NEW data protection regulation to replace the current EU directive EU/95/46/EC is due to come into play within the next few years, bringing with it wide-reaching implications for businesses in the way they process personal information.
The regulation aims to improve data security and encourage business leaders to be more vigilant when dealing with sensitive data. It will give regulatory authorities, particularly the information commissioner, additional powers to impose severe penalties on businesses, including third parties, and prosecute company officials in the event of a breach in data security.
At a company level, the regulators will have the authority to impose a fine of up to 5% of the firm’s global turnover following a breach, whereas personal liability for a breach could incur a maximum fine of €1m (£700,000), and in the case of financial directors of UK-based companies, a potential custodial sentence.
The legislation will have an impact on all directors working across all industry sectors and applies not only to European companies but to any firm across the globe that processes EU data.
The consequences of a data breach are often most hard-felt when dealing with financial information. Given the nature of the data being processed, a leak of hyper-sensitive financial and personal details could cause a chain reaction of devastating consequences for any business.
Under the new law, all directors will be put under huge pressure to be more vigilant when it comes to data protection, since this data is particularly sought-after by criminals and directors will most likely bear the brunt of the punishment if any data is lost or stolen.
For example, if a regulatory authority decides to carry out an investigation, all directors can be held personally liable if it is considered that they demonstrated ‘consent, connivance and neglect’ in relation to a data protection breach. The burden is on the individual and in order to counter this, they must demonstrate that they took action to minimise the risk of a breach. It is not enough to simply claim ignorance.
The reporting requirements created by the legislation are also fairly onerous. Directors are obliged to notify the authorities ‘within a reasonable time’ if a breach is discovered, while making those affected aware that their privacy may have been compromised.
Any investigation into how and why a breach of data occurred will be a lengthy process, whereby finance directors may be subject to a series of interviews. It is worth noting that the personal costs incurred due to this process can be sizeable, especially if they require legal representation during an interview.
Directors may also be at risk of backlash from shareholders following a data breach. It is not uncommon for a business to experience a fall in market confidence as a result of a breach in data security, and this could potentially lead to a decline in the share value of the company. In these circumstances, shareholders have the right to pursue a legal claim against the director. This scenario almost materialised recently in the case of Tesco, where shareholders threatened to sue the senior management team for lost shareholder value, in the wake of the high-profile alleged accounting scandal.
Other considerations include the risk to personal assets, as well as the loss of customers and reputational damage that often follow a breach of data; these are further costly losses that can leave huge holes in a business.
Although the new law has not yet come into force, there have been historic breaches which almost certainly would have resulted in directors being investigated, had the regulation been in place at the time. The high-profile hack of US discount retailer Target is a good example, where attackers stole 40 million credit and debit card details thanks to poor security on the point-of-sale systems.
Examples such as this, along with a string of other recent high-profile breaches, have made the business community and those responsible for confidential information much more conscious of the importance of data protection.
Directors and officers’ (D&O) liability insurance will become much more important once this new legislation comes into play. It’s essential that all board members, including FDs, make themselves aware of what they would be responsible for in the event of a data breach. For example, if an outsider was able to access the corporate system and extract bank and salary details due to lax security on the server, the FD could be held liable due to negligence as they would ultimately be responsible for the security of the data.
In preparation, businesses and FDs should review their D&O insurance policy in order to ensure it protects against financial losses including fines, the seizing of assets, company devaluation, or the cost of legal representation in the wake of an investigation and/or legal proceedings. This D&O insurance can provide a safety net in the event of a data breach, enabling businesses to focus on patching vulnerabilities in the system in order to avoid any similar scenarios in future.
Given that the European Council is currently in the process of replacing the directive with a more binding regulation, the new rules could come into force as early as next year. It is therefore essential that FDs and senior managers take the time to understand the legislation, fully review company practices and set in place a water-tight system of checks and balances to ensure the best possible protection against a data breach. They also need to seek professional advice and discuss the coverage of the D&O insurance policy to ensure that it covers as many potential losses as possible in case the worst should happen.
Alex Traill is a partner in the professional indemnity team at risk and insurance law business, BLM