10th February, 2016
What is it?
‘Cyber liability’ is a term used to describe the exposure to legal claims arising from the loss of personal data (i.e. information) due to technical failures, employee negligence (e.g. the loss of a laptop), or criminal behaviour such as hacking.
Is this something I need to be concerned about?
In an electronic world, people take the loss of personal information held by a third party very seriously.
Key assets are now often held electronically and illegally accessing that information can be done far more easily, and with less risk than conventional theft, from the comfort of a remote workstation, often abroad.
Businesses are also at risk from the malevolent hacker who simply looks to plant malware designed to do nothing but disrupt the business.
Add to that the risk of technical and procedural failures (e.g. failing to securely destroy old PCs) or, more likely, a disgruntled or negligent employee (a PwC report in 2015 found that 72% of UK employees had wrongly taken data away, and 52% thought it was theirs to take), and the risk to a business of sensitive personal information getting into the wrong hands is clear.
Chris Graham, the Information Commissioner, has made it clear. He has said: “Respect for information rights is not optional. Organisations that ignore their responsibilities will not only lose the confidence and trust of citizens and consumers but could face painful enforcement action from the Information Commissioner’s Office.”
What is the law?
The Data Protection Act 1998 imposes obligations on organisations that process personal data about living individuals. It provides for information to be processed in accordance with 8 data protection principles, the cornerstone of which requires that “appropriate technical and organisational measures should be taken against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data.”
What that means in practice will vary according to your particular circumstances, but, having regard to the current state of technology and the costs of implementation (i.e. proportionality), appropriate measures must be taken to ensure a level of security appropriate to:
- The harm that might result from unlawful taking, or accidental loss; and
- The nature of the data to be protected.
In addition, reasonable steps must be taken to ensure the reliability of employees and to impose proper obligations on third parties.
What liability am I exposed to?
The powers of the Information Commissioner’s Office (ICO) are extensive: it can issue assessment and enforcement notices, it has powers of inspection, it has the right to impose criminal sanctions, and it can impose civil monetary penalties.
There are 4 tiers of fine, the largest being £500k. Under the proposed General Data Protection Regulation, which should come into force in 2018, those fines will only get bigger and could be as much as 4% of global turnover.
Add to the above the internal resource cost of investigating and handling a data breach or ICO investigation (including senior management time, HR and third party spend), the loss of confidence amongst staff and customers, likely adverse publicity, damage to reputation and brand, and the possible effect on the share price, and it can be seen that cyber liability now represents a major corporate risk.
What examples can you give?
A whole range of public and private sector organisations have lost details such as employee payroll details, staff pension scheme information, tenant rent and arrears information, information about children and young people, etc.
Examples of fines imposed by the ICO include:
- Crown Prosecution Service – £200k fine after laptops containing police videos were stolen.
- Holiday insurance company – £175k after security failures let hackers in.
How do I protect my business?
Ask yourself the questions:
- Does my company have a structured system for protecting personal data?
- Do my staff know their responsibilities for protecting personal data?
- Do my staff care about protecting personal data?
If you cannot give clear answers, then your business is at risk.
Dealing with the above firstly involves management buy-in. An annual report prepared by PwC found that 22% of companies do not brief the board on security issues. It is vital that senior officers/directors with responsibility are given the resources to implement and monitor appropriate technical and organisational security measures including:
- The physical security of buildings, offices and work stations;
- Ensuring the safe disposal of old IT equipment and confidential waste;
- Staff training, identity and security checks; and
- Home working policies.
Businesses should also consider with their insurance broker whether they need to buy bespoke insurance to guard against this risk, or an extension to existing policies. Most importantly, a business should put in place a plan covering the steps to be taken if a data breach occurs.
How can Ward Hadaway help?
For further advice on this issue and how best to protect your business, please get in touch with our technology dispute specialist Tim Toomey.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.