Failing to invest appropriately in minimising the risk of data breaches is to ignore both the near-inevitability of a breach and the legal obligations imposed upon businesses, writes Farrer & Co’s Julian Pike
COMPANIES processing personal data already have a duty to ensure that there are appropriate technical and organisational measures to protect against breaches. When they fail, the Information Commissioner’s Office (ICO) currently has the power to impose fines of up to £500,000.
That figure alone may be enough to see the value in taking appropriate measures to reduce – you can never eradicate – the risk. When you consider that the average cost of a data breach is said to be between £600,000 and £1.5m, the need to take protective steps is obvious. When the General Data Protection Regulation (GDPR) supersedes the Data Protection Act (DPA), which is due to take effect in May 2018, the balance tips even further towards taking action.
Under the GDPR, the ICO will have the power to impose fines for data breaches, depending on the nature of the breach, of up to 4% of a business’ annual global turnover or €20m (£15.7m), whichever is the greater. Beyond the fine, the real cost will include the direct costs of handling the breach; any compensation that might be payable; and the reputational harm caused by the breach. The latter may be unquantifiable, but in extreme cases it may be terminal. Does anyone expect Mossack Fonseca to be in business in 12 months?
When a breach occurs, a business needs to know what it is facing. The hack on TalkTalk last year cost the company at least £50m, not helped by the fact that it had no idea at the outset how many customers were affected or indeed how the breach had occurred. Whilst the reality was less serious than first feared, it is no coincidence that some 250,000 customers are said to have left TalkTalk in the wake of the incident. Had the company been better prepared – this was the third attack in about six months – and understood the extent of the problem straight away, much of the harm would have been avoidable. As ever, how a business deals with a crisis says a great deal about it: a crisis can damage a brand, but it can also enhance it.
In replacing the DPA, the GDPR builds upon and extends the current law. The “integrity and confidentiality principle” will continue to impose an obligation to process personal data in a way that ensures “appropriate security” by using “appropriate technical or organisational measures”. What is “appropriate” will take account of such factors as the state of the art, the cost of implementing protection, the nature, scope and purpose of the processing, and the likelihood and severity of the risk of loss or unauthorised use.
The GDPR will also impose upon businesses processing personal data a duty to:
- co-operate with the ICO;
- process data securely by appropriate means such as encryption; be able to restore the availability of data in a timely manner after an incident; and regularly test the effectiveness of its security measures;
- notify the ICO within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of those affected;
- notify individuals that the security of their data has been breached where the breach is likely to result in a high risk to them; and
- follow any relevant sector regulatory codes.
These duties will be enforced by the ICO having the power, amongst others, to carry out investigations; to obtain access to a business’ premises; and to ban processing for a defined period of time. The ICO will be no toothless regulator.
Measured against what the best-prepared organisations already do today, the GDPR can effectively be seen as turning best practice for minimising data breaches into a regulatory requirement.
Use the time wisely
2018 may be thought to be some way off: it is not. It will take almost any organisation some 18-24 months to put in place the technical and organisational processes necessary to comply with the new regime. Some companies may already be close to the level of protection appropriate for their business, and there are certification schemes against which organisations can be assessed and certified (e.g. Cyber Essentials Plus and ISO 27001). However, preparation should include:
- proper personnel vetting procedures for all staff and casuals;
- a suitable rolling training and education programme;
- appropriate levels of technical protection;
- clear policies of use for IT systems and devices and appropriate employee confidentiality obligations;
- consideration of those obligations the company should look for in suppliers and other external stakeholders;
- a crisis management plan for dealing with data breaches;
- a business continuity plan in the event of a denial of service attack;
- an identified internal leadership and crisis management team, together with the external advisers you will call on in the event of a breach (e.g. computer forensics, lawyers and communications experts);
- an appropriate level of insurance; and
- regular simulations and reviews. Practice makes perfect.
A business today needs to view itself as a data business as much as it considers itself to be a manufacturing or service company. Only then will it fully address the risks it faces. Cyber protection should be a board matter. It is simply too important, both financially and reputationally, to ignore. As much as it is necessary for a business to meet its legal obligations, its ability to attract and retain customers may depend on it meeting best practice. Some sectors, such as banking, already demand appropriate protections. Technological developments have created amazing opportunities, but also significant risks, and those risks are global.
Julian Pike, a partner at Farrer & Co, heads the firm’s reputation management team