Data security – protect and survive
December 2015 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
The related issues of data privacy and data security have dominated the news agenda in recent months. First, on 6 October, the Court of Justice of the European Union (CJEU) ruled the current Safe Harbor regime ineffective, with the consequence that businesses that transfer data from the EU to the US may be in breach of EU and UK data protection legislation. News has since broken of the TalkTalk security breach. The need to ensure the effective protection of personal data and to protect against cyber crime, long left to IT departments, should now be a priority and a standing item on boardroom agendas.
The Safe Harbor – what has happened?
Under EU data protection law, there is a general prohibition on the transfer of personal data to a country outside the EEA unless that country ensures an ‘adequate level of protection’ for the personal data. The European Commission (the Commission) has certified that a number of non-EEA countries do provide ‘adequate protection’.
A decision published by the Commission in 2000 (the Decision) set out that organisations should achieve an adequate level of protection for the transfer of data from the EEA to the US if they comply with the Safe Harbor privacy principles and the frequently asked questions providing guidance for the implementation of those principles issued by the US government.
In its October ruling, the CJEU held that the Decision approving Safe Harbor was invalid. The ruling was prompted by an Austrian man who objected to Facebook’s transfer of his personal data from Ireland to the US.
The CJEU ruled that the Decision approving the Safe Harbor framework was technically flawed. There were also concerns regarding US legislation permitting US authorities to access electronic communications on a generalised basis, and regarding the absence of any US legislation enabling an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain rectification or erasure of such data.
The consequence of the CJEU ruling is that any business that sends personal data from the EU to the US that had previously relied on Safe Harbor to do so runs the risk of a fine or an order to suspend transfers. However, the Information Commissioner’s Office has said it does not intend to step up enforcement action in this area for the time being. There may even be companies that are not aware that they are at risk, particularly those using cloud-based services where the data may be stored in any number of locations.
There are alternatives to Safe Harbor, notably the use of approved ‘Model Clauses’ or ‘Binding Corporate Rules’ (BCRs); the latter are specifically designed for use by multinational companies. The adoption of BCRs requires approval by the regulator. For the time being, the Information Commissioner is telling businesses not to panic and to wait for guidance on how to proceed with data transfers to the US in the wake of the CJEU ruling. It suggests that a new improved Safe Harbor may emerge. There are steps that businesses can take in the meantime, beginning with a review of contracts involving the transfer of personal data, including cloud providers, to ensure that personal data is not unknowingly being transferred to the US. It would also be wise to undertake a risk assessment of what personal data is held and where, something borne out by the TalkTalk security breach.
It is a principle of the Data Protection Act 1998 (the Act), that personal data must be maintained securely. The Act specifically states that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. Where a system is hacked, or where a rogue employee steals or leaks personal data, or a careless one leaves his laptop on the train with personal data accessible and unencrypted, there is on the face of it a breach of this principle.
The reputational damage that follows a high profile security breach may be more damaging than the regulatory fine that may follow. TalkTalk executives have been fighting a rearguard action to defend the integrity of their systems and reassure worried customers that they take data security seriously. If customers fear that unscrupulous third parties may be able to access their bank details because of the security failings of a service provider to whom they have entrusted those details, they will quickly take their business elsewhere. The consequences are potentially devastating for the company involved.
There may also be personal liability for the directors. Directors are subject to a statutory duty to exercise reasonable care, skill and diligence in their conduct of the company’s affairs. Fundamentally, it is the directors’ job to protect the company against risk and not to ignore the new threat landscape.
The most important step for a board is to apprise itself realistically of the extent of the risk. The most damaging determination a board could make is that ‘it couldn’t happen here’ on the basis that the company is not high profile or its data is deemed to be uninteresting to hackers. In fact, hackers target all businesses, large and small, and the smaller providers often make easy pickings. It is not just personal data that is of interest. There are thousands of lower grade IT attacks each year targeting financial information or IP which are less newsworthy than the TalkTalk breach but may be equally damaging.
It is also something which can directly impact the bottom line. A company which has been hacked may face the possibility of a third-party claim from aggrieved consumers. Following a Court of Appeal ruling earlier this year, as the law currently stands in the UK, claims brought by individuals following a data protection breach may proceed even though the individual concerned may have suffered no financial loss. The loss or compromise of personal data may also impact relationships with business partners, possibly leading to a legal claim where the business partner has suffered loss as a result of the breach. Again, the reputational damage may outweigh the value of any claim.
Sectoral regulators are taking an increasingly proactive approach. For example, the Financial Conduct Authority (FCA) issued guidance for regulated businesses on fighting fraud and cyber crime in April this year. The guidance came with the statement that the FCA expects firms “to put in place systems and controls to minimise the risk that their operation and information assets might be exploited by thieves and fraudsters”. A failure to do so that results in a breach may result in sanctions.
The first step is to appreciate that ensuring data security and compliance with data protection law is a boardroom matter. Individuals should be appointed with clearly defined duties pertaining to establishing and maintaining data security with clear reporting lines up to the board.
If not already undertaken, a risk assessment should be carried out. This should involve an assessment of where personal data is held, whether any of the data is ‘sensitive’ (and therefore should be subject to enhanced security measures, such as encryption), and the effectiveness of systems’ security. Where the personal data is transferred to a data processor, there must be a written contract in order to comply with the Act, and the terms of that contract should be reviewed to ensure the data processor is obliged to maintain the data securely and process it in accordance with the requirements of the Act.
It would be sensible to devise an incident response plan so that, if a data breach does occur, directors and relevant staff know what to do. Legal counsel and PR staff should be involved. A clear strategy needs to be devised for informing both consumers and regulators. In light of the TalkTalk attack, the Information Commissioner, Christopher Graham, criticised the company for a delay in notification of the incident.
Finally, staff should be trained on their data protection responsibilities, and appropriate policies adopted. For example, more and more employees are bringing their own devices to work. This presents data protection risks, and staff should be trained on what the risks are and how to manage them.
Above all, there needs to be top-down cultural recognition that data security is fundamental to managing the business. It is not a subject that can simply be delegated to IT functions and then ignored.
Daniel Newbound is a director and Hayley Lawrence a solicitor at Walker Morris LLP. Mr Newbound can be contacted on +44 (0)113 283 4560 or by email: firstname.lastname@example.org. Ms Lawrence can be contacted on +44 (0)113 283 4488 or by email: email@example.com.
© Financier Worldwide