Barely a day passes without fresh news of another data breach. In the digital age information is like money and therefore worth stealing. It now matters when valuable information is handled without due care, because it can be spread around the world to large numbers of people with ease.

We are at the start of understanding the extent of the financial liabilities in this area as cases such as the massive Yahoo breach work their way through the system. To get a sense of the scale of possible liabilities see the Yahoo class action suit here.
The cynics might argue that the response of business Directors and Boards to the cyber threat falls into three main buckets:

1. Do nothing and blame the IT people if there is a data breach (most common).
2. Do something (get it minuted) and blame the IT people if there is a data breach.
3. The experienced IT people persuade the Directors / Board to invest in a smart bit of kit that generates amazing graphics and goes ping a lot, and then blame the vendor of the kit that looks good and goes ping if it goes wrong. Job done and blame shifted nicely.
The scope of this post is to identify the potential legal pressure points that put liability directly onto the Directors and Board of a company for a cyber breach, and thereby move the debate in this area forward.

Directors have always owed legal duties to the companies of which they are Directors. The Companies Act 2006 codified these into seven separate duties. Two of the duties are particularly relevant:

Section 172 – duty to promote the success of the company.
Section 174 – duty to exercise reasonable care, skill and diligence.

Under section 174 in particular, the high-profile nature of cyber risk is likely to mean that, to meet the test of reasonableness, proper care must be taken to protect information.
Beyond the fairly general duties of the Companies Act we also have the Data Protection Act, soon to be superseded by the GDPR. The Data Protection Act (and its 8 core principles) is the key legislative framework in the cyber area, and with the new GDPR coming into force next year the maximum fines are rocketing from £500k to 4% of turnover.

Section 61 of the DPA makes it clear that when an offence under the DPA has been committed and it is attributable to the neglect of a Director, then “he as well as the body corporate shall be guilty of that offence”.

Could Directors therefore potentially be liable for up to 4% of the turnover of the companies they work for under the GDPR?
The ICO seems keen to ensure that data protection, and its sub-set of cyber security, become a mainstream board issue. When the next TalkTalk happens it may well not be enough to point the finger at the IT people, say you can barely switch on a computer and rapidly exit stage left.

Directors of companies which process sensitive personal data (which includes CCTV) are going to need to take a much more robust approach to personal data management and cyber risk under the new GDPR regime to avoid finding themselves exposed personally.
Some simple steps to reduce liability for Directors could include:

1. Have a data protection officer who understands the risks and regulatory framework.
2. Have a simple written data protection and cyber policy that is regularly communicated and updated.
3. Insist on an independent digital audit to check for glaring weaknesses and vulnerabilities across all 8 principles of the DPA – not just security.
4. Ensure extra care is taken with any sensitive personal data.
5. Independently audit your data supply chain / hosting providers.
6. Don’t collect data you don’t need. You may be building a bigger liability than asset.