According to a survey published this month by the British Chambers of Commerce one in five British businesses has been hacked by cyber criminals in the past year. The survey follows statistics released last year which estimated that cyber security incidents cost UK industry £34.1bn in 2016.
There have of course been a number of examples of companies being hacked over the past few years, none more high profile than TalkTalk. In October 2016 it was issued with a record £400,000 fine by the Information Commissioner's Office (ICO) for security failings that allowed a 16 year old to access customer data "with ease". The ICO found that a cyber-attack that took place between 15 and 21 October 2015 took advantage of technical weaknesses in TalkTalk's system which resulted in the attacker accessing the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort code.
It is important to remember, however, that you don't have to be a big company – such as TalkTalk – to experience a big data breach. Small and medium-sized companies are just at risk. It is also often the case that data security breaches derive in some way from the conduct (whether intentional or inadvertent) of those employed by an organisation or contracted to provide services to it.
Defining the threat
An "insider threat" comes from the possible actions of an employee, contractor or other third party with authorised access to information which risks that information being compromised in some way. This may involve activities that are variously intentional, negligent or simply inadvertent.
It can include, for instance, a disgruntled employee acting with malicious intent. In the case of the supermarket chain Morrisons an ex-employee said to be harbouring a grudge against the company posted on the internet the bank, salary and National Insurance details of almost 100,000 members of staff. 5,000 employees are now suing for damages.
Other examples, which affect businesses can range from the employee who inadvertently leaves confidential documents in a public place (e.g. a laptop on a train) to those who click on a phishing email or are deceived by "bogus boss" email scams (where emails are sent purporting to be from a senior staff member's account requesting information or a transfer of funds).
Preventing the threat
There are various legal, technical and practical steps that all organisations should be taking to protect the security of their information.
A key element is compliance with the legal obligation imposed by the Data Protection Act 1998 (DPA) and, as of May 2018 the General Data Protection Regulation (GDPR), to take appropriate technical and organisational measures to keep personal data secure. On a more general level, it involves education, due diligence and crisis planning.
The following are some key considerations that organisations of all sizes should take into account for the purposes of protecting their data:
- Data security is an issue that is no longer solely the domain of the IT team. A member of the Board should have direct responsibility. The experience of organisations such as TalkTalk and Morrisons underlines the severe consequences (both reputational and financial) that can result from a breach. And the GDPR increases the stakes, with organisations being subject to potential fines of up to 20 million Euros or 4% of "total worldwide annual turnover of the preceding financial year, whichever is higher". The present maximum fine that the ICO can impose for a data breach is £500,000.
- Proportionate due diligence should be conducted on employees and contractors. Contracts of employment and agreements entered into with third parties should also contain confidentiality requirements where appropriate, along with specific provisions relating to cyber security and data protection.
- The technical strength of the organisation's systems should be regularly updated and tested. The repercussions for failing to scan properly for vulnerabilities can be severe. Allied to this, organisations should consider whether it is proportionate to conduct cyber and other monitoring which might help to identify abnormal usage or behavioural trends in the workforce.
- Organisations should prepare crisis management plans for a data breach and/or cyber attack. The plan should include key points of contact whether inside the organisation or external legal, communications or cyber experts. While it is virtually impossible to plan for every eventuality, organisations should (if viable) carry out scenario simulations (involving external advisers) to ensure that they are as prepared as possible.
- Regular internal training sessions should be held highlighting the risks of information security breaches and how to avoid them.
These measures are not exhaustive and they may not all be appropriate or proportionate for every organisation, particularly smaller businesses where some of the steps listed may simply not be practical. Nevertheless, they should be considered both from a generic risk management perspective and in so far as compliance with the DPA and GDPR (as well as any other applicable regulatory framework) is concerned. As noted above, the GDPR increases the stakes, both in terms of the level of fines that can be levied but also because the overall compliance burden for data controllers is enlarged significantly by the legislation.
Responding to the threat
An organisation's response to an information security breach should involve a number of strands, ranging from complying with any notification requirements to reputation management. Again, it is helpful to highlight some key considerations:
(a) Speed and efficiency is vital. This involves identifying as quickly as possible what exactly has happened. The organisation's crisis management plan should be put into action and thought should be given to instructing the relevant external advisors (legal, technical and communications) to provide advice.
(b) Notification requirements should be complied with. Under the present DPA framework, there is no legal obligation to report security breaches involving personal data. However the position will change under the GDPR which will require companies to report breaches to the ICO within 72 hours of becoming aware. A failure to notify or an inadequate notification is likely to increase the level of any eventual fine.
(c) Notification is not restricted to the regulator. Individuals (whether employees or clients) affected by the breach may also need to be notified and due consideration should be given to the method and content of any such notification. In the Morrisons example referred to above, the supermarket chain was justifiably criticised by employees for using Facebook to notify them that their personal data had been published online.
(d) Where customer information has been lost, everything possible should be done to restore confidence and minimise the damage. This includes a clear communications strategy, as well as analysis of possible legal action (including injunctive relief) to prevent disclosure (or further disclosure) of the information.
(e) As noted above, steps should be taken to identify the person(s) responsible for the breach and, if it is an employee, employment law advice should be sought to decide what measures should be taken. Also is there a need to report the matter to the police?
The extent of the financial and reputational damage caused by a data breach can be difficult to quantify. In the Talk Talk case it is said the total bill was in excess of £60 million. Whilst most businesses will not face data breaches on that scale a failure to prepare could still have catastrophic consequences particularly when the GDPR is implemented next year. Organisations are sometimes understandably reluctant to incur time and cost pre-empting a situation they have not encountered. However, the reality is that the number of those affected by information data breaches is increasing. This is a case of when, not if and the time to prepare is now.
If you require further information on anything covered in this briefing please contact Michael Patrick(firstname.lastname@example.org) or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, May 2017