A legal perspective on data breaches and home working

The ICO’s stance

In response to Covid-19, the UK Information Commissioner’s Office (ICO) published a short statement for organisations entitled Data protection and coronavirus: what you need to know. This provided some helpful guidance on the ICO’s position regarding data security.

The ICO states: “During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.”

In practice, this means that remote working is not an excuse to implement less stringent security measures than you would have otherwise had in place. The standard remains that organisations must ensure that an appropriate level of security is applied to the personal data that they process.

Data security does not end with system security – careful consideration must also be given to the disposal and transportation of documents. The ICO has in the past fined organisations for not disposing of documents containing personal data in a secure manner. All home working policies should cover guidance on how employees should be dealing with documents when working remotely.

Does Covid-19 alter the breach notification thresholds?

While the ICO’s statement did not specifically address data breach notification, the regulator has previously commented in relation to a possible delay in responding to data subject rights requests with “we can’t extend statutory timescales”.  

When applying this to data breach notification, organisations should continue to plan to notify within 72 hours of being made aware of the incident.

In addition, the current circumstances do not affect the thresholds for breach notification – in layperson’s terms, notification to the ICO is required where there is a risk to the affected individuals and notification to the affected individuals themselves where there is a high risk.

Will the ICO exercise any leniency?

The ICO’s statement indicates a degree of pragmatism but falls short of complete leniency.

“We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.”

Organisations should remember that, in order to notify, they do not have to know every detail about how the breach happened and who has been affected. Indeed, the ICO allows organisations to file a follow-up notification form once the organisation has concluded its investigation into the incident. This approach would allow an organisation to meet its statutory obligation.

What happens if your business suffers a data breach during lockdown?

An organisation may still suffer a data breach despite having appropriate security measures in place. It is therefore crucial to have an incident response team ready to deal with a breach.

In these unprecedented circumstances, our view is that it is not enough to merely have an incident process in place that you should follow – it is important that certain contingencies are put into place.

Employees should be made aware of who they need to contact within the incident response team to notify a breach. Typically, employees notify their data protection officer (DPO) via email. However, in present circumstances, this approach poses a risk to organisations during a period of lockdown where we are all relying on our IT systems and there is a strain on broadband as a result of everyone working remotely.

Therefore, emailing your IT team or data protection officer (DPO) may not be the best option in the event of a breach as there could be a delay in these emails being picked up. Alternatively, where you only have one individual to report a breach to, you also have a single point of failure.

To overcome these concerns, organisations should consider making available the telephone numbers of the incident response team to employees so that a data breach can be notified and escalated in a timely manner. Alternatively, organisations can set up a 24/7 breach hotline that is managed by a team of individuals who will be able to escalate the breach as required.

The incident response team should be well-trained on the incident response process, but also on the contingencies that have been put in place in accordance with their business continuity process. This would enable them to handle a breach in an efficient manner in these circumstances.

When dealing with a data breach, organisations will need to make the inevitable decision as to whether or not they will notify the regulator. Reaching this decision can require sign off from certain individuals such as the general counsel. As part of your incident response and business continuity process, thought should be given to who matters will be escalated to for decision-making if their key decision-makers are absent from work.

Finally, prudent organisations would be well-advised to test and trial run their notification processes as we all adapt to this new way of working.

Sabba and Michael are Senior Associates in the Fieldfisher privacy, security and information law team.