In EU law, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Here we look at the General Data Protection Regulation and the UK’s Data Protection Bill and consider the risks associated with data breaches and the scope for claims.
Data breaches are becoming increasingly risky for financial institutions. Because digital data is becoming more available and portable, any organisation, even if its controls are adequate, can find itself presiding over a data breach. The GDPR and the Bill in its present form list the financial consequences that a data breach might have for the organisation in question. These include:
- fines from the Information Commissioner’s Office (ICO) of up to the higher of 4% of an organisation’s annual global turnover or €20m (£17m);
- the right for affected individuals to seek compensation even if the firm seems to have done everything it can to prevent data from going astray; and
- reputational problems for the firm, including high-profile staff departures, bad publicity and a drop in its share price.
The causes of data breaches
Data breaches can arise through any number of internal or external causes. The Ponemon Institute’s 2017 cost of Data Breach Study (sponsored by IBM Security) examined data breaches across the globe and found that 47% of them were caused by malicious or criminal attacks (often by hackers and rogue employees), 25% were caused by human error (i.e. negligence) and 28% resulted from systemic glitches.
Data breaches in financial services
Financial institutions are among the most likely organisations to break the rules, owing to the quantity of personal data they hold, the sensitivity of such data and its potential value. A recent high-profile breach was caused by a cyber-attack on Equifax last summer, when 15.2 million records in the UK were compromised. Notably, only 3% of them pertained to direct customers of Equifax. The remainder were customers of other organisations, including financial institutions, whose information had been passed to Equifax when they applied for new bank accounts and the like. As a result of the breach, Equifax has already had to take steps to advise and protect the information security of about 700,000 British customers who were placed at risk of financial fraud, including identity theft. More recently, Equifax has announced that it will also be writing to another 167,000 British customers whose landline details were obtained during the breach (even though these details were available in public directories).
Open Banking came into effect on 13 January. This requires the UK’s largest current account providers to share their customers’ data. Everybody expects this development to lead to more competition and better choice for customers, but it is clear also that as more parties have access to customers’ data, more data breaches are likely.
Data breaches – the costs
Because large-scale breaches in the style of Equifax are likely in future, the financial consequences for banks and other financial institutions could be far reaching. The potential for a fine from the ICO has, perhaps wrongly, received the most press attention to date. Everybody knows that the office will be able to impose fines of up to 4% of annual global turnover or £17 million, whichever is the higher. However, Information Commissioner Elizabeth Denham has commented that “issuing fines has always been and will continue to be, a last resort” and that “focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point”.
Therefore, although people will have the option of complaining to the ICO and a right to ask judges to review its decisions, this will not always provide them with the financial remedies that they feel they deserve. The power to award compensation will remain with the courts.
Current legislation contains a right to compensation for financial loss. However, in Vidal-Hall v Google, the Court of Appeal extended this to include compensation for individuals who suffer “mere distress” as a consequence of a breach, even if they have not suffered financial loss. This right to compensation for distress is now enshrined in the GDPR.
An additional cause for concern for financial institutions will be the recent High Court’s decision in Various Claimants v WM Morrisons Supermarket plc. In January 2014, an employee of Morrisons leaked 99,998 employees’ records online. This included employees’ names, addresses, dates of birth, phone numbers, National Insurance numbers, bank account details and salary details. In short, enough information for identity theft. The employee gained access to this personal information because he was a senior IT auditor, charged with the task of compiling and passing the information securely to an external auditor.
The court determined that Morrisons was not primarily liable or directly at fault for the data breach, having exercised “adequate and appropriate controls,” but it did hold that there was “sufficient connection between the position in which [the auditor] was employed and his wrongful conduct.” Consequently, Morrisons was held vicariously liable for the employee’s actions.
This decision is likely to cause concern for organisations, who may have done everything in their power to prevent a breach, but can still be found liable for the actions of a rogue employee. Organisations will also need to be conscious of the fact that neither the GDPR nor the Bill either expressly or impliedly excludes vicarious liability, meaning that this ruling (subject to appeal) could set the bench mark for data protection after 25th May when the EU regulation comes into force. The decision at trial related only to liability, with the quantum of solace still to be decided. However, given that large data breaches can affect millions of customers, even a modest award per individual could lead to organisations having to make exorbitant payments. A decision about compensation in the Morrisons case is likely to set a benchmark for damages thereafter. In the meantime, Morrisons has been given leave to appeal against the decision and will probably do so – not least because the case will set a precedent for the remaining 95,000 people who were affected by the breach and who might make their own claims for compensation.
The Morrisons case also shows that if a data breach affects many and their claims give rise to common or related issues of fact or law, the courts have the power to hear many claims under a group litigation order. One data breach can affect millions of individuals, so data breaches lend themselves to this type of mass litigation.
In addition to the onerous fines and litigation costs that data breaches can bring them, organisations have to anticipate other financial losses as well. Data breaches naturally receive attention from the press and organisations tend to recover from them more swiftly if they handle publicity well. Equifax’s stock price plunged when its troubles came to light and it is still trying to rebuild its image with shareholders. Its customers are also keen to know about the steps it is taking to stop any breaches in future. Regulatory fines, then, are likely to be among the least of firms’ problems when they fail to protect personal data in future: reputational problems and damages awarded to customers are likely to cost more in the long run.
* Richard Hayllar can be reached on +44 (0)333 006 0436 or at richard.hayllar@TLTsolicitors.com. His co-authors are associate Emily Black and solicitors Alanna Tregear and James Tithecott.