Charlotte Walker-Osborn, Partner and Head of Technology, Media and Telecoms Sector; Edward Norris, Commercial Associate; and Rebecca Sherry, Associate in the Privacy and Information Law Group, all of Eversheds LLP, look at some of the legal obligations which flow following a breach of IT security.

Suffering a security breach is a stressful and demanding time for any IT department and any business. The immediate concerns following a breach will revolve around how the company can contain the breach, identify the security weakness that has been exploited and also ascertain the scale of the breach and the potential damage to the company’s reputation.

All these matters absorb management time and resources. However, it is also important to consider the legal repercussions of a security breach, particularly as the clock can start ticking from the moment a breach is identified when it comes to a company’s reporting obligations.

The Data Protection Act 1998 (DPA) and the Privacy and Communications (EC Directive) Regulations 2003 (PECR) impose responsibilities, obligations and duties on a company that has suffered an IT breach which has compromised the security of its customers’ personal data. It is imperative to appreciate what steps should be taken to mitigate legal and reputational risk after an IT security failure.

Is the company required to disclose the breach?

The most important obligation is for companies to disclose all ‘serious data security breaches’ to the Information Commissioners Office (ICO), the UK’s privacy and information regulator. Specialist legal advice is often needed to:

(1) determine whether the breach is sufficiently ‘serious’ under the DPA and

(2) manage reporting obligations and the fallout from the breach - this is advisable whether considered ‘serious’ or not.

As a guide to analysing the seriousness of any breach, the ICO recommends that companies assess the likely detriment to the individuals affected by the breach (e.g. exposure to ID theft, information about their private lives etc.) as well as the sensitivity and volume of the data involved.

Where a company is a ‘telecoms or internet service provider’ under PECR (what this means in practice is complex, but is likely to include mobile phone network providers, wi-fi internet providers and potentially, even businesses which offer a public wi-fi network to customers (e.g. shopping centres)), it must notify the ICO within 24 hours of the breach being detected. Telecoms or internet service providers are also obliged to inform consumers of the breach if it is likely to cause them adverse harm.

A second sector of companies who should be aware of particular reporting obligations which apply to them are financial services providers. Companies operating in this field should be aware of the Financial Conduct Authority’s expectations for them to protect themselves and their customers against cyber threats and the punishments that can be imposed for a failure to meet these duties.

The Financial Conduct Authority has recently imposed fines of over £3 million on three banking companies for failing to ensure that they had adequate systems to protect their customer’s confidential details from being compromised.

The breaches identified by the Financial Conduct Authority included failing to ensure that confidential customer information was kept in locked cabinets rather than being left on open shelves and the sending of large amounts of unencrypted customer details by post, which resulted in two discs containing the details of over 180,000 policy holders being lost in the post. In the past, other firms to have been fined by the Financial Conduct Authority for similar information security breaches include Nationwide (£980,000), Norwich Union (£1,260,000) and Zurich Insurance (£2,275,000).

In addition to the risk of being fined, companies should also be aware of reputational damage caused by a failure to disclosure an IT security breach. Companies that disclose a security breach quickly and transparently to customers, insurers and the wider market can lessen the impact on their corporate image caused by a data breach.

Loss of data and the ICO

A security breach can take many forms but a common factor is the stealing of customer records and data by a hacker or hackers. Companies to have suffered such breaches in the past five years include Bank of Scotland, Sony, and Staysure Insurance. The ICO can impose fines of up to £500,000 for such security breaches, together with publicly sanctioning companies it finds to be in breach of the security obligations under the DPA, bringing consumer scrutiny and reputational damage.

Each of the companies named above were fined or are facing fines for the loss of sensitive data that was incurred as a result of the breach of their IT systems by hackers, or in a recent case involving a leading supermarket, a disgruntled employee. Examining each of the cases above gives an insight into the ICO’s approach and reasoning when deciding the appropriate penalties for breaches of the DPA and/or PECR in this way.

Following Staysure’s loss of the credit card details of 5,000 customers, the ICO fined the online travel insurance company £175,000 and publicly criticised its failure to update database software and its lack of a policy or procedures to review and update its IT systems - all factors that led to the relatively high fine imposed on the company.

The breach of Sony’s PlayStation Network Platform in 2011, which led to a range of customer personal data being exposed, warranted a fine of £250,000 from the ICO although this fine could potentially have been much larger if it were not for several mitigating factors in Sony’s defence which the ICO took into account, including the fact that Sony did have security measures in place, even if those measures were not sufficient in the ICO’s opinion, and that Sony had quickly informed customers about the attack and offered to compensate them.

Although it has the power to fine companies as a punishment for the breach of data protection legislation, the Information Commissioner does not have the right to award compensation to individuals who have suffered as a result of breach of data protection legislation. However individuals can initiate claims for unlimited damages in court where they feel a company has breached its obligation under the DPA and/or PECR.

Future plans

Companies should be aware that the penalties for breach of the data protection legislation, including loss of data in the manners discussed, are likely to be increasingly severe in the future as the draft Data Protection Regulation (the Regulation) progresses through the EU Legislative process.

The Regulation will be binding on all EU member states when it comes into force and will impact all organisations that process personal data. Whilst the Regulation is still in draft form (with the final form not expected to be agreed until the end of 2015/early 2016 and implementation in or around 2017/2018), it is currently proposed that companies in breach of data protection legislation will be subject to fines of up to between 2-5 per cent of their global annual turnover up to specified caps - depending on whether the Commission, Council or Parliament view holds out.

Another key element of the Regulation is a duty on companies to report data security breaches to the regulator ‘without undue delay’ and where feasible, within 72 hours of becoming aware of the breach, as well as a duty to inform the individuals affected. This will apply where the breach is likely to present a ‘high risk’ for the rights/freedoms of the affected individuals, e.g. financial loss, identity theft, discrimination.

Whilst there is ongoing negotiation about the trigger and timing for mandatory data security breach reporting, that it will become compulsory in some form is highly likely. The passing of the Regulation, with such high potential fines, will no doubt impel companies to review their data security measures and introduce ‘data protection by design’ models by implementing data protection safeguards at the outset of their projects to develop products and services.

What can you do?

The ICO regularly publishes guidance on data security breach management which sets out the regulator’s expectations of the IT security measures it expects from companies under the DPA. This guidance together with the ICO’s reports of cases where it has found companies guilty of failing to comply with data protection legislation provide illuminating guidance of the approach that companies are expected to take and what the ICO considers to be best practice.

Companies are expected not only to protect their personal data but also, as part of that, to maintain plans of how to deal with and respond to potential IT security breaches. They should adopt a proactive mindset, linking in with other crisis management protocols they may have and colleagues elsewhere in the organisation, such as legal, HR, and the PR/marketing team, to consider how they would be able to respond to breaches.

In these scenarios, the ICO and other regulators will look at the methods and procedures that they have used in order to maintain strong, effective and regularly updated defences against data loss and misuse.

This may include data management or protection policies that all staff handling personal data are aware of; appropriate record retention/destruction policies and processes; appropriate data categorisation; regular updating of IT security mechanisms and tools related to that categorisation; regular training and awareness raising; audits; and procedures and plans for dealing with IT security breaches so as to minimise loss from the breach.

© Copyright 2015 Eversheds LLP. Please note that the information provided above is for general information purposes only and should not be relied upon as a detailed legal source.