Directors liability for cyber and data breach

Barely a day passes without news of another data breach. In the digital age, information is like money and therefore worth stealing. The threat is more important than ever: when valuable information is handled without due care, it can easily be intercepted and spread around the world to large numbers of people.

We are at the start of understanding the extent of the financial liabilities in this area as cases such as the massive Yahoo breach work their way through the system. To get a sense of the scale of possible liabilities see the Yahoo class action suit here.

I recently took part in a cyber attack simulation session and it was interesting to hear the reactions of a number of business owners around the table as they shared their experiences in this area. The typical responses to such threats generally fell into three categories:

  1. Do nothing and blame the IT people if there is a data breach (most common).
  2. Do something (get it minuted) and blame the IT people if there is a data breach.
  3. The experienced IT people persuade the Directors / Board to invest in a smart bit of kit that generates amazing graphics and goes ping a lot, and then blame the vendor of the kit that looks good and goes ping if it goes wrong. Job done and blame shifted nicely.


Joking aside, it is clear that liability for any data breach ultimately rests with the Directors and the Board of a Company. Surprisingly this comes as news to some, but Directors have always owed legal duties to the companies of which they are Directors. The Companies Act 2006 codified these into seven separate duties.

Two of the duties are particularly relevant:

Section 172 – duty to promote the success of the company.

Section 174 – duty to exercise reasonable care, skill and diligence.

Under Section 174 in particular, the high-profile nature of cyber risk is likely to mean that, to meet the test of reasonableness, proper care must be taken to protect information.

Beyond the fairly general duties of the Companies Act we also have the Data Protection Act, which is soon to become the General Data Protection Regulation (GDPR). The Data Protection Act (and its 8 core principles) is the key legislative framework in the cyber area, and with the new GDPR coming into force next year the maximum fine is rocketing from £500k to 4% of turnover.

Section 61 of the Data Protection Act (DPA) makes it clear that when an offence under the DPA has been committed and it can be attributed to the neglect of a Director, then “he as well as the body corporate shall be guilty of that offence”.


Potentially, therefore, could Directors be liable for up to 4% of the turnover of the companies they work for under the GDPR?

The Information Commissioner's Office (ICO) seems keen to ensure that data protection, and its sub-set of cyber security, becomes a mainstream board issue. When the next TalkTalk happens, therefore, it may well not be enough to point the finger at the IT people, say you can barely switch on a computer and rapidly exit stage left.

Directors of companies which process sensitive personal data (which includes CCTV) are going to need to take a much more robust approach to personal data management and cyber risk under the new GDPR regime to avoid finding themselves exposed personally.

Some simple steps to reduce liability for Directors could include:


  1. Have a data protection officer who understands the risks and regulatory framework.
  2. Have a simple written data protection and cyber policy regularly communicated and updated.
  3. Insist on an independent digital audit to check for glaring weaknesses and vulnerabilities across all 8 principles of the DPA – not just security.
  4. Ensure extra care is taken with any sensitive personal data.
  5. Independently audit your data supply chain / hosting providers.
  6. Don’t collect data you don’t need. You may be building a bigger liability than asset.
