To report or not report, legal expert Emma Green on data breaches

Solicitor outlines the do’s and don’ts from a compliance and legal perspective after a cyberattack.

Discussion of cybersecurity and best practice on how to prevent attacks featured heavily at London DTX Expo. But what are the legal implications if an attack occurs and data is stolen? Emma Green, Managing Partner at Cyber Data Law Solicitors, guided delegates through the requirements after a data breach.

In the UK, data breaches are reported to the Information Commissioner’s Office (ICO), but not all attacks are required to be reported. Green explained the pros and cons of reporting even if you don’t have to.  

Don’t take it lightly

“Each breach can be different,” said Green. “The ICO can investigate you too, so don’t take reporting lightly. You can’t unreport if you got it wrong.”

She said it’s important to assess the risks and recommended not reporting until you can demonstrate there has been a data breach. She added: “If the ICO feels it’s a breach of legislation, it can issue sanctions, including a fine, and name and shame you.”

Gareth Neal, David McKenzie, Rich Fowler, Guy Golan and Emma Green discussed cyber insurance, among other topics. Photo: Martina Lindberg

However, where a reportable breach has actually occurred, there is a 72-hour window in which the report must be sent to the ICO, starting from the moment the organisation becomes aware of the breach.

Failing to notify the ICO of a data breach when required can result in a fine of up to £8.7m ($9.8m) or 2% of the company’s global annual turnover, whichever is higher.

“If you see something on Friday, don’t wait till Monday”, said Green.

Not all cyberattacks will necessarily be reportable, but companies need to report to the ICO if there has been a breach of personal data, and must then assess the risks to the individuals concerned. Personal data is defined as any information relating to an identified or identifiable natural person, directly or indirectly, for example credit card information. Even if there’s no name involved, such information is unique to the individual, who can therefore be identified from it.

Rights and freedoms

If a breach of personal data is likely to result in a high risk to individuals’ rights and freedoms, the business must also inform those individuals without undue delay, Green explained.

Some industries have separate duties to report other cyber incidents, not only personal data breaches, for example:

  • FCA-regulated firms must report material operational incidents, including cyber incidents, to the FCA;
  • operators of essential services and relevant digital service providers must report incidents under the Network and Information Systems (NIS) Regulations 2018, for which the ICO is the competent authority for digital service providers; and
  • under the Privacy and Electronic Communications Regulations (PECR), providers of public electronic communications services, such as telecoms companies, must report personal data breaches to the ICO.

Cybersecurity insurance debated

Many leaders and speakers at DTX Expo had noticed a larger number of businesses taking out cyber insurance policies after the Covid pandemic. The consensus view on cyber insurance seemed to be that while it would not save you from an attack, it might help to cover the financial losses incurred as a result of one.

Despite this there was still a palpable reluctance to take out insurance for a number of different reasons.

For example, experts warned that while insurance could help to cover money lost through the payment of a ransom, it might not cover all costs, such as legal fees.

Another significant factor impeding wider adoption of such policies was the fear of becoming a target. In other words, if attackers became aware that a company had insurance, they might view that company as an easier target, or one where a ransom payment is far more likely.

If anything, it was this conclusion that really brought home the fact that cyberattacks have become the norm rather than the exception, and that the ecosystem in which attackers operate is sufficiently well developed for them to carry out the equivalent of a risk-and-reward analysis of their potential targets.

Reputational damage worse

Sometimes it’s not even the fine that is most damaging to a company that has been successfully attacked, or that has not reported or addressed the loss of its customers’ data quickly enough.

In 2015, TalkTalk suffered a data breach in which 157,000 individual customer records were stolen, and the ICO issued a £400,000 ($453,000) fine. The following year, the company’s CEO announced that it had lost 100,000 customers, and the estimated cost of the breach rose from approximately £30m ($34m) to £80m ($90m).

“It’s not the fines, it’s the reputational damage that is the worst,” said Emma Green.

If there is any uncertainty, Emma Green advises companies to always seek legal advice, because such advice could:

  • Help avoid an investigation and/or fine if reporting can be done properly; and
  • Save the company from being exposed to significant reputational damage and potential subsequent litigation.

UK GDPR Article 4 (1)

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

UK GDPR Article 34 (1)

  1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Source: https://uk-gdpr.org/

This is not a complete reproduction of what was said at this conference – it is an edited version based on the reporter’s understanding of what was relayed. This content has not been approved/endorsed by the speakers.