Once bitten… the dangers of cynicism about the consequences of data breaches
Will Richmond-Coggan , Data Protection and Cyber Risk Director in our Technology & Life Sciences Group at Freeths LLP looks at the dangers around breaches of data.
I am old enough, just, to remember a time before Covid, a time before Brexit, a time (even) before the GDPR came into force. In particular, I remember that a lot of my clients were getting terribly exercised about the possibility of enormous fines from the Information Commissioner (or ICO), every time they mishandled data. Ah, such innocence!
Such fears did not come from nowhere. A great many vendors of cyber and GDPR risk management solutions (including, I am sorry to say, a number of lawyers who really should have known better) were quick to seize on the headline-grabbing maximum fines of 2% or 4% of annual global group turnover, suggesting that fines of this level awaited anyone who put a foot out of line.
Three and a bit years on from GDPR coming into force, a great deal has changed. Yes, there have been a few (a very few) large fines, although the ICO has had to scale back two of the largest, against British Airways and Marriott hotels. In most board-rooms, the risk posed by such fines is viewed more realistically, even cynically. But just as that illusory threat has receded, a far greater and more tangible threat to businesses has begun to emerge.
Your business will almost certainly have repositories of data. It might be payroll information about staff; it might be customer mailing lists; it might be credit card information from online transactions. If you are a responsible (and GDPR-compliant) business you should have technical and organisational measures in place, appropriate to the risk presented by a disclosure of that data, in order to safeguard it. These measures are, in large part, what is meant by cyber-security. They might include firewalls, file encryption, access controls or policies around the retention and secure erasure of information.
No such measures are fool-proof, however. If (when) your system is compromised and the data is accessed, you will need to take a number of urgent steps. First, as soon as the compromise is detected, you will have to secure your data. This can be easier said than done when malware has been installed on your system, particularly if it has been lying dormant for a while and has therefore also been captured in your backups. Second, you will need to consider who the breach needs to be reported to: the ICO; affected data subjects; and/or corporate customers, investors or other stakeholders. All of this needs to be done urgently, and often within 72 hours of becoming aware of the breach.
This is where the real risks arise. As soon as news of a data incident reaches the public domain (and often long before anyone really knows what has happened or who is at fault) we are seeing claimant law firms putting up specific web pages promising compensation to affected individuals, and aggressively targeting those individuals through social media and search engine (adword) advertising.
These firms assert that such claims can be pursued even where there is no evidence of financial harm flowing from the breach. If a claimant says that they have suffered anxiety and distress as a consequence of the incident, the firms will make a claim on their behalf, promising thousands of pounds of compensation for even the most trivial of breaches. I have seen a recent claim for compensation where a letter was sent to the wrong address and returned unopened, for example. In addition to the frequently exaggerated claims for compensation, the law firms are also running up costs which, together with the unrealistic expectations they encourage in their clients, prove to be an enormous barrier to resolving the claims.
Nor, unfortunately, is cyber risk insurance always a solution to this threat. As the rate and scale of these claims increase, we are also seeing a number of insurers who were happy to sell such policies being rather more reluctant to stand behind them. This has the effect of narrowing the availability of cover for costs involved in the remediation and notification steps set out above. But it can also impact on insurer engagement during those first crucial 72 hours. Often businesses are forced to go ahead without the approval of their insurer for fear of losing vital time in their initial incident response activity.
It is not all bad news. Cases (a number of which we are involved in) are making their way through the Courts in an attempt to clarify and restrain the scope for these extravagant claims. Some excellent and responsible cyber insurers are emerging with considerable expertise in incident response and support for affected businesses. Whether these will have the effect of bursting this new litigation bubble remains to be seen, but for now the risk remains. Appropriate safeguards and readiness testing can help to manage that risk, but it must be taken seriously.
Will Richmond-Coggan is a Data Protection and Cyber Risk Director in our Technology & Life Sciences Group at Freeths LLP. He is regularly instructed by corporate defendants in connection with cyber readiness, incident response and large scale data breach litigation.