The two most harmful elements of a data breach are (i) the financial cost of rectifying the situation; and (ii) harm to reputation and trust. The two elements are obviously linked. This note considers a few of the key legal considerations in crafting an optimal PR strategy during a data breach.
Financial implications of getting it wrong
The fines under the new data protection legislation are eye-watering, as demonstrated by the French data protection regulator (CNIL), which recently fined Google 50 million euros in relation to its purported lack of transparency in its treatment of user data. The fines can now be as high as:
- 20 million euros (or equivalent in sterling); or
- 4% of the business’ total annual worldwide turnover, whichever is higher.
The UK regulator, the Information Commissioner’s Office (the ICO), has made it clear that businesses best able to respond to a breach, mitigating the potential harm to individuals, will avoid the harshest of its financial penalties. Mitigating harm to customers also mitigates the damage to reputation and trust.
Prevention is better than cure but it’s not possible to cater for everything
Prevention is obviously better than cure: best practice data management, ongoing investment in IT systems and training for optimal data storage and processing are paramount. Nevertheless, however much a business invests in its data management, even the most intensive, state-run security systems are vulnerable to criminal intrusion or criminal exploitation by insiders. For this reason, it is essential to couple robust preventative measures with an optimal response plan in the event of a breach.
In 2018, the Court of Appeal had to consider a massive data breach caused by an employee with a grudge, working for the employer, WM Morrisons Supermarkets Plc. The breach involved the data of almost 100,000 employees, including disclosure of their salaries. Although Morrisons were found materially compliant with data protection legislation throughout, they were held vicariously liable for the employee’s actions. This was despite the employee acting against his employer’s interests. As one of the judges in the Court of Appeal commented, that is what insurance is for.
Brief summary of a business’s key legal obligations in the event of a data breach
There are strict self-reporting requirements imposed on businesses by the new data protection legislation. In the event of a data breach, two of a data controller’s main legal obligations are as follows:
- to inform the ICO within 72 hours of becoming aware of a breach;
- to notify data subjects “without due delay”. The data controller must explain in clear and plain language what the “nature of the breach” is so that data subjects can take their own steps to mitigate harm to themselves.
On a practical level, discovery of a breach will lead to a list of necessary commercial actions which we do not propose to explore here. However, the list is likely to include immediately (1) involving lawyers who should then instruct any necessary IT forensic expertise on behalf of the business; and (2) involving any relevant insurer, thereby increasing the chance of any relevant insurance policy covering costs flowing from the breach.
Notifying customers of a breach
The legal framework means that a data breach cannot be buried or played down.
It is very likely going to play out in public. Therefore, there is an important role for a business’ PR team in crafting customer communications. In creating those communications, these are some factors to be borne in mind:
- “Without due delay” is open to interpretation and will be fact specific. If the breach involves the disclosure of customer financial details, it will be necessary to communicate as a matter of urgency so that they can take mitigating steps to protect their financial positions. In these circumstances, an email may not be enough.
- In deciding on messaging and in all matters relating to the breach, lawyers should be copied in and leading strategy for two reasons: (1) to ensure messaging and all other actions are compliant with the business’ legal obligations under data protection laws and any internal data breach policies; and (2) to ensure privilege covers internal exchanges and reports, such that communications, where the business’ legal position is explored, do not necessarily become disclosable to the regulator.
- Notification should be done with the greatest degree of transparency. Lack of transparency will often result in a heftier fine from the relevant regulator. Often, it will need to be an ongoing dialogue with customers/employees, rather than just one communication.
What not to do
The following ICO enforcement decisions highlight the importance of transparency at an early stage. While both cases were decided under the old data protection regime, the ICO’s findings remain relevant (save that the fines would now be significantly higher):
The ICO recently fined Uber £385,000 for failing to protect customers’ personal data during a cyber-attack. The breach involved a series of “avoidable” data security flaws, allowing the personal details of around 2.7 million UK customers to be accessed. Affected customers were not informed about the breach for a year. It transpired that Uber had paid a fee of $100,000 to the hackers. Uber’s CEO was unaware that the hackers had been paid off. He commented in a statement issued to the public about the breach that he had only “recently learned” of the breach.
The ICO recently fined Facebook £500,000 in relation to its management of data (this was the largest fine possible under the previous legislation). The data in question was collected via a third-party application, thisisyourdigitallife. The application gathered users’ photos and the content of their messages. The ICO found that Facebook had not taken steps to ensure the application operated consistently with its Platform Policy. Facebook was found not to have done enough to investigate. More fundamentally, it only cancelled the app provider’s user access rights when the Guardian newspaper published an exposé.
Disclaimer: This note is for guidance only. It is not legal advice. In the event of a data breach, it is essential that you obtain urgent, specialist legal advice.