Recently, Tesco Bank became the latest household name embroiled in a cyber security crisis. Following the hack, the Bank quickly explained in a statement that "some of its customers' customer accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently". The exact nature of the attack has not been disclosed, due to the ongoing criminal investigation by the National Crime Agency. However, the Bank sought to reassure customers from the outset that those who had suffered financial loss would be refunded in full. It subsequently confirmed it had refunded £2.5m to 9,000 customers and apologised for the "worry and inconvenience" caused. In an unprecedented step for a UK bank, the Bank also temporarily stopped certain online transactions from current accounts.
There is clearly the potential for serious legal repercussions. Most obviously, those responsible for the fraud face criminal prosecution under the Fraud Act, and may also be guilty of offences under the Computer Misuse Act and possibly the Data Protection Act ("DPA") (although the bank has indicated no personal data was "compromised"). Despite the Bank's statement, it should still consider reporting the breach to the Information Commissioner (if it has not done so already). The recent record fine of £400,000 imposed on TalkTalk by the ICO underlines the possibility of enforcement action, and the ICO is reported to be scrutinising the situation. It is not clear from the statement regarding personal data whether those responsible may nevertheless have had the opportunity to access personal data (such as account details), which could lead to questions around the Bank's compliance with the seventh data protection principle. This is the requirement to take appropriate technical and organisational measures against unauthorised processing of personal data. In TalkTalk's case, customer data was accessed through an attack on vulnerable webpages. TalkTalk was held to a high standard in light of its expertise and resources, and the Bank is likely to face similar scrutiny. The Financial Conduct Authority is also said to be reviewing the situation.
Crisis planning and the all important response
Whatever the regulatory position, the first vital challenge following a cyber attack is the organisation's immediate response, both public and internal. In light of the increasing prevalence of cyber attacks, all corporates (not just large organisations such as Tesco Bank and TalkTalk) are well advised to have a specific crisis management plan that deals with the prospect of a data breach.
Communications advisers, lawyers and IT specialists are all important stakeholders in any such plan, which should address the following issues and the individuals responsible for them:
a) finding out the nature and scale of the breach as quickly as possible;
b) working with the Police;
c) taking steps to shut down ongoing risks;
d) communicating the breach to customers, clients, employees and others affected in an effective and sensitive way;
e) preparing public statements that explain what has happened and the steps being taken to remedy the issue, subject to any investigation restrictions imposed by the authorities;
f) responding to media enquiries;
g) complying with any reporting requirements (e.g. to the ICO); and
h) taking any necessary legal action against those responsible for the breach.
The prevalence of such data breaches also means that organisations should regularly review and, where appropriate, stress test their crisis management plans. This might include taking part in a simulation of the plan to prepare the organisation for the inevitable hack. Companies that respond quickly and effectively to crises can mitigate the potential for significant and costly harm. It is said that TalkTalk's hack cost the business in excess of £60 million. There should also be consideration of whether the purchase of cyber insurance is appropriate. Finally, and perhaps most importantly, company directors must now understand that IT security cannot simply be dismissed as the domain of those with specific technical expertise. Instead it should be consistently reviewed at board level to ensure that the risks of a breach (and the ensuing reputational consequences) are minimised as far as possible.
How did Tesco Bank do?
In the Bank's case, while reputational damage will inevitably have been caused by the very public reporting of the compromise of customer accounts, the initial response was efficient and clear. As noted above, a statement was published on the homepage of the Bank's website shortly after it became aware of the breach and a timeframe for refunding customers was set out, which it appears to have met. The Bank had also sent texts to customers in the wake of the unusual activity in order to ensure that they were aware of the situation as early as possible. As a result, customer criticism appears to have been kept to a minimum for now, although there have been suggestions in the press that the Bank had previously been warned about potential weaknesses in its systems. Whether that is correct remains to be seen.
Putting that issue to one side, the immediate steps taken by the Bank after it became aware of the breach conveyed a decisive message that it was in control and responding in the best interests of customers. Contrast, for instance, the situation at TalkTalk, where the CEO was criticised in the wake of the attack on the company for apparently being unable to answer fundamental questions about what had happened (including the number of customers affected and whether or not data was encrypted). It is clear that the Bank had a crisis plan which it put into effect efficiently, although, as noted, reports have emerged suggesting it ignored warnings about weaknesses in its cyber systems. It remains to be seen whether the Bank can continue to control the damage to its reputation as the legal position regarding its own liability becomes clear. It will also provide another interesting case for the ICO to assess the appropriate fine to levy, if indeed it decides there has been a breach of the DPA.
If you require further information on anything covered in this briefing please contact Thomas Rudkin ([email protected] ; 020 3375 7586), Henry Sainty ([email protected] ; 020 3375 7424) or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Brand & Reputation management and Data Protection pages on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2016