Information loss is an ever-present risk for all organisations in today's world. Experience suggests that there is a fundamental and widespread lack of preparation for this risk. However, a change in regulation in 2018, requiring far greater preparation and a much more ordered response to an information security breach means preparation is all the more necessary. While the external risks need to be guarded against, the greatest risk is from within. Are you ready?
The National Crime Agency (NCA) in its 2016 cyber-crime assessment outlined the "real and immediate threat" of cyber-crime to the UK. While the NCA and the newly formed National Cyber Security Centre's focus may be on the threat that exists from outside business, approximately 85% of all data breaches are caused by acts or omissions from within an organisation. This demonstrates clearly that while care needs to be taken in respect of external threats, numerically the insider threat poses the greatest risk.
Possibly without exception, businesses today process a significant amount of personal, often sensitive, data belonging to individuals. This may relate to staff, but it can equally easily relate to customer and client information, some of it capable of being highly sensitive information. Since the introduction of the Data Protection Act 1998, organisations have been obliged to take proportionate technical and organisational measures to minimise the risk of data breaches.
However, with the advent in May 2018 of the General Data Protection Regulation ("GDPR"), which will regulate data controllers' future processing of personal data, the financial risk arising from a breach is about to rise, quite possibly exponentially.
To date, the Information Commissioner's Office (ICO) has had the power to hand out fines of up to £500,000. From 25 May 2018, the fines rise to up to 4% of the organisation's global turnover or Euros 20m, whichever is thought the most appropriate. GDPR is also going to make it easier for victims to bring compensation claims in respect of breaches. As has been emerging in the last couple of years, data breaches are coming out of the backwaters. They are going to be front and centre for organisations and individuals alike.
Royal & Sun Alliance, Morrisons, the London Borough of Ealing and Three Mobile provide an example of the range of organisations that have all been the subject of serious information breaches resulting in the loss of personal data and other confidential information. In the case of RSA, the ICO imposed a £150,000 fine in January 2017 after a member of staff or contractor stole a hard drive containing the personal information of nearly 60,000 customers. Meanwhile, in November 2016, the ICO formally warned Ealing Council after a social worker left highly sensitive Court documents on the roof of her car.
As the cases of TalkTalk and the Panama Papers leak from the law firm Mossack Fonseca demonstrate, security breaches have the potential to cause catastrophic financial and reputational damage.
While it is all but impossible to eliminate entirely the risk of unlawful access and theft of data from outside, it is often the case that information security breaches derive in some way from the conduct (whether intentional or inadvertent) of those employed by the organisation or contracted to provide services to it. There are a number of legal, technical and practical steps that organisations should be taking now to mitigate these issues.
Defining the threat
The so-called "insider threat" or "threat from within" occurs where the actions of an employee, contractor or other third party with access to information cause that information to be compromised in some way. This may involve activities that are variously intentional, negligent or simply inadvertent. It includes, for instance, a disgruntled employee acting with malicious intent, as in the case of Morrisons where an ex-employee published details of around 100,000 members of staff on the internet in 2014. The individual in question was said to have harboured a grudge after being accused of dealing legal highs at work.
Alternatively, in its broadest sense, the threat may arise from more generic failings in the organisation's cyber security, for which its employees (or contractors) are responsible. This was the case when TalkTalk was fined £400,000 by the ICO in October 2016, after the company failed to scan for vulnerabilities in webpages that enabled access to a customer database. The software for the database was itself outdated and affected by a bug allowing attackers to bypass access restrictions.
There are a number of different scenarios which sit in between these two examples, ranging from the employee who inadvertently leaves confidential documents in a public place to those who click on a link in a phishing email or are deceived by "bogus boss" email scams (where emails are sent purporting to be from a senior staff member's account requesting information or a transfer of funds).
Preventing the threat
An organisation's approach to maintaining the security of its information should be holistic and proportionate to the risk faced by the organisation. The level of technical and organisational measures required by a financial institution or medical centre should be far greater than that expected of a small business with limited staff and customer data. Certainly, for larger organisations or those that process a considerable amount of personal data, especially if it is sensitive in nature, proportionate measures will involve education, tight technical measures, due diligence and crisis planning.
While it would seem some industries such as banking are well organised, experience suggests that there is a widespread failure to put in place the necessary proportionate measures to meet the level of risk and/or consequences of a data breach. Given the extent of the fine alone that is likely to be imposed when insufficient measures have been put in place to reduce the risk of a breach, never mind the potential loss of business and reputation harm flowing from a breach, organisations need to work expeditiously between now and May 2018 to build a much more robust response to a data breach, including from within.
The following are some key considerations that all organisations would be well advised to take into account for the purposes of maintaining information security:
First and perhaps foremost, this is not an issue to delegate to the IT team. A member of the Board should have direct responsibility. The experience of organisations such as TalkTalk, RSA and Yahoo underlines the severe consequences (both reputational and financial) that can result from a breach. This should be a Board matter, with proper leadership and structure in place. The IT team have a role to play in protection and response, but they are not to lead.
Organisations should consider appointing an Information Security Officer and/or an entire information security team if large enough. Under the GDPR, certain organisations will also be under an obligation to appoint a Data Protection Officer.
The organisation's risk management approach should include information security as one of its keystones.
Organisations should prepare crisis management plans for a data breach and/or cyber-attack. Any such plan should include key points of contact (whether inside the organisation or external legal, communications or cyber experts) and, in particular, factor in proposed methods for preventing further leaks and identifying the source of the leak. While it is virtually impossible to plan for the eventuality of a specific crisis, organisations should (if viable) carry out scenario simulations (involving external advisers) to ensure that they are as prepared as possible.
The technical strength of the organisation's systems should be regularly updated and tested. As the TalkTalk example above demonstrates, the repercussions for failing to scan properly for vulnerabilities can be severe. Allied to this, organisations should consider whether it is proportionate to conduct cyber and other monitoring which might help to identify abnormal usage or behaviour trends in the workforce. The privacy rights of individuals are a balancing factor here, meaning it is advisable that any monitoring rights an organisation wants to retain over an individual should be built into employment contracts and deployed proportionately.
Appropriate and proportionate due diligence should be conducted on employees and contractors.
Contracts of employment and agreements entered into with third parties should contain confidentiality requirements, along with specific provisions relating to cyber security and data protection.
Regular internal training sessions should be held highlighting the risks of information security breaches and how to avoid them.
Organisations should also consider appropriate insurance since it is possible to find insurance cover to meet a considerable portion of the loss, depending on the level of cover. However, insurance does not normally include meeting any fines.
These measures are not exhaustive and they may not all be appropriate or proportionate for every organisation, particularly smaller ones where some of the steps listed may simply not be practical. Nevertheless, they should be considered both from a generic risk management perspective and in so far as compliance with the DPA and GDPR (as well as any other applicable regulatory framework) is concerned. As noted above, the GDPR increases the stakes, both in terms of the level of fines that can be levied but also because the overall compliance burden for data controllers is enlarged significantly by the legislation.
Responding to the threat in action
An organisation's response to an information security breach necessarily involves a number of strands, ranging from complying with any notification requirements to reputation management. Again, it is helpful to highlight some key considerations:
(a) Needless to say, speed and efficiency are vital. The organisation's crisis management plan (CMP) should be put into action and the relevant external personnel brought in to provide advice.
(b) As a very early step, executing the CMP involves identifying as quickly as possible the factual context to the breach, the nature and scale of information lost and the likely cause. This should involve bringing in the appropriate external technical expertise who can identify where the breaches have taken place, establish how best to look to prevent further breaches and search for evidence to be used in civil, regulatory and possibly criminal proceedings. None of these steps should be conducted by the IT team. They will have enough to do in any event and they will not be able to conduct the necessary investigation to the required evidential standard.
(c) Notification requirements should be complied with. Under the present DPA framework, there is no legal obligation to report security breaches involving personal data, but the ICO has issued guidance stating that "serious breaches" should be notified. However, good practice dictates that the majority of breaches should be reported. This is the case not least because Article 31 of the GDPR states that any personal data breach should be reported within 72 hours (where feasible) of the organisation having become aware of it, unless it is unlikely to result in a risk to the rights and freedoms of individuals. Such rights will inevitably include the privacy rights of those affected, but ordinarily notification will not itself risk harming the rights of individuals. Notification obligations prescribed by other regulators (such as the FCA) should also be complied with. A failure to notify or an inadequate notification is likely to increase the level of any eventual fine.
(d) Notification is not restricted to the regulators. Individuals (whether employees or clients) affected by the breach should also be notified and due consideration should be given to the method and content of any such notification. In the Morrisons example referred to above, the supermarket chain was criticised by employees for using Facebook to notify them that their personal data had been published online. Sports Direct faced similar criticism for failing to inform staff that their data had been lost after a breach in September 2016.
(e) Where client information has been lost, everything possible should be done to restore confidence and minimise the damage. This includes a clear communications strategy (see below), as well as expeditious analysis of possible legal action (including injunctive relief) to prevent disclosure (or further disclosure) of the information.
(f) Steps should be taken as soon as possible to understand the nature of the breach in order to limit the harm caused and to prevent further breaches. This could include identifying the person(s) responsible for the breach and, if it is an employee, employment law advice should be sought to decide what measures should be taken.
(g) Whether and/or when to consult with law enforcement should also be considered. There can be a loss of control once matters are handed over to the authorities, which may not be to the advantage of the organisation or the victims.
Finally, but far from least, a communications strategy should be a key part of the CMP, recognising that there is likely to be a range of stakeholders in the business with whom it will be necessary to communicate at the appropriate time. Of course, any communications strategy is only as good as the information that an organisation has been able to obtain about the breach; TalkTalk's CEO Dido Harding was criticised after an interview in which it became clear that she had a limited grasp of the organisation's information security and seemed not to know how much data had been lost or whether it was encrypted.
The extent of financial and reputational damage arising from an organisation's failings in information security is difficult to quantify. Much of this will depend on the extent to which clients/customers value data security, the nature of the breach and the response to it. What is certain is that this is an issue that organisations need to be ready for.
More than in most other matters, a failure to prepare will seriously exacerbate the consequences. This is all the more so as, when the GDPR regime comes into force, it will mean the adequacy of the steps taken to prepare for a breach, and the response, will be closely measured by the ICO. Crucial to this preparation is a collaborative approach between those within an organisation and external teams of advisors.
While organisations are understandably sometimes reluctant to incur time and cost pre-empting a situation they have not encountered, the reality is that the proportion of those affected by information security breaches is ever increasing and organisations that do not prepare will find responding to the crisis that much more difficult and will face substantially greater consequences, including financial penalties, for not doing so.
No organisation can ignore this threat. It is a "real and immediate" danger both very much from within and also externally. It is a case of when, not if and the time to prepare is now.
If you require further information on anything covered in this briefing please contact Julian Pike (firstname.lastname@example.org), Tom Rudkin (email@example.com) or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, April 2017
A "data controller" is defined in section 1 of the DPA as a legal person (whether an individual or an organisation) "who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed". The definition set out in Article 4(5) of the GDPR is materially the same.