A great deal has happened in the cyber, corporate and personal data risk space since our Managing Director, Elliot Shear, addressed corporate risks and directors' statutory duties at a summit in Washington D.C., on a prestigious cyber panel alongside representatives of the FBI and SEC, in mid-2017.
We have seen cyber-attacks developing at a considerable rate; the Petya, WannaCry, Stuxnet and Bad Rabbit viruses have hit targets in over 150 countries, affecting thousands of businesses and millions of people. These attacks have escalated to the point that some commentators refer to this as the start of cyber-wars. Collateral damage has been incurred by hospitals, health services and universities, as well as other essential systems, in countries remote from the immediate conflicts between Russia and Ukraine, and between North Korea, Iran and other nations.
Last year, we saw a major data breach at a UK retailer, Morrisons, by a rogue employee. Importantly, Morrisons itself was held vicariously liable by the High Court for the breach as there was a sufficient connection between the actions of the rogue employee and the “course of his employment”. The Court of Appeal has recently upheld the initial ruling.
Another example of a major breach occurred this year at British Airways. The airline informed its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates and bank codes. Under the GDPR, firms can be fined up to 4% of turnover, which in BA's case could amount to £500 million. If the airline's parent group, International Airlines Group (IAG), is held accountable instead, the maximum fine could be even higher. There are also allegations that BA is liable to compensate for non-material damage under the Data Protection Act 2018, the UK's implementation of the GDPR.
In 2017, the National Health Service data service was breached as an indirect result of the WannaCry virus. At least 6,900 NHS appointments had to be cancelled, and up to 19,000 patients were affected in total, after staff were forced to resort to pen and paper when they were locked out of computerised systems. The attack impacted computers at hospitals and GP surgeries across 48 NHS trusts.
The ICO recently fined Facebook the then maximum fine of £500,000 under the Data Protection Act 1998 (DPA), after it was revealed that data had been misused by Cambridge Analytica. This breach occurred before the commencement of the GDPR and the Data Protection Act 2018, and so the DPA 1998 was applied. Another firm linked to the Facebook data handling breach, the Canadian firm Aggregate IQ, in October 2018 became the first organisation to be fined under the new post-GDPR regime. Data of up to 87 million Facebook users was wrongly accessed, leading the ICO to impose a fine of £17 million. This shows the willingness of the ICO to impose fines when breaches of a severe nature occur.
New Risks and Regulations
The new data control regulations affect all firms and organisations, including sporting and charitable groups, and all directors, business leaders, trustees and staff members, who need to be aware of their responsibilities and be properly trained to meet the new regulations.
These new risks and regulations are just one aspect of a broadening array of new regulation, much of which has in recent years been targeted at addressing risks and concerns in the financial services area. These new areas include the MiFID 2 controls; tighter controls over money laundering and tax-related offences; and new sanctions to address security, military and political global concerns.
New heightened liabilities for directors and senior managers in financial services result from the Senior Managers and Certification Regime in the UK financial world. This regime already applies to banks and insurers and is now expected to be extended, in 2019, to asset managers and other FCA-authorised firms. Directors and officers could find themselves personally liable for an attack against their firm if they have not complied with their extensive responsibilities relating to the prevention and management of a cyber event.
Corporate liability, extending to the individual director in terms of criminal, civil and professional liability, has been growing in recent years to encompass offences in the areas of bribery, corruption, mishandling of data and tax evasion.
Where W Legal can assist
As a boutique corporate and commercial firm with specialist advisers and litigators, we are well placed to assist in analysing corporate risks, directors' burgeoning duties, new data tools, and financial products and risks, from blockchain to cloud network attacks, and to assist when regulators are involved and when litigation, civil or criminal, takes place.
So, in summary, where do the principal risks stem from in these changing and ever more regulated times?
The introduction of these new enhanced protections for personal data has meant that those engaged in data controller and processor functions need to be far more focused on identifying what data is held and where, the functions being carried out on it and any third-party handling of it; on notifying and responding to data holders; and on dealing with subject access requests and transfers of data across borders. There are large potential fines and impacts on business models from data loss, data attacks and breaches.
Vulnerabilities exist in the controls over identity management for those accessing devices and systems; in establishing secure systems that can detect and resist external attacks; in mitigating the problems that arise where devices are lost or compromised; and in the need for controls over the large amounts of data that now flow through networks and associated cloud storage.
In many ways, data protection laws are still in their infancy as internet shopping, social media, cryptocurrencies, distributed ledgers, robo-advice (particularly in the investment world) and remote and artificial systems are increasingly introduced. On the other side, the incidence of cyber-crime, electronic fraud, hacking of systems, the introduction of viral attacks and data plundering grows all the time.
Our law firm, working in conjunction with specialist IT groups, can provide comprehensive analysis and advice on these risks, on measures to contain them and achieve compliance, and on what to do when a breach occurs, when an attack has taken place, or when regulators have identified weaknesses in the organisation's data, financial or other systems.
Please do not hesitate to contact our team of regulatory and corporate legal experts.