Summary

Ready for the Inevitable?

Barely a day goes by without a data breach hitting the headlines. It is becoming a fact of life for any firm holding data that, from time to time, some of that data might be lost, stolen, encrypted or otherwise compromised. Firms in the financial sector are particularly vulnerable given the very large volumes of sensitive data they typically hold. So while firms can and should ensure they have all appropriate protections in place to prevent a data breach, they need to know how to respond when it happens. Here are some of the key issues to think about.

1. Mobilise quickly

Identify in advance the people who should be involved in responding to a breach. That may include a range of internal stakeholders – the Data Protection Officer (if there is one) and representatives from IT Security, Legal, Compliance, Corporate Communications and HR. However if the group is too large, decision-making can be inhibited and the risks of information leaking increase. The team should have decision-making authority as a number of critical decisions may need to be made quickly. In addition, identify a panel of pre-vetted specialist forensic investigators and consider instructing them at an early stage. They will preserve the evidential trail while getting to the bottom of key questions, for example: What is the root cause of the incident and how can it be contained? Where is any malware contained and how can it be removed? How long has any bad actor had access to the system and what activity did they undertake?

2. Notify regulators

UK-based firms now have to report personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours where there is a risk to the rights and freedoms of natural persons. In reality, firms will often still be grappling with what has happened in that period and may need to file a preliminary notification until the facts are clearer. Firms authorised by the FCA/PRA will also have parallel regulatory notification obligations. The Memorandum of Understanding between the FCA and ICO (updated in February 2019) makes clear that the regulators will communicate regularly and share information about potential breaches of the regulations enforced by each of them. Typically, you will want to be on the front foot in simultaneously notifying the ICO and the financial regulators, rather than risk one regulator hearing about the breach from another. It is interesting to note that the FCA has publicly criticised what it calls “material under-reporting” of cyber incidents by firms in the regulated sector; by contrast, the ICO feels firms are over-reporting. Also, do not lose sight of any overseas regulatory reporting obligations – the consequences of a data breach are often not confined to a single jurisdiction.

3. Notify customers

The EU General Data Protection Regulation (GDPR) requires firms to inform individuals if the breach is “likely to result in a high risk to the rights and freedoms of natural persons”. There is no prescribed methodology for assessing the likelihood and severity of the risk, but clients will typically be considering the type of data and the numbers affected. So, for example, account details or passwords will carry a higher risk than mere names or genders. Firms should also consider any mitigating/aggravating factors, such as whether any lost data was encrypted. The test may be difficult to apply in the early stages, and firms will need to assess when it is prudent to warn customers. Whilst you will want to provide some reassurance to customers in the notifications, be careful about committing to any definitive facts which are still being investigated. The notification should include the information required under the GDPR, including the measures taken to address the breach and mitigate its effect. You may also wish to offer credit monitoring services where appropriate and include steps the customers should themselves take to mitigate risk, such as changing passwords.

4. Notify insurers

Cyber breach insurance policies are already common in the US and are increasingly being used in Europe also. It is noteworthy that the Court of Appeal in the Morrisons group litigation positively encouraged firms to take out insurance for data breaches. Review your policy carefully in advance in order to consider coverage gaps and exclusions. A recent high profile dispute with an insurer arising from the NotPetya attack is based on an exclusion for “hostile or warlike action” and is a case in point. Where a firm has a policy, early notification is important to ensure coverage.

5. Consider data processors

If the breach has emanated from an external vendor, you will want to call for information from them quickly and you should therefore ensure that you have contractual rights in your agreements. You will also want your vendor to assume responsibility for all response costs – although any indemnification which purported to extend coverage to fines imposed on the controller may fall foul of public policy grounds and be in breach of regulatory rules.

6. Evaluate potential exposure

The €20m/4% of global turnover figures for financial penalties have made headlines, but that is not the only potential exposure in the case of data loss incidents. Civil litigation could ensue and, whilst there is no fully-fledged opt-out class action system in the UK, there are other mechanisms for group litigation which we have recently seen used in the Courts following a data breach. In addition, there is always the possibility of a collective redress scheme being imposed by the financial regulators.

In summary

A data breach does not have to be armageddon for a business. The best thing you can do to prepare for a data breach is to assess the full range of consequences well before any breach occurs. Otherwise, you can end up grappling with important issues for the first time in a pressurised and fast-moving environment. It can be helpful to “war-game” how you would react to a breach with your key stakeholders.