When the General Data Protection Regulation comes into force in 2018 it will impose on companies a duty to report personal data breaches, with widespread implications.
- The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, introducing a duty to notify the Information Commissioner’s Office (ICO) of personal data breaches without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals.
- Fines of a much greater magnitude can be levied by the ICO on companies failing to comply with this duty and, where personal data has been leaked, follow-on civil claims can be expected.
- Reporting companies can expect to be asked to investigate cyber security breaches themselves and to report their findings to the ICO.
Mandatory notifications of data breaches
2018 will see the implementation of the GDPR and its duty on data controllers in the UK to notify the ICO of a data breach involving personal data (data processors, for their part, must notify the controller without undue delay). We expect mandatory reporting to increase the risk of enforcement and civil litigation for corporations following cyber security incidents, whether they result from malware, rogue employees or the poor security of third parties holding corporate data.
Companies must be prepared to assist the ICO and law enforcement agencies in investigating the nature, source and ramifications of cyber security incidents, as the ICO will look to the private sector for assistance in investigating and disrupting cyber crime effectively.
2017 saw a swathe of major cyber security incidents: the “WannaCry” ransomware outbreak, whose worldwide losses have been estimated at $8bn; the “Petya” (NotPetya) infection of a major law firm’s global IT network; and the theft of hundreds of thousands of customer records from Wonga and Three Mobile, amongst others. The volume of data held worldwide continues to grow, and with it both the value and the vulnerability of holding data for business. Meanwhile the most significant cyber security threats continue to grow. The headlines of 2017 have underlined the calamitous impact a data breach can have on revenue and reputation. In 2018, regulatory changes will heighten the enforcement and litigation risk, and further focus corporate risk departments on cyber security.
Source: European Union Agency for Network and Information Security (ENISA), ENISA Threat Landscape Report 2016, published January 2017
GDPR and enforcement
The GDPR comes into effect on 25 May 2018 and will make notification of personal data breaches mandatory for data controllers, whether those breaches result from criminal conduct, negligent loss, or the actions (or inaction) of service providers. At present such reporting is only good practice for most organisations (telecommunications providers already have a breach notification duty under the Privacy and Electronic Communications Regulations), and it has demonstrably not always been followed: recent revelations have shown that companies have failed to disclose major attacks involving data breaches.
We expect compulsory reporting to prompt a surge in notifications to the ICO. In 2016/17 the ICO concluded 17,300 cases. It is reasonable to expect the ICO’s case load to expand significantly, particularly if the prospect of severe GDPR fines prompts companies to report data breaches extensively (and defensively). Even with greater resources, we would expect to see the ICO outsourcing part of its investigative role to the companies reporting data breaches, mirroring the public-private information-sharing partnerships we are observing across the various regulators involved in the disruption of financial crime. Companies must therefore be prepared to cooperate with and support the ICO (and other authorities) in investigating cyber security incidents once reported.
As more incidents are reported, companies can anticipate more frequent enforcement action. To date, the largest fine imposed by the ICO was the £400,000 levied on TalkTalk in October 2016, against a statutory maximum of £500,000 under the Data Protection Act 1998. Under the GDPR the fines available to the ICO, of up to €20 million or 4% of annual worldwide turnover, whichever is higher, will be severe. While these may largely serve as headline deterrents, at least initially, we will be closely watching the approach the ICO takes to its enforcement powers from May 2018.
Civil follow-on claims
In addition to regulatory enforcement, civil claims may be brought against businesses as a result of cyber security incidents. We expect that the transparency brought about by mandatory reporting, and the higher number of investigations, is likely to increase the frequency of such follow-on claims.
The recent judgment in Various Claimants v WM Morrison Supermarkets plc marked the first data leak group action in the UK and, in our view, may be the first of many. The court held that Morrisons was vicariously liable for the deliberate, criminal leak of personal information by one of its employees, even though he acted maliciously in order to damage the company (the court granted Morrisons permission to appeal). This precedent clearly increases the litigation risk that employers must take into account when designing their cyber security systems and processes.
A survey of the FTSE 350 published in August 2017 found that more than half of the UK’s largest listed companies had not taken the actions recommended by the National Cyber Security Centre to identify cyber security risk, while one in ten had no plan for responding to such an incident. As companies prepare for the introduction of the GDPR, we advise careful consideration of the new reporting obligations to the ICO, including the 72-hour notification window, and the development (and rehearsal) of an incident response plan that provides for ongoing cooperation with the ICO and law enforcement.