Data breaches are a ubiquitous threat for all organisations, regardless of their size, location or industry. The UK Government’s Cyber Security Breaches Survey 2022, for example, reported that 39% of UK businesses identified actual or attempted cyber attacks in the previous 12 months.
This figure does not include non-cyber data breaches resulting from causes such as emails sent to an incorrect recipient, the accidental loss of devices or paperwork containing personal data, the incorrect disposal of hardware or paperwork, or unauthorised access by disgruntled employees or leavers trying to take customer data with them. All of these issues can give rise to significant business impacts and legal exposure.
Sadly, the reality (as evidenced by the above statistic) is that even those businesses with the best technical and operational controls will suffer breaches from time to time. The penalties in the UK and EU for a failure to prevent a breach can be severe and range from informal admonishment to financial penalties of up to 4% of an organisation’s global turnover or €20m/£17.5m (whichever is the higher). By way of example, British Airways received the largest UK fine of £20m in relation to a cyber-attack in 2018 and, more recently, a construction company, Interserve Group, received a fine of £4.4m for a failure to prevent a cyber-attack.
Given this risk, it is incumbent on organisations to put in place measures to help reduce the risk of a breach occurring and to mitigate the effects when it does occur. In this article, we give a brief overview of the sorts of practices which are expected under UK and EU law and regulation both pre and post breach.
Although we approach the issue primarily from a UK perspective, the GDPR was incorporated into UK law (as the “UK GDPR”) at the time the UK left the European Union, and the two data protection regimes remain materially the same in most respects. That said, national regulators often take somewhat different approaches to the implementation and enforcement of the same regulations, so we would always recommend that advice be taken in the relevant jurisdiction.
The GDPR sets out the legal and regulatory expectations about the sorts of data security measures which organisations should have in place to prevent data breaches. Non-UK/EU processors still need to pay heed to the GDPR, as it has extraterritorial effect; for example, it applies where an organisation has a base in the UK/EU or where it offers goods and services to individuals based there.
The Regulations require organisations to handle personal data in a way which guarantees an appropriate level of data security against unauthorised or unlawful processing and accidental loss of data, by having in place “appropriate technical or organisational measures” (see, for example, Articles 5(1)(f), 24 and 32 of the GDPR). The GDPR requires the level of security to be appropriate to the risk. So, if, for example, an organisation routinely handles significant volumes of personal data, or deals with highly sensitive personal data (such as medical records or financial information), then the expectation would be that more stringent measures are put in place.
How can organisations demonstrate that they have complied with regulatory expectations? The GDPR gives some suggestions of appropriate measures, but they are far from exhaustive. Measures such as the encryption and pseudonymisation (through hashing or tokenisation) of personal data, which provide an added level of security and reduce risk when sharing data, will all help to create a regulatorily defensible position. Organisations should also consider organisational measures such as minimising data collection and putting in place policies and processes to ensure personal data is not kept for longer than necessary.
Other common measures include delivering relevant training to staff, implementing effective policies, physical measures preventing access to data, confidential waste disposal, firewalls, comprehensive back-ups and endpoint detection and response. Whilst not all of these measures are specified by the GDPR, they are important tools in demonstrating that organisations have appropriate technical and organisational measures in place.
Having these measures in place does not, however, guarantee that they are effective, and Article 32 of the GDPR also expects organisations to have processes for testing and evaluating their effectiveness, for example through penetration testing, vulnerability scanning and testing of disaster recovery and business continuity plans.
Even if an organisation is well protected, it can remain vulnerable to risks in its supply chain and from business partners if they are processing personal data on its behalf. Organisations therefore need to take appropriate steps to ensure that these third-party processors have put in place appropriate technical and organisational measures (see, for example, Article 28 GDPR).
In addition to the GDPR, critical service providers in the UK and EU (for example, organisations involved in energy, transport, water, healthcare, online marketplaces, search engines and cloud computing services) must have regard to the Network and Information Security (NIS) Regulations. Whereas the GDPR’s focus is on protecting personal data, the NIS Regulations focus on improving security standards. Similarly to the GDPR, they require relevant organisations to put in place appropriate and proportionate organisational and technical measures to ensure the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes.
In November 2022, the EU adopted a directive (the NIS2 directive) which aims to address perceived deficiencies in, and future-proof, the existing NIS directive. Whilst the UK is also planning to update NIS, the UK proposals are somewhat less prescriptive, and this may lead to divergence between the UK and EU NIS regimes, so critical service providers will need to be mindful of their compliance obligations under both regimes.
If a data breach occurs, the affected organisation must act quickly. Under Article 33 of the GDPR, data controllers need to notify the relevant data protection authority (the Information Commissioner’s Office (ICO) in the UK) of the incident within 72 hours if there is a risk to the individuals whose personal data was impacted.
Individual data subjects will also need to be notified if they are at a high risk of harm (per Article 34 GDPR). Data controllers should identify affected individuals as early as possible and are required by the GDPR to notify them without undue delay. Individuals may be able to initiate claims for distress or financial losses caused by data protection breaches, so clear, swiftly delivered communications are also key to ensuring that customer relationships are maintained and litigation is avoided.
Depending on the industry of an affected organisation, it may also be necessary to notify other regulators, who will have their own requirements. In the UK, for example, organisations regulated by the Financial Conduct Authority (FCA) must notify the FCA of material cyber incidents (in compliance with Principle 11 of the FCA Handbook). While the FCA does not have enforcement powers relating to a breach of the UK GDPR per se, it has the power to take enforcement action for breaches of FCA rules, for example those relating to failures in systems and controls.
Similarly, the NIS Regulations require impacted relevant operators to promptly notify the ICO or, for some operators of essential services, their designated industry authority, about incidents where there has been a substantial impact on service delivery.
Finally, it might also be necessary to consider whether individuals or data held in other jurisdictions have been affected, in which case the organisation’s regulatory obligations in those countries must be taken into account.
There can be serious reputational, financial and legal consequences when organisations get this wrong – it pays to put measures in place and to get them right the first time. John Edwards, the UK Information Commissioner, recently said of the risk of cyber incidents:
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a…fine from my office.”
Given these risks, the topic of data protection and cyber security should be a regular feature on C-suite agendas.