The Scotsman

Data protection – and reducing your firm’s risks

Craig Kennedy, a lawyer in Dentons’ white collar and government investigations team, suggests strategies to avoid falling foul of GDPR regulation enforced last year


Scottish businesses spent a significant amount of time and effort in their quest to become compliant with General Data Protection Regulation (GDPR) in time for the new data protection regime being enforced from the summer of 2018. However, many failed to do much, if anything, to improve their cyber resilience in the lead-up to that significant change to the regulatory landscape.

A surprising number of organisations still have no formal cybersecurity incident management processes in place and with a reported 40 per cent of UK businesses experiencing a cyber security breach or attack in the last 12 months, now is the time to address cyber resilience.

The terms “cyber attack” and “data breach” are often thought to refer to two different types of corporate crisis. However, in most cases, it would be more accurate to think of cyber attacks as being the cause, with data breach being the effect. Many of the largest-ever data breaches have been the result of cyber attacks of varying degrees of sophistication.

The financial impact can be substantial, with organisations facing fines of up to €20 million (£17.5m) or 4 per cent of their annual worldwide turnover – whichever amount is greater – for failing to safeguard personal data and confidential information under the terms of GDPR.

However, a recent ruling by the Court of Appeal in a case against supermarket Morrisons serves to introduce yet another head of liability that further increases the risks presented by data breaches.

In that case, a senior auditor deliberately leaked the personal data of around 100,000 employees online in what was claimed to be a malicious attack against his then-employer. The leaked data included names, addresses, bank account details and salaries of the individuals concerned.

The Court of Appeal held that Morrisons was vicariously liable for the actions of its employee with the result that it now faces paying out compensation to more than 5,000 claimants.

While it remains to be seen whether the decision will result in an opening of the floodgates to mass compensation claims and American-style corporate lawsuits where a business suffers a data breach, it would appear to be a significant step in that direction.

In its judgment, the Court of Appeal acknowledged that its decision to impose vicarious liability in respect of large-scale data breaches may leave companies exposed to “a large number of claims… for potentially ruinous amounts”.

The ruling confirms that vicarious liability for a data breach can arise without any fault on the part of the employer, and in circumstances where the actions of the employee were expressly prohibited or even criminal.

Being found to be vicariously liable for a data breach could prove to be devastating for most businesses.

While the handling of personal data is essential to the operations of any organisation, a business would be well advised to ensure that no employee has unnecessarily wide access to confidential data that could be exploited for nefarious purposes.

However, businesses can take steps to mitigate the risks surrounding data protection:

1. Review operational and cyber resilience. Many data breaches occur through cyber attacks. All organisations need to take steps to ensure that their networks and infrastructure are protected against both cyber and insider attacks. A cost-benefit analysis should be undertaken to determine what steps are appropriate in the circumstances.

2. Prepare an incident response plan. Investment in establishing an effective incident response plan brings with it many benefits including improved resilience, a greater chance of achieving business continuity in the event of a data breach and a reduction in the financial impact of any incidents that do occur.

3. Build understanding and resilience at board level. Business leaders must take responsibility for developing and maintaining awareness of the risks surrounding data protection and implement suitable protection strategies.

4. Educate staff members on common data protection risks. It is important that staff members understand the various ways in which data can be compromised, with a view to improving detection and avoidance of potential threats. It is only by understanding what the risks are that steps can be taken to avoid them.

The old adage of “failing to prepare is preparing to fail” is particularly true as far as data breaches are concerned.

However, by taking these four simple steps, businesses can proactively reduce their prospects of suffering a data breach, and minimise their exposure to both regulatory penalties and claims arising from them.
