We are at the start of understanding the extent of the financial liabilities in this area as cases such as the massive Yahoo breach work their way through the system. To get a sense of the scale of possible liabilities, see the Yahoo class action suit.
The cynics might argue that the response of business directors and boards to the cyber threat falls into three main buckets:
- Do nothing and blame the IT people if there is a data breach (most common).
- Do something (get it minuted) and blame the IT people if there is a data breach.
- The experienced IT people persuade the directors / board to invest in a smart bit of kit that generates amazing graphics and goes ‘ping’ a lot; the vendor of the kit, which looks good and goes ‘ping’, then gets the blame if it goes wrong. Job done and blame shifted nicely.
The scope of this post is to identify the potential legal pressure points that put liability directly onto the directors and board of a company for cyber breach and, therefore, progress the nature of the debate in this area.
Directors have always owed legal duties to companies of which they are directors. The Companies Act 2006 codified these into seven separate duties.
Two of the duties are particularly relevant, namely:
Section 172 - duty to promote the success of the company.
Section 174 - duty to exercise reasonable care, skill and diligence.
Under Section 174 in particular, the high-profile nature of cyber risk is likely to mean that meeting the test of reasonableness requires proper care to be taken to protect information.
Beyond the fairly general duties of the Companies Act, we also have the Data Protection Act, which is soon to become the GDPR. The Data Protection Act (and its eight core principles) is the key legislative framework in the cyber area and, with the new GDPR coming into force next year, the maximum fines are rocketing from £500k to four per cent of turnover.
Section 61 of the DPA makes it clear that when an offence under the DPA has been committed and it can be attributed to the neglect of a director then ‘he, as well as the body corporate, shall be guilty of that offence’.
Potentially, therefore, could directors be liable for up to four per cent of the turnover of the companies they work for under the GDPR?
The ICO seems keen to ensure that data protection and its sub-set of cyber security become a mainstream board issue and, therefore, when the next TalkTalk happens it may well not be enough to point the finger at the IT people, say you can barely switch on a computer and rapidly exit stage left.
Directors of companies which process sensitive personal data (which includes CCTV) are going to need to take a much more robust approach to personal data management and cyber risk under the new GDPR regime to avoid finding themselves exposed personally.
Some simple steps to reduce liability for directors could include:
- Have a data protection officer who understands the risks and regulatory framework.
- Have a simple written data protection and cyber policy regularly communicated and updated.
- Insist on an independent digital audit to check for glaring weaknesses and vulnerabilities across all eight principles of the DPA - not just security.
- Ensure extra care is taken with any sensitive personal data.
- Independently audit your data supply chain / hosting providers.
- Don’t collect data you don’t need. You may be building a bigger liability than asset.