A data privacy breach can quickly cause immeasurable damage to a company's reputation. It can affect a company's brand, public perception, customer trust, future communications strategies and advertising, regulatory record, bottom line, share price and even destroy a company entirely. Where the breach involves personal data about the public, the stakes are particularly high.
Data breaches have always attracted considerable media attention. This will only continue now that the GDPR is in force, imposing additional obligations on companies and expanding the territorial scope of data protection law and its application. The net result is that a greater number of companies must now comply with EU data protection laws, with the possibility of tougher regulatory action and sanctions as well as civil litigation if they get it wrong.
Individuals are also becoming more aware of the issues and of their rights. They are increasingly taking an interest in how their data is being used and protected, fuelled by the GDPR as well as antipathy towards large online companies, the increasing monetization of data and reports of profiling and harvesting of personal data for political and other ends.
Inaccurate reporting risks
When reporting data breach allegations, the media may not always get it right. Where false and defamatory allegations are published (and/or then republished) about a company, it might have a legal claim for defamation with the possibility of recovering damages and an apology or clarification.
Correcting false allegations made in the media is important to protect a company's long-term reputation. Legal pressure can be applied before publication of defamatory allegations to try to stop the story, reduce the severity of the allegation published, or to help put the company's side of the story across in the article. The best opportunity to influence a story is before publication, although time (usually because of the short deadlines set by enquiring journalists) is very much of the essence.
Similarly, where the breach relates to a company's confidential information, there might be scope to prevent the information (although not the fact of the breach) being published.
If a business wants to get ahead of a data breach story, it should:
- Appoint a team, including reputation management lawyers, and prepare a legal and communications strategy that can be deployed in a crisis. This must involve establishing the facts around the data breach and taking careful advice on pre-prepared, reactive media statements.
- Decide on whether a dual legal and communications approach is required if approached pre-publication by a journalist with questions about a breach. Note that it will almost always be impossible to obtain an injunction to stop the publication of defamatory allegations, whereas it may be possible to obtain an injunction to stop the publication of a company's confidential information (see our article).
- Tackle a threat to publish false allegations (of blame, for example) taking a legal approach to explain why they are false, the financial damage that publication would cause (companies must prove this under section 1 of the Defamation Act 2013 to have an actionable claim) and the legal consequences of going ahead with publication regardless, in order to apply pressure on the publisher to back down.
- If a story breaks containing false allegations, consider circulating a legal notice explaining the falsities to other media to stop the wider republication of the allegations, or issuing a reactive statement to counteract a misleading story and any damaging narrative growing on social media.
- Approach the original publisher for a correction, clarification or apology or, if possible, the removal of the story online. If they refuse, take advice on the merits of threatening legal action. If the publisher is regulated, and as an alternative to legal action, consider making a complaint to IPSO (or to OFCOM if a broadcaster) on the basis that the story is inaccurate.
Where a foreign website based in a jurisdiction which is unlikely to recognise your legal arguments publishes private, confidential or defamatory information, or illegally processes data, it might be possible (following Cartier v BT) to seek a blocking injunction in the UK courts to prevent the UK public accessing such sites. However, this is as yet untested.
Greater Parliamentary scrutiny
Correcting the public record is essential because information in the public domain may become the basis for further inquiries, for example, by government watchdogs and regulators who have the power to summon witnesses to attend before them for questioning.
As has been seen recently by the inquiry into 'fake news' by the Digital, Culture, Media and Sport Committee in the UK, questions can be asked about allegations under the protection of parliamentary privilege allowing the media to republish or broadcast allegations discussed in those proceedings without fear of legal action, often shortly after the session itself has taken place.
The press and the public may attend these sessions, which are recorded, with transcripts made available, and broadcast live online to the world, increasing the pressure on those being questioned who are often protecting their own or their company's reputation in real time during the questioning. Preparation for these sessions is essential, especially as this type of appearance is a widely used, free and privileged source for further media coverage.
Cyberattacks, blackmail and the police
Cyberattacks are increasing and data-rich companies are key targets. An attacker might steal data and other information by hacking into the company's systems. Increasingly, attackers then try to blackmail the company by demanding money in return for agreeing to give back the stolen data and not publish it online or sell it to competitors. But what if the company being blackmailed does not want to pay up, leaving it exposed to a potentially massive reputational risk if the data and information are then leaked online?
In two 2018 cases, Clarkson Plc v Person or Persons Unknown and PML v Person(s) Unknown, an unknown hacker gained access to and stole confidential information from the companies' IT systems, threatening publication unless a ransom was paid. Both companies applied to the court for interim injunctions to restrain publication in breach of confidence. If the threat of publication is carried through by the attacker, such an order can be used to make online publishers (for example, Twitter, blogs, financial forums or document hosting sites) aware that what has been posted on their site by the hacker is confidential and has taken place in breach of a court order, procuring its removal (as happened in PML).
In some cases, a company may be obliged to report a cyberattack to the market under the Listing Rules, which is then picked up and reported on by the media, as happened in Clarkson. If such a report is to be made, communications and media law advice should be taken prior to publication in order to prepare for any media follow-up (with enquiries funnelled only to those authorised to brief journalists) and any further statements. Coverage should be monitored for any inaccuracies which require correcting. In such a case, taking public legal action will have little reputational downside, as the details will already be in the public domain. However, a company which is the victim of blackmail may be able to take action through the courts under the protection of anonymity, thereby potentially preventing it from being named in any media coverage of the court case (as happened in PML). See our article for more about this type of injunction.
As civil actions in cyberattack cases often run parallel to criminal investigations by the police, companies should be aware that details about such cases and the staff involved may come into the public domain as a result of any police press release, or via any criminal case brought against a hacker. Information disclosed in public court proceedings, including the questioning of witnesses and what they say, will be reportable by the media (under the protection of privilege with regard to defamatory allegations aired in court). A company should therefore take advice before any disclosures (and before any court appearance by the defendant) on whether an application for reporting restrictions can be made and what it can cover, to protect the privacy of those involved or confidential information belonging to the company.
Data subject rights and civil actions
The GDPR enhances and creates new rights for data subjects (customers, employees etc.) allowing them to better control the use of their data including, broadly, the right to be informed, not to be subject to certain kinds of profiling and rights of access, rectification, restriction, erasure, objection and portability. Failing to comply with these rights, on an individual or mass basis, has the potential to create adverse coverage which is damaging to a company's reputation or result in high-profile costly litigation.
There are a number of routes to the press for stories about alleged failures to comply with data subject rights:
- A data subject, having been informed by the company about a data breach, might take to social media (including the company's social media account) or news or blog sites to publish allegations. Advice should be taken on any direct response. Competitors, who might join in with making comments against the company to a potentially vast number of their online followers, should be put on notice if publishing falsities.
- If a number of disgruntled data subjects take to social media to make allegations, it could become visible to the news or broadcast media who might follow up with them in order to prepare a story or news programme. They might then approach the company for comment (see above).
- A disgruntled data subject might opt to issue proceedings against a company which fails to comply with his or her rights. If that action is defended, it would enable the media to obtain documents containing potentially defamatory allegations about the company filed at court, the fair and accurate reporting of which is protected by privilege. Alternatively, a data subject might complain to the regulator (see below).
- A court case which goes to trial will allow the media to report on the progress of the trial (potentially creating days of prolonged and damaging media coverage, as well as stories about the witnesses, their evidence and backgrounds, court appearances and cross examination) and will result in a public judgment in favour or against the company.
Post-GDPR, actions brought collectively by a large number of data subjects whose rights have been breached by a company, via Group Litigation Orders, are likely to increase. This is because the cost of such litigation can be pooled and evidence, knowledge and litigation risk shared. The recent case of Various Claimants v WM Morrisons Supermarket PLC (and its appeal) is a prime example (it followed the criminal trial of an employee involved in unlawfully processing the employee data concerned). In this case, 5,518 employees and former employees sued for breach of the Data Protection Act 1998, as well as misuse of private information and breach of confidence. The Judge held that Morrisons was vicariously liable for the actions of its employee, and the Court of Appeal upheld the decision on appeal. This decision can only widen the risk for corporate data controllers post-GDPR, subject to the specific facts of the case.
A civil claim for damages by, for example, 10,000 data subjects for £1,000 each could, if successful, have a major financial impact (in terms of costs and damages payouts) as well as a reputational one. Companies should approach and manage data litigation (as with any public litigation) carefully and obtain appropriate specialist advice, as this will help manage corporate reputation.
Regulatory action can also have a damaging impact on a company's reputation. Under the GDPR, data controllers are required to report a data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects. If a notification is made after the 72-hour period has expired, the data controller must explain the reasons for the delay. It has been suggested that the point at which the data controller becomes aware of a breach is when the controller has a reasonable degree of certainty that a security incident leading to a personal data breach has taken place. This means there may be a short period of investigation during which the controller is not regarded as being aware and before the clock starts ticking. It is during this period that a company should be establishing the facts and details of the breach (which can take time) and taking advice on protecting its reputation. This is particularly so because the regulator may publish a statement confirming the fact of such a report and details of the breach.
Where a data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller must communicate the breach to the data subject without undue delay – which means as soon as possible – or they may be required to do so later by the relevant authority. Although this is a higher threshold to meet than the one requiring a report to an authority, once a breach is reported to data subjects, the fact of the breach and its details have arguably entered the public domain. It is also more likely that the breach will come to the attention of the media (as sourced by an angry data subject), triggering enquiries from a journalist (as discussed above). Notification decisions are, therefore, very important to protecting corporate reputation after a breach and advice should be taken on whether any of the exemptions to notifying data subjects apply:
- Have technical and organisational measures been applied to the personal data which will render it unintelligible to unauthorised persons (such as encryption)?
- Has the controller taken steps to ensure the original high risk is no longer likely to materialise?
- Would notifying each data subject involve disproportionate effort (in which case a general notification rather than one to each data subject may be made)?
Moreover, if the relevant authority commences a regulatory investigation into allegations that the company has breached data protection law, it is likely that a decision of that authority will be published at some point following the conclusion of the investigation, including details of failures and any sanctions levied. The publication of such decisions, or of an official press release summarising the details (including potentially defamatory allegations), findings and sanctions, will be reportable by the media.
Therefore, it is very important that a company obtains specialist representation when engaging with an authority investigating its alleged breaches of data protection law. Better still, a company should take legal advice on compliance issues and obligations, and technical advice on security arrangements, so that it can prevent rather than cure a data breach.