You may know that sinking feeling if you’ve ever sent an important work email to the wrong person or that feeling of horror when you leave your work laptop on the commute home. When does an inconvenience become a reportable data breach by law? If your systems are hacked, would you know how quickly you need to act and what steps to take?
Where a business suffers a data breach affecting personal data – which is broadly defined and includes a security breach and unauthorised loss of data – there may be requirements to notify the Information Commissioner’s Office (ICO) and the individuals affected as soon as possible.
The General Data Protection Regulation (GDPR) requires the ICO to be notified no more than 72 hours after having become aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. An individual whose personal data is the subject of a data breach must be notified where the breach is likely to result in a high risk to their rights and freedoms.
These notifications must include information on the nature of the data breach, likely consequences, measures taken or proposed to be taken, and other details.
Identifying what has happened quickly can help you decide whether notification is necessary and further steps are needed. The GDPR principle of accountability means that any business responsible for personal data should be able to demonstrate compliance and document reasons for the decisions taken.
We frequently advise on urgent and time-critical data breaches and have set out some actual examples of common data breaches and factors we have advised on when considering whether notification is required.
Hacking attempts are more common than ever before and can be carried out by a well-trained group as a part of organised crime or a lone hacker.
We regularly see instances where phishing emails are mistaken for genuine emails and our clients are often unsure what to do if their systems are subsequently compromised.
If a company email account is hacked, you must take steps to identify what you can do about the hack. Does it look like a targeted approach by professionals or a single individual? This could be determined by identifying the number of IP addresses involved.
If a more professional approach has been taken, this may indicate that the risk of identity fraud is higher, increasing the likelihood that you are required to notify the individuals affected. However, if the information obtained cannot be used to commit identity fraud, you may determine that the notification thresholds are not met.
Questions are raised when a hack takes place – for example: Was access obtained to every mailbox? Have personal emails from the hacked account been sent containing any sensitive information? Are there any images of family members and other individuals’ personal data unconnected to the business, because they may also need to be notified?
If your business is subject to an attack, you should review your security software, such as antivirus alerts and server logs, to see if you can identify the specifics of the attack. You may need to contact your external IT or cloud providers for assistance, as they should have a better understanding of your systems. This is where your IT and insurance contracts are key – they should set out the support you can rely on in the event of a breach.
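One way to turn the "how many IP addresses were involved?" question and the server-log review above into a repeatable triage step, as an added example that is not part of the original article. It assumes a simple mail-server authentication log format (timestamp, result, mailbox, source IP); the log lines are constructed for illustration, and the threshold of three distinct addresses is an arbitrary starting point to tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample of mail-server authentication log lines (not from the
# article). The line format is an assumption for this example:
#   <timestamp> <LOGIN_OK|LOGIN_FAIL> user=<mailbox> ip=<source address>
SAMPLE_LOG = """\
2024-03-01T08:02:11Z LOGIN_OK user=alice@example.com ip=198.51.100.10
2024-03-01T08:05:43Z LOGIN_OK user=alice@example.com ip=198.51.100.10
2024-03-01T09:14:02Z LOGIN_OK user=bob@example.com ip=203.0.113.5
2024-03-01T09:14:09Z LOGIN_OK user=bob@example.com ip=203.0.113.77
2024-03-01T09:14:15Z LOGIN_OK user=bob@example.com ip=192.0.2.200
2024-03-01T09:15:30Z LOGIN_FAIL user=carol@example.com ip=192.0.2.201
2024-03-01T09:16:01Z LOGIN_OK user=bob@example.com ip=192.0.2.201
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, mailbox, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("ip")


def successful_ips_per_mailbox(text):
    """Map each mailbox to the set of source IPs that logged in successfully."""
    ips = defaultdict(set)
    for _ts, result, user, ip in parse_log(text):
        if result == "LOGIN_OK":
            ips[user].add(ip)
    return dict(ips)


def triage(text, threshold=3):
    """Return mailboxes with successful logins from at least `threshold` distinct IPs,
    with the first and last successful login time, for the breach record."""
    first_last = {}
    for ts, result, user, _ip in parse_log(text):
        if result == "LOGIN_OK":
            first, _ = first_last.get(user, (ts, ts))
            first_last[user] = (first, ts)  # log is assumed to be in time order
    ips = successful_ips_per_mailbox(text)
    return {
        user: {"distinct_ips": len(addrs),
               "first_seen": first_last[user][0],
               "last_seen": first_last[user][1]}
        for user, addrs in ips.items() if len(addrs) >= threshold
    }
```

Running `triage(SAMPLE_LOG)` flags only the mailbox that was reached from several addresses in quick succession, together with the time window that the breach record and any ICO notification will need to describe.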
The police’s cyber crime arm, Action Fraud, should be notified if you have been hacked and if fraud is suspected or likely. It is also vital that senior decision-makers are available to ensure rapid decisions can be made.
The mistaken email recipient
One of the most common data breaches is sending an email to the wrong person. Whether to report will depend on the recipient and the nature of the personal data contained within the email.
One example we saw recently was where a client wrongly disclosed sensitive data as part of a subject access request made by a former employee. We helped the client to determine the nature of the personal data disclosed and whether this was reportable to the ICO. This involved a detailed fact-finding exercise with the client where we worked with their data protection officer and other senior management to determine the most appropriate response and the remedial steps required.
If something similar happens to your business, can you recall the message, meaning that the risk of any harm is lower? Can you contact the recipient and ask them to delete the email and confirm the same in writing? This may depend on whether you have mistyped the email address and know the identity of the recipient.
You also should consider whether any attachment containing personal data is encrypted and password-protected, meaning that data is unlikely to be compromised and the risk of harm is lower.
The lost device
Another common data breach is losing a device such as a phone or laptop which holds personal data. This is very common and we recently advised a client in a situation where one of their employees had lost a laptop on the train and personal data was saved to the laptop’s hard drive.
The client could not determine whether the laptop was password-protected and we advised them that, in this case, they should report to the ICO because of the type and volume of data that was saved on the hard drive and their inability to safeguard the data.
If this happens to your business, the device may or may not be compromised and you will need to assess the security measures in place to protect the data. For example, is the device password-protected? Does it use two-factor authentication? Is there any personal data stored on the device’s hard drive or is personal data only accessible through a portal? Can the device be disabled or information deleted remotely?
The answers to these questions will help to determine your reporting obligations – but advice should be sought when making this decision.
Five top tips for avoiding and dealing with data breaches
- Security and IT infrastructure: Invest in IT infrastructure and ensure that the security measures and processes are adequate to the risk by conducting privacy impact assessments. Ensure your IT team or external provider has appropriate security measures in place. Meeting and checking accreditations – such as Cyber Essentials and ISO 27001 – is a good place to start. Failing to have appropriate measures in place could mean that you are liable for a substantial fine in the event of a breach.
- Insurance: Review insurance policies and check what you are covered for. New and emerging risks, including cyber attacks, are not always covered in traditional policies and you may require separate cyber-specific insurance.
- Review your controls: Simple measures such as removing the auto-populate email function can lead to a substantial reduction in misdirected emails.
- Breach identification and reporting: Have a procedure in place and practise “dry runs”. Train your staff to report, and not hide, mistakes.
- Advice: Seek advice at the earliest opportunity to help you identify the required and remedial steps to take.
Andrew Jerrard and Guy Cartwright are lawyers in Coffin Mew’s commercial & intellectual property team