Thursday, 6 October 2016

Yahoo: Directors liability for cyber breach : IP protection in the Digital Age

With only 20 months until the implementation of the GDPR large organisations such as Barclays have already put big teams and resources in place to meet the new requirements. With breach fines up to 4% of turnover and the requirements to maintain a personal data inventory and report breaches within 72 hours this will be a big challenge for the SME and Mid Size community. The requirements of explicit consent for processing sensitive personal data (likely to include video and voice) and a linked right to be forgotten will require significant resource commitment and expertise.

TalkTalk were fined a record £400,000 yesterday by the ICO for a very poor level of cyber security which is close to the maximum under current UK legislation. This is a wake up call for businesses handling personal data in the UK as fines will be much higher under the new regime. Dido Harding may be regretting that she did not obtain an independent view of her cyber safety levels and allowed her IT team to mark their own homework.

The Yahoo hack has made the news but most of the focus has been around its scale in terms of numbers of email addresses. The class action suit available HERE  alleges under Count V Negligence. The specific wording is "Defendant owed a duty to Plaintiffs and the other class members to exercise reasonable care in safeguarding and protecting their PI and financial information in its possession from being compromised, lost, stolen, misused, and/or disclosed to unauthorised parties".

Further in the suit it is suggested that that the identity thieves may wait for years to use the information gained and that therefore class members will need to be vigilant for years or decades to come.

The combination of negligence and the potential for decades of required monitoring points to a potentially huge damages number. This could be the end of the road for Yahoo and open the way for personal negligence claims against Directors in this area.


Taken together the regulatory regime in terms of personal data is significantly tightening up and the associated risk level is beginning to become clear. 

No comments:

Post a comment