Katherine Gibson: What we can learn from infamous data breaches
Katherine Gibson, who recently spoke at a GDPR Summit in London, explains what lessons data controllers can learn from high-profile data breaches in the post-GDPR world.
Firstly, data breach prevention and data security are critical.
The most recent high-profile data breach concerns the unauthorised access to around 1.2 million customer records held by Dixons Carphone. This is the first high-profile breach under the GDPR, but not the first time this company has experienced a breach. Indeed, the company was fined £400,000 in January 2018 as a result of a failure in security which affected over 3 million customers and employees.
TalkTalk is another company that has suffered a number of high-profile data breaches. In 2016 the company took the dubious honour of being the first to be issued a fine of £400,000 (the highest fine awarded to date) as a result of a major security breach.
These cases are a reminder that reasonable and proportionate steps must be taken to secure data (and that companies should take action on any issues identified by the ICO).
At the Summit, areas for particular focus included email, Cloud storage and supplier relationships. It is also critical to review and learn from any breaches, taking steps to remediate and mitigate the issues that led to the breach.
Secondly, these protections are not just limited to cybersecurity.
The Morrisons case serves as a cautionary tale to all employers and reinforces the importance of insider threat assessment. Morrisons was held vicariously liable for the deliberate disclosure of data by a rogue employee, although little more could have been done to prevent the data breach in the first place.
The key takeaway is the need to take all reasonable steps to ensure that data is secure – including in respect of the threat posed by employees. Measures discussed at the Summit included internal monitoring, vetting and auditing (although these activities present their own challenges under the GDPR), as well as ensuring that employees have proper training and supervision in place.
Thirdly, controllers need to consider possible litigation as well as reporting and responding to the breach.
On top of the fine described above, TalkTalk paid over £20 million in compensation to affected data subjects. Litigation resulting from data breaches is often high in value, as nominal damages are multiplied by the size of the affected group. This trend continued in the “Google You Owe Us” action and the Morrisons case. Indeed, exposure will only increase under the GDPR. It will be easier to bring claims, as there is no need to prove financial loss and third parties can bring class-style actions on behalf of the affected group.
Companies must ensure that they can adequately defend claims as well as meet their obligations. They should consider communications with data subjects and carefully document the investigation.
Participants in the Summit also suggested the use of cyber insurance products to protect against the risk of these claims. Companies should also review the terms of contracts with processors to ensure that the risk of claims is properly split.
Finally, clear, effective and responsive communications are important to protect the reputation of the business.
Whilst it is important to try to prevent data breaches, companies must respond quickly and effectively if they do occur. The MyHeritage breach underlines the value of making clear communications and working to rebuild trust. The MyFitnessPal breach is another good example, as the company was able to understand the extent of the attack and share this quickly, which contrasts with the Yahoo email breach, which took years to confirm. Those at the Summit agreed that it was important to be able to tell data subjects about the breach as soon as possible to allow them to take action to secure their own data.
Katherine Gibson is a legal director at DLA Piper