breach response plans where possible. Cue a subtle plug for Kennedys here, but not intended as any kind of hard sell. One thing that we tend to offer, and to be clear, there are lots of providers that offer similar things, but something that we offer our clients is a ransomware simulation exercise, which is the perfect opportunity to put a pre-existing breach response plan to the test.

So do that stress testing, make sure that it's fit for purpose and make sure that it's still relevant, even though cyber attacks and the threat might have evolved since it was first put into place. Or go through the mock incident to move into a better position to create a plan, or to create plans, if our clients don't already have them in place, and we help them with factoring in the answers to some of those big questions that we will be asking through that exercise, to then feed the response, feed the answers and feed the strategy into a new response plan if one doesn't currently exist.

By keeping on top of the latest threats and speaking to those that work in the industry, it should, at least in theory, be relatively easy to keep breach response plans up to date and relevant as best as possible. And then I think to catch one of the last questions you asked around how often breach response plans should be reviewed, well, I'm bound to say this, but as often as possible. If asked by clients in the past, I've tended to say something like every six months; that feels like a sensible period of time to be reviewing it, certainly every year, because the threat landscape changes so much that, as I say, it's important to factor developments in.

A prime example, in terms of how quickly the landscape moves on, is multifactor authentication, which is something that lots of your listeners will at least be aware of if they don't have it in place already. A year ago that was deemed absolutely gold service, verging on impenetrable mailboxes if they've got that multifactor authentication in place.

Fast forward some time later and we're now starting to see lots and lots of ways in which criminals can bypass that access point if they're so inclined. So the point there is that anything within those plans and, frankly, more broadly, anything within policies, whether that's IT-facing or data-protection-facing, needs to be kept up to date and in keeping with the way that things move forward.

And then I suppose on a more practical basis, the organisation's response team might change. So there's no use creating a plan including a response team of eight people in January if by December five of them have left and two of them are about to go on holiday. So, it's largely a judgment call, but six months has always seemed sensible to me.

I don't know if you agree on that, Mark?

MR: Yeah, 100%. We have stood on stage before and done various interviews where I've spoken about incident response plans or breach response plans being tried and tested regularly. I think six months is about right. You don't obviously want to be reviewing it on a monthly or a quarterly basis because you also want to focus on other areas of the business, but certainly a minimum of every six months is good practice.

If we were to look, George, at everything we've discussed in the episode today, both in the measures and things to do in the event of a data breach and indeed in preparation for that bad day at the office, and you may have answered this already... is there anything you think that organisations get consistently wrong in their response to a data breach? And what could our listeners learn from that?

GC: Yes, it is. Thank you. There are two that spring to mind. One is very much born out of the discussion that we've had and the other is slightly more general. So there is one common mistake, which I'll introduce slightly tongue in cheek. So for all the time we've spent talking about breach response plans, there will be, I'm certain, listeners out there feeling very smug because they've already got a breach response plan.

They might even have breach response plans prepared and ready to go, but I bet some of those also only hold those plans online within the company's systems. The number of times now where we've advised clients that have been hit by ransomware, where all of their systems have been taken offline because of the attack, meaning that those response plans can't then be viewed, is terrifying.

So please, please, please, if you are one of those listeners that does already have a breach response plan, print a hard copy. So that's the more tongue in cheek mistake, given how much we've been focusing on the importance of a breach response plan, because ultimately it will be redundant in the event that wholesale encryption happens or your systems are taken offline for any other reason.

MR: Couldn't agree more. It's remarkable how frequently it happens.

GC: The less tongue in cheek answer is the one which is normally the more expensive mistake to rectify, but it's going out and telling anyone and everyone that the organisation has suffered a cyber attack immediately on awareness. And I must say, I do have a huge amount of sympathy when that does happen, because very often the metaphorical house is on fire.

The knee-jerk reaction is we need to be as open and transparent as possible. But the reputational damage of over-communicating can be incalculable, and so too can the cost associated with dealing with swathes and swathes of queries that it's far too early in the investigation to answer. So not for a moment am I suggesting that an anti-communication strategy is the right one; it's just making sure that you're communicating with the right people at the right time.

MR: Straight back to one of the first points that was made... with that regulatory exposure and claims mitigation in mind, and also only what's necessary, right?

GC: Exactly. Because if we move into speculation territory, that's when the questions start that we find it really, really difficult to be able to answer.

So keeping it fact-specific and to what's necessary, whether that's because it's legally required, regulatory expectations, or because it's what's set out within contractual provisions, tends to be a really good starting point. Then you move into the territory of: are we a B Corp business? Are we outwardly demonstrating on our website that we are the type of organisation that will be open and transparent?

And absolutely factor that in, but making sure that we're only doing it, as you say, where it's necessary and only giving the relevant information to the extent that it's validated at that point.

MR: That brings us to the end of today's episode of the TransUnion podcast. A huge thanks to George for joining me today.

For more information on TransUnion or Kennedys' services, or to download our new ebook titled Data Breach Support for Businesses, please see the comment section below. You can connect with George and me on LinkedIn or of course send us an email, and again we'll put those contact details in the description box alongside this episode.

Thank you so much for listening. Goodbye for now.

This podcast was produced by TransUnion, a global insights and analytics company. The views expressed in this podcast are not necessarily those of TransUnion, and TransUnion is not providing any financial, economic, legal, accounting or tax advice or recommendations in this podcast.
