Our Head of Media Disputes, Ryan Dunleavy, comments below on the MGM Resorts data breach and what companies should do when faced with a data privacy incident.
At the end of last week, the latest headline-grabbing data breach story erupted in the media: an incident that led to the release of information relating to more than ten million guests of MGM Resorts. According to media reports, the stolen data is thought to relate to people who stayed at the resorts up until 2017.
The information was reportedly stolen in the summer of 2019 but is said to have been posted on a hacking forum last week. Press reports said that it included the names, addresses and passport numbers of people who had stayed at MGM Resorts.
There was a frenzy of press attention around this data breach last week, partly because among those affected were celebrities, CEOs, journalists, government officials and other high profile individuals who carefully guard their privacy and public “brands”.
MGM Resorts said that, in accordance with applicable US state laws, it notified the affected guests of the hack in 2019.
The cost of corporate data breaches
The MGM Resorts data breach may have affected more than ten million people, but it is nowhere close to Marriott International’s well-documented data breach. Marriott notified the breach to the UK’s Information Commissioner’s Office (ICO) in November 2018, the same year in which it discovered the incident. The Marriott breach affected about 339 million guest records.
There have been more than 160,000 data-breach notifications received by European data protection authorities since the GDPR came into force in May 2018. There have also been a large number of separate data breach notifications in the US in this timeframe.
According to the 2019 Cost of a Data Breach report by IBM Security and the Ponemon Institute, a data breach costs a company in the UK an average of US$3.88m. The figure is based on interviews with more than 500 companies that had experienced a recent data breach. The report takes account of a range of cost factors, including legal, regulatory and technical activities, loss of brand equity, customer turnover and lost employee productivity. Globally, it puts the average cost of a data breach at US$3.92m.
What can a company do when it is faced with a data incident?
Incident response plan and team
As soon as a data incident is suspected, a company should follow its prepared incident response plan and engage the stakeholders identified in it. Each stakeholder has defined responsibilities once an incident has occurred.
Businesses are likely to need to consult stakeholders with the following functions: information security and/or information technology, legal, human resources, marketing, business development, communications and public relations, finance, the president/CEO, and customer care. Trade union officers may also need to be consulted, depending on the circumstances.
It is important for a company to know the roster of stakeholders before an incident takes place.
Not all data incidents require notification, but where an incident meets the legal threshold for a notifiable breach, notification is mandatory rather than optional.
Alongside containment, the first question to settle is whether notification is required and, if so, to which authorities and (in some cases) which individuals.
Best practice is to seek the advice of lawyers, whether in-house or external, to establish the position on notification. Specialist lawyers should be well-versed in the laws and regulations of the jurisdictions that could apply, or have a reliable network of lawyers at firms in other jurisdictions who can assist with notifications across the globe. Making a notification that is not required can be an administratively costly mistake, because it sets in train a regulatory process that then has to be seen through. Equally, missing a mandatory notification deadline cannot be undone, so the assessment needs to be made quickly and the reasoning recorded.
Companies also need to be aware that different jurisdictions impose their own notification requirements, and it is not solely the European regimes that businesses should have in view. The US, in particular, has notification requirements on a state-by-state basis, as well as sector-specific federal laws that require notification of data privacy breaches.
The method, timing and recipients of a notification vary too. Under the GDPR, for example, a notifiable breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, and affected individuals must be told without undue delay where the breach is likely to result in a high risk to them. Failing to notify a notifiable breach to the proper entities and individuals, in the correct way and at the right time, exposes an organisation to potential enforcement action by regulators.
Whether or not a company needs to make formal notifications about a data incident, the incident can cause significant reputational damage. This can lead to loss of revenue, customers, business relationships, investors and staff, to difficulty attracting all of those in the future, and to a drop in stock value.
As such, a company will need to consider the reputational impact of a data privacy incident, and whether it would be advisable to hire a media crisis communications company to deal with potential or actual coverage in the press and on social media.
Specialist media disputes lawyers can act in tandem with communications teams and companies to use various regulatory and legal tools to help mitigate reputational damage or risk. Media organisations are subject to their own regulators in terms of what they can and cannot report, and the courts can be used to protect the reputations of businesses, such as through injunctive relief.
The importance of legal professional privilege
While a data incident is being investigated and contained, it is advantageous for a company’s communications about the incident to be protected from disclosure to third parties and the courts by legal professional privilege. Privilege is only available where lawyers are involved in the communication.
The underlying purpose of legal professional privilege is to allow free access to a lawyer’s professional skill and judgment. It is important to note that legal advice privilege and litigation privilege are different types of legal professional privilege.
Many communications can be channelled through lawyers in ways that attract privilege, but privilege is not automatic: a forensic report or investigation note commissioned directly by the business, rather than by its lawyers for the purpose of giving legal advice, may not be protected. Various legal tests are applied to discern whether legal professional privilege attaches to a given communication, and lawyers can assist companies in navigating this legal minefield.
Regulatory investigations and fines
Lawyers can also be instructed to represent companies facing regulatory investigations, which can result in significant fines. For example, under the GDPR the UK’s ICO can impose a fine of up to €20m or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher.
In addition to regulatory fines, companies can be sued for compensation, potentially for large sums, particularly in class actions. An example is the multi-billion pound compensation claim in Lloyd v Google, which is currently making its way to the UK’s Supreme Court and incurring millions of pounds of legal costs on the way.
The above is a brief summary of some initial responses that should be taken after there has been a data incident. It is not to be relied upon as a comprehensive assessment of everything that a company should do in the event of a data incident. All businesses in the digital age should have well thought out and easy to follow incident response plans, and stakeholders should be engaged with them before there is an incident.
Companies should also ensure that their staff are adequately trained to avoid breaches as far as possible and to respond to them when they happen, and that the necessary insurance coverage, including cyber-liability insurance, is in place.