Data security breaches – is silence a virtue?
15 April 2015
If an organisation loses your personal data, would you expect them to tell you about it? The media’s appetite for reporting stories of laptops lost on trains and cyber criminals’ ever more sophisticated hacking techniques is a reflection of the increasing importance of data security to consumers and corporates alike.
If an organisation has failed to keep data secure, it seems that the public wants to know about it. However, under English law not all organisations are obliged to report data security breaches when they happen.
Legislation currently in force (the Privacy and Electronic Communications Regulations) only obliges providers of “public electronic communication services” (i.e. internet service providers (ISPs) and telecommunications operators) to come clean should they suffer a data security breach.
This reporting obligation is primarily to the Information Commissioner’s Office (ICO), rather than to the individuals whose data has been compromised. ISPs and telecommunications operators only have to notify an affected individual directly if the breach is likely to “adversely affect the personal data or privacy” of that individual, and it is the provider itself that judges whether that threshold is met. Individuals also need not be notified if the ICO is satisfied that the compromised data was properly encrypted.
The vast majority of organisations are therefore under no legal obligation to disclose data security breaches. That means if a retailer or bank, for example, loses its customer data, it is under no obligation to declare the fact. In the circumstances it is conceivable that some organisations would happily keep quiet should the worst happen, in an attempt to prevent the reputational damage and loss of customer goodwill which inevitably accompany publication of a data security breach.
However, despite the current lack of a blanket legal obligation to report data security breaches, keeping quiet is not without risk. Organisations need to be mindful that the ICO has the power to issue monetary penalties of up to £500,000 for serious breaches of the data protection legislation, regardless of company sector, and has historically reserved its largest fines for organisations which have suffered data security breaches.
ICO guidance states that all “serious” data security breaches should be brought to its attention. Given this stance, the ICO has treated swift voluntary disclosure of a security breach as a mitigating factor when determining the amount of the fine imposed on an organisation which has failed to adequately protect data. This has been the case in three recent instances where organisations lost live credit and/or debit card details of their customers: Staysure.co.uk Limited was fined £175,000 in February 2015, Worldview Limited was fined £75,000 in October 2014 and Think W3 Limited was fined £150,000 in July 2014.
Failing to report a serious data security breach that subsequently comes to light is therefore likely to increase any fine issued by the ICO for that breach. The ICO is also likely to highlight the failure to report in the text of its monetary penalty notice, thereby increasing the reputational damage to the organisation concerned.
However, the legal landscape in this area is shifting. Proposed changes to data protection legislation at an EU level include a mandatory obligation for all organisations to report data security breaches. In addition, breaches of data security could attract increased fines of up to €100m or five per cent of the annual turnover of the organisation in default. Sadly (and somewhat predictably), EU member states are moving at a snail’s pace to finalise the legislation. Its finer points are currently being debated in the Council of the European Union, and it may not come into force until 2017.
However UK companies should not rest on their laurels. Wise organisations will use the long lead-in period to tighten up their security procedures and reduce the chance of needing to report a data security breach in the future. Cyber-crime is a growing threat and is likely to become an increasingly regular feature in the news once the new law comes into force.
Andrew Solomon is a solicitor at Kingsley Napley LLP.