As the recent posting of almost 10gb of sensitive customer data belonging to the infidelity dating website Ashley Madison has shown, suffering a security breach has the potential to wreck untold havoc on a business’s brand, operations and finances and could lead to the capsizing of successful and profit making businesses in a maelstrom of reputational damage, regulatory fines and customer legal action.
As the Ashley Madison and other recent data exposures have shown, it is now increasingly important to consider the legal repercussions of a breach, as the clock can start ticking from the moment a breach is identified, to the threshold of a company’s reporting obligations. The Data Protection Act 1998 (“DPA”) and the Privacy and Communications (EC Directive) Regulations 2003 (“PECR”) impose responsibilities, obligations and duties on a company that has suffered an IT breach which has compromised the security of its customers’ personal data. It is imperative to appreciate what steps should be taken to mitigate legal and reputational risk after an IT security failure.
Disclosing a breach
The most important obligation is for companies to disclose all “serious data security breaches” to the Information Commissioners Office (“ICO”), the UK’s privacy and information regulator. As a guide in analysing the seriousness of any breach, the ICO recommends that companies assess the likely detriment to the individuals affected by the breach (e.g. exposure to ID theft, information about their private lives etc.) as well as the sensitivity and volume of the data involved.
Where a company is a “telecoms or internet service provider” under PECR, (in practice this is complex, but is likely to include mobile phone network providers, Wi-Fi internet providers and potentially, even businesses which offer a public Wi-Fi network to customers (e.g. shopping centres)), it must notify the ICO within 24 hours of the breach being detected. Telecoms or internet service providers are also obliged to inform consumers of the breach if it is likely to cause them adverse harm.
Financial services providers should also be aware of their own particular reporting obligations. The Financial Conduct Authority expects providers to protect themselves and their customers against cyber threats and the punishments that can be imposed for a failure to meet these duties. The Financial Conduct Authority has recently imposed fines of over £3 million on three banking companies for failing to ensure that they had adequate systems to protect their customer’s confidential details from being compromised.
Loss of data and the ICO
A security breach can take many forms but a common factor is the stealing of customer records and data by a hacker or hackers. Companies to have suffered such breaches in the past five years include Bank of Scotland, Sony, and Staysure Insurance. The ICO can impose fines of up to £500,000 for such security breaches, together with publicly sanctioning companies it finds to be in breach of the security obligations under the DPA, bringing consumer scrutiny and reputational damage.
The breach of Sony’s PlayStation Network Platform in 2011 which led to a range of customer personal data being exposed warranted a fine of £250,000 from the ICO although this fine could potentially have been much larger if it were not for several mitigating factors in Sony’s defence which the ICO took into account.
Companies should be aware that the penalties for breach of the data protection legislation, including loss of data, are likely to be increasingly severe in the future as the draft Data Protection Regulation (the “Regulation”) progresses through the EU Legislative process. The Regulation will be binding on all EU member states when it comes into force and will impact all organisations which process personal data. Whilst the Regulation is still in draft form (with the final form not expected to be agreed until the end of 2015/early 2016 and implementation in or around 2017/2018), it is currently proposed that companies in breach of data protection legislation will be subject to fines of up to between 2-5% of their global annual turnover up to specified caps – depending on whether the Commission, Council or Parliament view holds out.
Another key element of the Regulation is a duty on companies to report data security breaches to the regulator “without undue delay” and where feasible, within 72 hours of becoming aware of the breach, as well as a duty to inform the individuals affected. This will apply where the breach is likely to present a “high risk” for the rights/freedoms of the affected individuals, e.g. financial loss, identity theft, discrimination.
What can you do?
The ICO regularly publishes guidance on data security breach management which sets out the regulator’s expectations of the IT security measures it expects from companies under the DPA. This guidance together with the ICO’s reports of cases where it has found companies guilty of failing to comply with data protection legislation provide illuminating guidance of the approach that companies are expected to take and what the ICO considers to be best practice.
Companies are expected, not only to protect their personal data but also, as part of that, to maintain plans of how to deal with and respond to potential IT security breaches. They should adopt a proactive mindset, linking in with other crisis management protocols they may have and colleagues elsewhere in the organisation, such as legal, HR, and the PR/marketing team, to consider how they would be able to respond to breaches. In these scenarios, the ICO and other regulators will look at the methods and procedures that they have used in order to maintain strong, effective and regularly updated defences against data loss and misuse. This may include data management or protection policies which all staff handling personal data are aware of, appropriate record retention/destruction policies and processes, appropriate data categorisation, regular updating of IT security mechanisms and tools related to that categorisation, regular training and awareness raising, audits, and procedures and plans for dealing with IT security breaches so as to minimise loss from the breach.