As featured in the 26th May 2014 print edition of The Lawyer:
From opening mail to sifting through rubbish, there have always been determined individuals willing to go to great lengths to get their hands on sensitive information. Today’s methods for gathering business-critical information are less ‘hands-on’ but just as devious. Phishing, spamming and the actions of a single employee are all ways in which private data can fall into the hands of the wrong person.
A data loss incident, irrespective of whether it stems from internal action or an external attack, can happen at any time and is never convenient. That is why businesses need to ascertain what they can do proactively to mitigate the risk of a data breach, so that when a breach does occur, proven and tested processes are in place to deal with the issue alongside day-to-day operations. If a business is unable to show that it has taken all reasonable steps to protect its systems and the information of its customers, it not only risks breaching its regulatory obligations but also puts its reputation at risk.
The last piece of legislation to address the issue of data protection is now sixteen years old and is no longer fit for purpose. With data technology having advanced at a record pace over the last decade, the sheer volume of data that businesses hold, coupled with the international nature of our online activities, means that our data is now everywhere and easily accessible to anyone with the right know-how.
The General Data Protection Regulation (“GDPR”), currently being negotiated in the EU, is attempting to address this issue by providing a harmonised approach to data protection across all 28 member states. It is anticipated that an agreed form of the GDPR will be in place by the end of 2014, with implementation to follow two years later. Whilst it is hard to quantify the reputational damage stemming from a data breach, the new reporting requirements of the GDPR, in addition to increased fines, will act as a signifier to the markets regarding the general care and competence of a business. This will vary depending on the industry in which a business operates, but it is clear that compliance will not be a straightforward task and is likely to require significant investment, both in time and resources. By understanding the data protection legislative landscape and by carrying out pre-emptive preparation to deal with a data breach, businesses will be well positioned to defend themselves.
Claims earlier this year that a leading high street bank had suffered a significant data breach make it only the latest in a long line of UK and US businesses hit by data loss in recent years. What is critical and abundantly clear from this incident is the importance of the business response to a breach – to ensure that any adverse reputational impact is managed and mitigated. From a reputation perspective, an effective data breach response is underpinned by five key principles:
- Be fast – When a breach occurs, businesses will only have a limited amount of time to report it. Indecision can be fatal, but so too is acting rashly. Preparation will help ensure you make the right decisions quickly.
- Be cohesive – It may be convenient to make data breach the responsibility of one person, but you will require an array of functions to click into place in order to isolate and close the breach, ensure legally compliant reporting, notify customers and handle the media. Each member of your team needs to understand how their role fits into the bigger picture.
- Be mindful of reputational fallout – The real threat does not stem from the incident itself, but from the lasting damage it can do to your brand. Handling a breach effectively will determine how the breach is reflected in subsequent media coverage.
- Focus on the human factor – Policy and procedures are important, but whether malicious or accidental, the common theme in all data breaches is the human factor. Work with your HR teams to ensure every individual in your organisation understands their role in guaranteeing your business emerges with its reputation and bottom line intact.
- Practise your response – A full-scale dress rehearsal will allow you to simulate a data breach so that the right calls become second nature.
I am often approached by organisations in the midst of reputation-sensitive situations. Ultimately, every business at one time or another will find itself on the back foot when it comes to protecting its reputation. But whenever I speak to general counsel and their communications teams, the story I hear is that they have been fighting a rearguard action for some time and are exerting considerable effort just trying to keep up with the steady stream of media enquiries and damaging headlines.
That is why when it comes to a data breach, businesses need to pre-emptively identify and anticipate impending reputation threats that may result from a breach in order to put themselves on the front foot. Law at the speed of reputation requires an informed and fast response so that when a data breach does occur, it can be handled effectively and reflected fairly in any resulting media coverage.