In September, we discussed some of the issues an organisation faces if it suffers a security breach which involves personal data relating to its customers, staff or other individuals. Since then security breaches have continued to make the headlines and those affected continue to be concerned about the potential impact, not least in cases involving the possibility of leaked customer account details.

What?

Three key questions

An organisation will need to act swiftly following any data security breach, so it is vital to have policies and procedures in place which consider how the organisation will respond if a breach arises. Three key questions the organisation will need to ask are as follows:

  • Are we legally required to inform the Information Commissioner’s Office (“ICO”) about the breach?
  • Even if we are not legally required to inform the ICO, is this breach serious enough that the ICO will expect to be informed?
  • Should we issue communications about the breach to our customers, staff or other individuals who are the subjects of the data?

So what?

  1.  Is our organisation legally required to inform the ICO of data security breaches?

At present, in the UK, organisations are legally required to inform the ICO of data security breaches if they are “service providers” under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

As the ICO explain, this covers “in essence … someone who provides any service allowing members of the public to send electronic messages. It will include telecoms providers and internet service providers.” The definition may also cover organisations providing public Wi-Fi networks to their customers. There is a specific exclusion in the definition for providers of “content services” – the ICO give shopping portals or online newspapers as examples of content services.

Organisations that are covered by PECR must notify the ICO of a breach within 24 hours of its detection. There is no minimum level of seriousness required; as the ICO explains, even the release of securely encrypted data should still technically be notified. Where PECR applies, organisations must also inform users or subscribers of any breach that is “likely to adversely affect […their] personal data or privacy”.

As well as PECR, industry-specific reporting requirements also apply to organisations who are regulated by the Financial Conduct Authority. Any organisations who are unclear as to whether they fall under PECR or the FCA reporting regime should seek specialist legal advice.

  2.  Even if we are not legally required to inform the ICO, is this breach serious enough that the ICO will expect to be informed?

Even where there is no legal requirement to report, the ICO have made it clear that they expect to be informed of any “serious breach” in relation to personal data, in order to help them perform their function, provide advice and deal with complaints.

Failure to disclose could potentially lead to a harsher penalty should the breach come to the attention of the ICO. The ICO have stated that it is not their approach to publicise security breaches they are informed of that are not already in the public domain, although they may advise the organisation itself to do this.

The key points of ICO guidance on whether a breach is sufficiently serious to require notification include the following:

  • The overriding consideration is the potential detriment to individuals (including emotional distress as well as both physical and financial damage). Examples of detriment include exposure to identity theft and information about private aspects of an individual’s life becoming known to others.
  • Conversely, if there is little risk of significant detriment then an organisation need not notify the ICO. Examples given include the theft of a laptop which is properly encrypted or data which was already publicly available.
  • Low volumes of data where there is no particular sensitivity are not reportable. However, every case must be judged on its own merits and if the organisation “is unsure of whether or not to report, the presumption should be to report”.
  • Sufficiently sensitive data may require reporting even if only one record is released, linking to the overriding consideration of detriment to the individual.

  3.  Should we issue communications about the breach to our customers, staff or other individuals who are the subjects of the data?

Where communicating details of the breach is not legally required, this can be one of the most difficult decisions for organisations to take. The ICO are clear that communicating to the subjects of the data breach is not required in every situation. Additionally, the ICO reiterate that communicating a breach to individuals should not be an end in itself – it should have a clear purpose (for example, to enable the individuals to act to protect themselves from fraud).

Amongst the considerations are:

  • Will informing the individuals help them? Can they act to reduce the harm they might suffer (for example, cancelling credit cards, changing passwords, being more alert to potential fraud)?
  • It should be noted that helping an individual to mitigate any financial loss they may suffer will also have an effect on the amount of a claim they may have against the organisation.
  • Take care not to “over-notify”. For example, if a breach only relates to a small proportion of customers and an organisation chooses to inform all of its customers about the breach it may create a risk of disproportionate enquiries from unaffected individuals.

The commercial factors which may influence an organisation considering whether to communicate any breaches to individuals include:

  • Is the breach already public knowledge?
  • If so, it may be beneficial to attempt to gain some sort of control over the reporting of the breach and provide clear information of what has happened and how the organisation has dealt with it.
  • What would be the potential outcome if we didn’t inform the individuals and the breach later came to their attention from other sources?

It could add further damage to a brand if it was perceived to have tried to cover up the breach.

In summary, unless the organisation has a legal duty to notify the breach to the ICO and inform the affected individuals, it faces difficult decisions as to whether it notifies the ICO and whether it goes public with the breach or not. One of the key things will be for it to balance the risks of disclosing the breach against the risks of not disclosing. In most circumstances it will be advisable to make this decision at a very early stage, and therefore, it is imperative that the organisation has systems in place which enable senior management to be informed of any breaches as soon as possible so that they can respond in a timely manner.