Speed Read: In recent months, discussion about the “failure to prevent” model of corporate liability has gained momentum. Considered below is a recent working paper by The White Collar Crime Centre which explores whether the model could apply to data breach.

Introduction

The coming weeks will shed more light on 12 May’s global coordinated ransomwear attack. As at writing, two points can be distilled. First, the scale of the ransomwear attack is unprecedented and likely indicative of the scale of future attacks. Second, the need to bolster the response to data protection and cyber threats is now firmly on the government and corporate agenda. Against this background, it can be expected that debate will turn to whether corporates are doing enough to facilitate good awareness on the issue of cyber security and data protection and are taking sufficient preventative measures against an attack. Is there a better way to, in the words of the UK’s Information Commission Officer (“ICO”) following the TalkTalk data leak in 2015, make the issue of cyber security a “boardroom issue”? [1]

The White Collar Crime Centre’s recent working paper raises the potential to expand corporate criminal liability in relation to data protection breach. Essentially, it considers the benefits and disadvantages of a new corporate offence of “failure to prevent” modelled on equivalent provisions in the Bribery Act 2010 and, more recently, the Criminal Finances Act 2017. A summary of the working paper is below.

GDPR

Arguably, a call for corporates to become more proactive in preventing data breaches is reflected in the new EU General Data Protection Regulation (“GDPR”), set to come into force for all EU member states in May 2018. The GDPR requires companies to demonstrate that they have done everything in their power to secure personal data or otherwise risk a fine, potentially calculated according to worldwide turnover. With the UK’s withdrawal from the EU set in stone, it is a live question as to whether or not the GDPR or an equivalent framework will become a part of UK law. In the light of this, there is arguably more room than ever before for the UK to tailor its response to data breach prevention.

A boardroom issue

From a broad perspective, it is hard to imagine why a corporate entity would not want to make the protection of data a boardroom priority. The reputational fallout, potential legal costs following legal suit, loss of revenue from individuals choosing to no longer use the corporate’s services or products and a host of restoration expenses are but a few of the potential consequences that follow a cyber-attack. According to a 2016 UK Government report, 69% of 1,000 UK businesses surveyed placed cyber-security high on the senior management agendas. However, only 51% had taken active steps to identify IT and cyber risks, with just 29% having formal cyber-security policies in place and a meagre 10% with official incident management plans.[2] The working paper subsequently questions whether the UK’s legislative regime places enough pressure on corporates to implement robust data protection policies and queries whether the in terrorem effect of the criminal law would force the corporate’s hand to take the issue of cyber threats and data breach more seriously.

UK regime

The current UK legislative regime governing the data protection space is the Data Protection Act 1998 (“DPA”). Sections 55 and 61 are most relevant to corporate liability. Sections 55(1) and (3) of the DPA provide that “a person” (which at law includes a corporate person) commits a criminal offence if they knowingly or recklessly obtain or disclose personal data without the consent of the data controller, or procure such a disclosure to another person. Sections 55(4) and (5) prohibit selling or offering to sell information that has been illegally obtained.

In relation to corporate entities, section 61 of the DPA extends criminal liability for offences that have been committed “with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity.” The section thus provides that top-level management could be held liable for data breaches. Importantly, however, the DPA contains no provision to impose a custodial sentence or empower a law enforcement authority to arrest an individual. The only remedial option available for a conviction under the DPA is the imposition of a fine. Further, although technically corporates can be prosecuted for data breach under section 55 this is subject to the satisfaction of the “identification doctrine” which is central to corporate criminal liability in the UK. At its simplest, the doctrine requires that the criminal acts be attributable to an individual who is the ‘directing mind’ of a company in order for the company to be criminally liable for those acts.

In large companies or companies where responsibilities are subdivided, attributing a data breach to a person who is the ‘directing mind’ of a company can be a very difficult task. In the light of this, there is arguably a legislative lacuna when it comes to corporate liability for data breach and the potential for alternative models of liability to be considered. That is, of course, subject to consideration as to whether a purely regulatory response is a better way of handling data breach matters. Currently, the regulatory approach is favoured in the UK.

Possibility for reform

The White Collar Crime Centre’s working paper proposes reforming the DPA by introducing data protection into the “failure to prevent” framework. The model proposed largely reflects the strict liability approach adopted in section 7 of the Bribery Act 2010 (“BA”). Section 7 of the BA provides that a commercial entity will be guilty of a criminal offence if it “fails to prevent” bribery by persons associated with it. The BA defines an “associated person” to include those performing services for or on behalf of the company, however much ambiguity surrounds the scope and reach of the number of persons who could fall within this category of persons. Section 7 of the BA provides corporates with a complete defence if they are able to prove that they had “adequate procedures” in place designed to prevent bribery. In a similar vein, the proposed new offence could be structured in such a way so as to hold a corporate criminally liable for failing to prevent data breaches where there is a nexus with an associated person. Going further than this, an offence could even potentially be configured without a nexus to an associated person if it was considered that, in the context of cyber attacks and data breach, identifying the individual involved let alone identifying whether he or she was in some way “associated” posed too high a bar to liability.

A complete defence, as per the section 7 offence, would be available to a corporate entities where it could show that it had “adequate procedures” in place to prevent the breach. An offence of such a kind would be in line with what would appear to be a growing trend towards implementing such failure to prevent offences. The Criminal Finances Act 2017 contains the new corporate offence of “failure to prevent the corporate facilitation of tax evasion” and the recent UK Government’s call for evidence on corporate liability for economic crime presented, as an option, the creation of a corporate offence of “failure to prevent economic crime”.

Pros / cons

Legislating in this manner in the data protection sphere is not without merit. First, it would make corporate criminal prosecution a real option for law enforcement authorities; an option that is currently rarely utilised owing, arguably, to the difficulties with the identification doctrine. Importantly, corporations would have a complete defence at their disposal if they could show that proportionate to their size and nature of business they did impose adequate safeguards. This seems only appropriate – and moreover, fair – in an increasingly digitised world where companies are entrusted with an enormous amount of personal data. Such a stance arguably also helps corporates. In order to function day-to-day, to benchmark their business activities, assist customers and comply with legal obligations corporates need to be able to properly store and secure data. Moreover, a strict liability offence of such a kind would lead to a more proactive law enforcement model, as at the frameworks heart is the concept of prevention, rather than the reactive model currently adopted. [3] This would in turn encourage companies to not only ensure that their systems and security policies are up to date but to take an active role in the enforcement of the law. It would also lead to clarity as to when a corporate would be exposed to criminal liability.

All this is not to overlook the potential concerns with the proposed new model. First, although the BA section 7 offence has been ‘on the books’ for nearly 7 years, no prosecution has been bought under it. Its efficacy is therefore not clear cut. A recent OECD report noted that the presence of the section 7 offence provided companies with an “incentive for legal persons to adopt adequate corporate compliance measures and internal controls.”[4] Naturally, corporates will need to implement adequate procedures to ensure that their systems and policies are up to date and this will come at a cost. The cost of doing so will not be insignificant. However, arguably, corporates already bear these costs. As highlighted by the working paper, the link between adequate procedures and data protection already exists as the ICO is required to consider the adequacy of the company’s security measures when a breach is brought to their attention. Moreover, it’s important to recognise that companies can be victims of cyber-attacks themselves and this should be reflected, to a degree, in any legislative reform. In effect, it falls to be considered how fair, if at all, it is to prosecute a company for failing to prevent a data breach in circumstances where the company itself suffered significant harm. This is potentially something that could be considered on a case by case basis, applying a public interest test. Ultimately, the answer to this question should be balanced against the importance of ensuring that in an ever-increasing digital age companies take data protection seriously. Lastly, it could be said that a wider call for corporate criminal liability with respect to data breach is entirely premature and, instead, regulatory options should be preferred.

The White Collar Crime Centre’s working paper is one perspective on potential reform in this growing area. In considering a new corporate criminal offence of failing to prevent data breach, it prompts a timely discussion on an increasingly common activity that, as recent events have shown, can cause immense harm to individuals, corporations and governments.