A record £183m fine is to be levied by the Information Commissioner’s Office (ICO) against British Airways for a data breach resulting in the theft of personal data of half a million of its customers. The airline has expressed ‘surprise and disappointment’ at the news; perhaps an understatement given that the previous record fine of £500,000 seems almost negligible in comparison!
Unfortunately these types of hacks are becoming more common, with a similar attack against Ticketmaster reported in June 2018 and another hefty fine (£99m) announced earlier this month against the Marriott International hotel group. Organisations will likely be taking a closer look than ever before at their cybersecurity and considering any weaknesses in their systems and processes.
What does this have to do with outsourcing arrangements?
Many outsourcing arrangements will involve a service provider processing personal data on its customer’s behalf.
As processors within the UK are now subject to direct statutory obligations under the Data Protection Act 2018 (DPA), and directly liable for fines from the ICO, service providers are likely to be troubled by the potential level of these fines and will be considering any liability which may arise through the outsourcing services which they provide to their customers.
In this article we consider how the changes introduced by the GDPR and the DPA might affect service providers, and how these providers may now find themselves ‘on the hook’ for a data breach. We also look at the key points service providers should watch out for in their contractual arrangements.
The British Airways data breach, which began in June 2018 and was notified to the ICO in September 2018, involved the theft of customers’ names, addresses and email addresses, login details, payment card details, and travel booking details after hackers compromised the airline’s website and mobile app. The details of the hack are still not clear, although a report published by cyber security firm RiskIQ does provide some insight as to what may have happened. The theory is that the hack involved the alteration of a piece of code on British Airways’ website so that it captured the data entered by customers and sent it on to a server controlled by the hackers. It is thought that the data was captured at the moment the customer checked out (as CVV numbers, which are not permitted to be stored beyond the point of purchase, were included within the compromised data). The ICO has stated that its investigations found “poor security arrangements” on British Airways’ part.
The GDPR and data security
The DPA, which came into force on 25 May 2018 implementing the GDPR, governs the processing and storage of data and replaces the Data Protection Act 1998 in the UK. The GDPR gives supervisory authorities (the ICO in the UK) the power to fine or take other enforcement action against organisations for data breaches. Whereas under the 1998 legislation the maximum fine was £500,000, the maximum fine under the GDPR is considerably more, at the higher of €20m or 4% of annual global turnover.
Data security is an integral principle of the GDPR, with organisations required to process personal data “in a manner that ensures appropriate security of the personal data… using appropriate technical or organisational measures.” There is no ‘one size fits all’ approach to what is deemed appropriate, and organisations are required to implement security measures which are appropriate to the risk presented by the processing they are carrying out.
Perhaps in recognition that this is in fact rather vague, the National Cyber Security Centre has (jointly with the ICO) published guidance which sets out a set of security ‘outcomes’ that are considered to represent appropriate measures under the GDPR.
What does this mean for providers of outsourced services?
A number of changes introduced by the GDPR will directly affect service providers in their capacity as processors, including:
- Controllers (customers) must now have a written agreement in place with all of their data processors;
- Certain mandatory terms are imposed into these contracts by Article 28(3), including the right for the controller to audit a processor to check its compliance, and an obligation for the processor to assist the controller (which includes assisting in the response to any individual requests and acting promptly in the event of a breach);
- Processors are now subject to direct compliance obligations;
- Processors are now subject to direct enforcement by the ICO; and
- Processors can now be subject to compensation claims by individuals.
As with the Ticketmaster breach detected back in June 2018 (which was found to be the result of a hack not against Ticketmaster itself, but against a sub-contractor), it is entirely possible for a customer’s data breach to occur as the result of a hack against, or system weaknesses of, a provider within its supply chain. Under the old legislation controllers would be liable for any ICO fine resulting from such a breach; the GDPR however has introduced the ability for the ICO to issue fines directly against processors.
Contractual liability is another area in which we are seeing considerable change (especially given the level of ICO fines coming through), in that customers often expect providers to accept unlimited liability for data breaches within their processing contracts. Where a breach has occurred because the provider has breached one or more of its contractual obligations to its customer (including those imposed into the contract by Article 28(3)), the customer can pursue the provider for its losses by way of a damages claim. Customers may also insist upon the inclusion of indemnities within the contract (i.e. a promise by one party to pay money to the other party on the occurrence of a specified event). These may again be unlimited. Providers should also be aware that a customer will often include a data protection breach as a trigger point for its ability to terminate the contract, often without notice or compensation.
This is very much an area for negotiation as, equally, a service provider may be able to insist upon mutual unlimited liability or a mutual liability cap which would give some protection against a data breach by the customer, or for a standalone liability cap solely in relation to data breaches. At the very least a service provider might insist on an obligation upon the customer to have obtained all necessary consents before providing the service provider with the data to be processed.
Providers therefore need to carefully consider their liability under the contract, and seek advice on any attempts by a customer to restrict or exclude the customer’s own liability, and in respect of any indemnities sought.
Checklist for providers
Below is a list of pointers which providers of outsourced services may wish to consider in respect of their outsourcing arrangements (both existing and new):
- Consider whether any personal data is being processed under the arrangement.
- Consider the level of each party’s liability within the agreement. Does data protection fall outside of any liability cap? Is there a separate (higher) cap for data protection?
- Consider whether any indemnities are being granted under the agreement. Is there a separate (higher) indemnity for data protection?
- Question whether your security and organisational measures have been reviewed and approved by the controller.
- Check whether you have a cyber-insurance policy in place. Does your level of potential liability accord with the level of your insurance?