
Data Privacy and Security is now part of every organisation’s compliance requirements. The requirements of the General Data Protection Regulation (GDPR) impose rigorous obligations and compliance is required if those organisations have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
If an organisation fails to meet requirements, the consequences can be costly, not only in monetary terms, but also if customers make complaints and there is damage to reputation as a result.
Every organisation should be prepared and have a plan ready, which is made known to staff. Some key recommendations are:
- Prepare a data breach response plan and train staff on its contents;
- Identify how to remedy a breach in the event it does happen;
- Review supplier agreements to ensure they have reciprocal privacy and data breach notification requirements;
- Prepare a draft data breach notification, so that if there is a breach, the organisation can move quickly;
- Plan how notification will be undertaken and by which method; and
- Above all, be prepared: make sure everyone in the organisation knows of the data breach notification requirements and understands what is expected of them should a breach occur.
The plan should also reference related policies: a security incident response plan, to address the situation if there is a security breach; a data breach response plan, to comply with the requirements of the privacy legislation; and a business continuity and disaster recovery plan, to set out how the business can continue to operate in the event of a security breach that affects your computer systems.
Many insurance companies now provide cyber security insurance, and each business should consider obtaining such insurance to protect against these risks.
An employer can be vicariously liable for the actions of an employee who is responsible for a data breach. In WM Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339, a disgruntled employee, Skelton, uploaded personal data relating to Morrisons’ employees to a file-sharing website. When Morrisons found out about the breach, immediate steps were taken to remedy it. Skelton was charged with fraud and with offences under the Computer Misuse Act 1990 and the Data Protection Act 1998, was convicted and was sentenced to 8 years’ imprisonment. The claimants then filed proceedings against Morrisons, claiming that Morrisons, in failing to prevent the breach, was primarily liable for breaches of the Act, misuse of private information and/or breach of confidence, or, alternatively, was vicariously liable. At first instance Morrisons was held not to be primarily liable but was held to be vicariously liable, and this was upheld on appeal.
In relation to insurance, the court said at [78]:
‘There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees…’
All organisations should make data privacy and data security their top priority and should no longer view this as an “IT” issue, but an issue for the business as a whole.