Consultant Abigail Healey examines the financial, legal and regulatory ramifications of data breaches

Consultant Abigail Healey discusses how “complacency” is now the biggest risk in enforcing against data breaches and hacking.

Abigail’s article was published in Thomson Reuters’ Regulatory Intelligence, 09 December 2022, and can be found here. Abigail’s article was also published in UK Tech News, 28 November 2022, and can be found here.

The UK’s Information Commissioner’s Office (ICO) recently issued a £4.4m fine against Interserve (a Reading-based construction company). The regulator clearly means business when it comes to enforcing against cybersecurity failings, while warning that “complacency” within a business – as opposed to outside hackers – is now the “biggest cyber risk businesses face”.

In 2020, hackers accessed the personal data of some 113,000 of Interserve’s employees through a phishing attack (an employee who was working from home forwarded a phishing email to another employee, who opened it and downloaded the contents). The initial email was not blocked or quarantined and the download resulted in malware being installed on the employee’s computer.  Interserve’s anti-virus software quarantined the malware and sent an alert, but Interserve failed to act appropriately in response.

In the wake of the Interserve fine, Information Commissioner John Edwards said companies should “expect a similar fine” if they don’t have proper cybersecurity protections in place. Mr Edwards said that, “This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud” As well as national insurance numbers and bank details being compromised, some special category data, such as disabilities and sexual orientation, were also compromised.

In issuing the eye-watering fine, the ICO identified Interserve’s failure to act appropriately in response to the initial suspicious activity alert, failure to update software systems, and failure to provide adequate data protection training to staff. Interserve’s lack of sufficient action amounts to a breach of data protection law, in that it failed to put appropriate technical and organisational measures in place to prevent the unauthorised access of personal information.

The UK government’s 2022 Cyber Security Breaches survey found that 39% of UK businesses had suffered a cyberattack in the previous 12 months. The report noted “a lack of technical knowhow expertise within smaller organisations and at senior level within larger organisations.” It said this inhibits an organisation’s cybersecurity and fosters “a tendency to take a reactive approach, viewing investment in cyber security as a cost rather than an investment”.

The risk-based argument for investing proactively in adequate cybersecurity should be crystal clear: the potential financial costs of a data breach due to cybersecurity failings can be enormous.

However, a regulatory fine is often merely the tip of the iceberg in terms of a company’s overall financial exposure to a major data breach. Companies may also face costly litigation, and suffer lost earnings as customers lose confidence. It will inevitably suffer serious reputational damage as news of its failings unfold on a rolling basis, potentially over a period of several years. An adverse ruling by the ICO is not only reputationally damaging, but if the regulator finds that there has been a breach of data protection law, it also serves as extremely compelling evidence to underpin civil litigation, rendering liability almost a foregone conclusion.

Damages claims for data breaches have become a hot topic in recent years. While class actions (such as in the case of Lloyd v Google) have not got off the ground, there is still the possibility of successful group actions being brought pursuant to a Group Litigation Order. And even though it is on a smaller scale, individual claims can also have far wider implications, with the possibility of that one claim opening the floodgates to thousands more.

Until further guidance is given by the courts, it also remains unclear what value might be attributed to data breach claims.  In recent years, claims companies have jumped on the latest bandwagon, encouraging individuals to make claims they are advised are worth thousands in damages for what is a low-level breach (i.e., involving common personal identifiers such as name and address).  Plainly, cases will turn on their individual facts, but companies may take some comfort from the recent case of Driver v CPS, pursuant to which breaches considered to be at the lower end of the spectrum may only attract damages in the region of £250.

Whether the Driver case and other recent judicial findings indicating that low-level data breaches aren’t the meal ticket claims companies have suggested they are has an effect on the tide of threatened or issues claims remains to be seen.

And if a significant number of staff or customers are affected, even claims in the low hundreds soon add up, as costs involved in engaging with potential claimants often dwarf the value of the claims, leaving the company with difficult commercial decisions to make. Boards may have to consider whether to pay up and risk opening the floodgates, or whether to fight a drawn out and costly legal battle in the hope that it will dissuade the masses from following suit.

Some data breaches will be far more significant, where more sensitive data is disclosed or where there has been special damage suffered as a result. These will inevitably attract far higher levels of compensation and require a nuanced approach in their management, depending on the facts. For example, this might apply where health-related data, or data concerning an individual’s sex life or sexual orientation is compromised. Or where payment card details are compromised and successfully used by fraudsters to the financial detriment of the data subject, in which case liability for those losses will inevitably be recoverable.

When it comes to cybersecurity, prevention is better than cure, and bearing in mind the risks, companies cannot afford to be reactive.  All organisations should consider preventing cyberattacks as a key priority. Precisely what steps companies need to take will depend on their business model and sectoral risks, and the sensitivity of the data held. Expert technical advice will usually be required.

Yet basic common-sense measures are often not taken, and if the Interserve fine is anything to go by, the regulator will be unforgiving if that is the case. For example, many companies fail to regularly update software, or to ensure that devices are secured with complex passwords which are changed regularly. When home-working increased during the coronavirus pandemic, many allowed unsecured personal devices to be used for company business.  Given that for many, home-working is here to stay, it is no longer an answer (if it ever was) to say that this was a temporary work around necessitated by the pandemic.

Companies should take advice on the use of technical measures such as VPNs, firewalls and spyware. Staff training is essential, as the human is often the weakest link. It is not enough simply to tick the box that staff have read a usage policy or undertaken training at some point in the past – this needs to be regularly undertaken, reinforced and ideally tested.  It should be given appropriate prominence and importance within the organisation and staff should be educated to understand the risks appropriate to the organisation or sector. They should also understand the risks of sharing information in a personal capacity (in particular on social media), not only exposing themselves personally but also, by implication, their employer. All staff should be able to identify the more unsophisticated types of phishing emails, but also to be aware that realistic looking emails can be sent by hackers, for example, impersonating colleagues. Realistic cloned websites are often used to harvest passwords or other data.

The fundamental aim of data protection is simple: to ensure that personal data remains secure and used for lawful purposes. To develop truly effective processes, companies need to have a genuine understanding of data protection principles and obligations. One thing is for certain: as more aspects of our lives move online, an increased regulatory focus on data protection is inevitable. Data protection is a key risk facing all businesses. It’s vital that companies invest in cybersecurity and in developing a real common-sense understanding of data protection.