The number of cyberattacks reported by firms to the FCA in 2017 grew to 49 compared with five in 2014. The increasing prevalence of cyberattacks has been demonstrated in recent months by a raft of large companies getting themselves into hot water over matters of data security.
In November, the Chief Executive of Uber announced that the company had experienced a massive data breach in 2016, resulting in the theft of information concerning about 57 million users and drivers worldwide. Upon discovering the breach, Uber did not inform users or regulators. Instead, Uber’s senior executives decided to pay the attackers $100,000 to delete the stolen data. That decision is now the subject of investigation in the US, UK and Italy.
Google is facing a collective lawsuit in the UK alleging that it illegally gathered the personal data of millions of UK iPhone users by bypassing the default privacy settings on their phones in order to track the users’ online behaviour.
The High Court also held in November that the supermarket chain Wm Morrison was vicariously liable to its employees in a claim for damages. The claim arises out of the actions of a disgruntled worker who leaked the names, addresses, bank account details and salaries of almost 100,000 former and current Morrisons employees online.
The security of personal data is coming under increasing scrutiny as modern businesses seek to exploit the huge technical and financial opportunities available to those who are able to collect and process such information. These cases demonstrate the complex legal exposure that accompanies those opportunities.
Aside from civil claims for damages, what regulatory and criminal liabilities might the likes of Uber and Google face in the UK?
The Data Protection Act 1998 (“DPA”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003/2426 (“PECR”) impose a number of duties (or “principles”) on companies and individuals who hold personal data (“data controllers”).
Personal data includes any information capable of identifying a living individual either on its own or when considered alongside any other information which is in the possession of, or is likely to come into the possession of, the data controller. It includes an expression of opinion about an individual.
The duties imposed on data controllers include the duty to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Power to impose a monetary penalty
Breaches of the DPA and of the PECR are enforced by the Information Commissioner’s Office (ICO). The ICO works with other regulators, including the FCA, where, because of the nature of the industry within which the data breach occurred, there is an overlap in regulatory oversight.
Where there has been a serious contravention of the principles of the DPA and that contravention was of a kind likely to cause substantial damage or substantial distress, the ICO may impose a monetary penalty on a data controller. Such a penalty can be imposed if the ICO is satisfied that the contravention was deliberate, or if the data controller knew or ought to have known that there was a risk the contravention would occur and would be of that kind, but failed to take reasonable steps to prevent it.
The maximum monetary penalty is £500,000 and the largest single penalty imposed to date was £400,000 against TalkTalk in October 2016. This was imposed after hackers took advantage of technical weaknesses in TalkTalk’s systems to access the personal data of 156,000 customers. When imposing this record fine the Information Commissioner, Elizabeth Denham, said that it “…acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
The maximum penalty is set to increase significantly when the General Data Protection Regulation (“GDPR”) becomes applicable on 25 May 2018. From that date, the maximum fine for a breach of the core principles, including the security principle, will be the greater of 20 million euros or 4% of the company’s total worldwide annual turnover.
The PECR also imposes an obligation on a service provider to notify the ICO without undue delay when a personal data breach occurs. If the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the service provider is also required to notify the subscriber or user. If the service provider fails to comply with this notification requirement, the ICO may currently issue a fixed monetary penalty of £1,000. Under the GDPR the duty to notify is no longer confined to service providers: every data controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and must inform affected individuals where the breach is likely to result in a high risk to them. Failure to notify will carry a maximum fine of the greater of 10 million euros or 2% of the company’s total worldwide annual turnover. This is likely to make following Uber’s example in responding to a data breach far less attractive after May 2018.
These financial penalties can be imposed where a company has not in any way been complicit in the release of personal data. All that is required is an omission on the part of the company to take adequate steps to protect personal data, or to report a data breach once it has happened. The total value of financial penalties which may be imposed in these circumstances looks set to increase considerably in the first half of 2018, thereby raising the stakes considerably for companies to ensure that they have robust systems in place both to prevent and to detect and report data breaches.
The criminal offences
In addition to the powers of regulators to impose financial penalties, companies, their directors and officers may also commit criminal offences as a result of the way in which they obtain and/or disclose personal data. Depending on the circumstances, a range of offences may potentially apply. The following offences are most readily applicable.
It is an offence, contrary to Section 55 of the DPA, to knowingly or recklessly obtain or disclose personal data, or to procure the disclosure of personal data to another person, without the consent of the data controller. It is likely that some of the information concerning internet usage by iPhone users obtained by Google would be capable of identifying those users and would therefore fall within the definition of “personal data”. On this basis, the offence is likely to be engaged in that case. However, Google would have a defence if it could show that it reasonably believed it had the right in law to obtain this information, or that the data controller (depending on the circumstances, that may be the iPhone users themselves or the company storing their information) would have consented to its accessing the information had it known about it. If that belief is based upon a contractual term Google has in place with its users then it may be relatively easy to establish. If not, such a defence would be much more complicated and would likely rely on circumstantial evidence.
Section 1 of the Computer Misuse Act 1990 (“CMA”) creates a further offence of unauthorised access to computer material. The offence is not limited to accessing personal data. It is committed where a person causes a computer to perform any function intending thereby to secure access to any program or data held in any computer, where that access is unauthorised and the person knows at the time that it is unauthorised. There is no defence of a reasonable belief that consent would have been given, as there is with the DPA offence. This offence therefore criminalises a much broader range of conduct than the DPA offence.
Although the ICO continues to lobby for the section 55 offence to be punishable with prison sentences, it remains, for the time being, punishable by a fine only (albeit there is no limit to the value of that fine). By contrast, the section 1 CMA offence is punishable by a maximum prison sentence of 2 years and/or an unlimited fine, and where the unauthorised access is carried out with intent to commit or facilitate a further offence (the separate offence under section 2 of the CMA, which would typically be engaged where data is accessed in order to commit fraud), the maximum sentence rises to 5 years and/or an unlimited fine.
These offences criminalise the conduct of those who seek to obtain personal data, and are therefore engaged with respect to the actions of Google and of the hackers who obtained the information from Uber and Morrisons. The offences will not apply to companies which have simply omitted to take steps to keep information secure. However, if the ICO is satisfied that a data controller has contravened any of the data protection principles in the DPA, it may serve an enforcement notice requiring that data controller to comply with the principles within a specified period of time. Failure to comply with an enforcement notice is a criminal offence pursuant to section 47 of the DPA, punishable by a fine. A failure by a company to take appropriate technical and organisational measures to keep data, including personal data, secure is therefore unlikely to amount to a criminal offence unless it also constitutes a failure to comply with an enforcement notice.
Companies, their directors and officers are exposed to a range of criminal and regulatory penalties as a result of the way in which they collect, process and disclose personal information. The recent problems experienced by large multinational companies demonstrate the complexity of the problems faced in an era of vast electronic data archives, rapidly evolving technology and increasingly sophisticated hackers. The increased financial penalties for failing to adequately protect personal data from accidental or criminal breaches of data security, in particular, significantly increase the pressure on companies to regularly review, update and document the systems and procedures they have in place to process and secure information.