‘How does an organisation maintain resilience when everything it designed and built was for a different way of working?’ asks DWF’s global head of data protection, privacy and cybersecurity, Stewart Room. As the world battles a pandemic, organisations around the globe are turning homes into offices and personal devices into office tools. The sudden change in the way businesses operate brings with it added cyber and information security risks, particularly from email-borne malware, as workers in many organisations access confidential business data remotely.
As a result, in-house legal teams are revisiting home working policies and keeping their private practice advisers busy. ‘I’m certainly being asked to give a lot more advice on homeworking policies,’ comments Bristows partner Robert Bond. ‘But the challenge is to strike a fair balance between the needs of the business versus the expectation of privacy in the home environment.’
Bad actors
Data breaches due to employee error, such as following auto prompts on emails or failing to manage paper records properly, are considered low-level breaches and will inevitably increase as many continue to work from home. The interception of confidential business information through phishing attacks is also a common threat. Another threat on the rise is so-called spear-phishing, targeted at executives and specific individuals within organisations, which may take the form of a link in an email that installs malicious software used to steal data.
Industrial cyber espionage on a global scale is also a major risk for business. ‘It’s often nation state-sponsored organisations seeking business-confidential information in a form of cyber espionage, as opposed to the bad actors who are making mischief and socially engineering or downloading malware,’ says Bond.
‘In the last 12 months we’ve seen targeted, sophisticated intelligence-gathering ransomware attacks where the attackers have scoped out the organisation and have been inside the network for weeks or months,’ says DAC Beachcroft partner and cyber and data risk team lead Hans Allnutt. ‘They want to understand how to cripple the organisation and then demand high-level ransoms that are sometimes paid.’
The recent changes to working environments have further challenged in-house teams, who are finding it difficult to respond to the sheer number of low-level and advanced cyber attacks that have become common in the last five years, adds Allnutt. Organisations are therefore looking to increase employee monitoring and scanning tools that, although requiring some level of intrusive monitoring, are needed to preserve the confidentiality of data. However, the shift to remote working means in-house teams risk losing control of records management and will likely not have a centralised view of personal data or information as it is now on various devices and locations, notes Bond.
Organisations can mitigate risk with a combination of IT security controls, such as scanning networks and encrypting traffic, but also by focusing on the human aspect and training employees on how to store and share data. The National Cyber Security Centre has advised that there should be more stringent homeworking policies during the coronavirus lockdown, with more focus on managing multiple devices and the risks around using removable media.
Another pressure point is the difficulty that often falls on in-house counsel to report data breaches to regulators within 72 hours of discovery, unless the breach poses a negligible risk. This is in addition to the obvious duty to report high-risk cases, with the cyber attack on British Airways a recent example and the Information Commissioner’s Office (ICO) beginning to take enforcement action against those that do not fulfil this duty. In July 2019 the ICO said it intended to fine the airline £183m for data breaches after hackers stole customer records, and similarly the Marriott hotel group is facing a fine of £99.2m, although fines in both cases have been delayed until later this year. The main issue for in-house counsel is the need for clear guidance and protocols for when to report a breach and who to report it to.
Furthermore, the EU’s General Data Protection Regulation (GDPR) and similar style legislation have proliferated across the globe and are keeping in-house teams on their toes, including the California Consumer Privacy Act in the US and the yet-to-be implemented Brazilian general data protection law, the Lei Geral de Proteção de Dados Pessoais (LGPD). Large corporate groups are faced with the challenge of grasping the intricacies of diverse regulations that, if misunderstood, can carry severe financial penalties. Dentons global privacy and cybersecurity group co-chair Nick Graham reflects: ‘The key issue is the percolating of data privacy law across increasing numbers of jurisdictions with rules that say similar but subtly different things. The challenge then is how to comply and how to set the risk radar to identify jurisdictions likely to trigger higher enforcement risk. But it’s not just about enforcement risk; it is also about market practice in assessing risk levels.’
GDPR post-Brexit
According to a statement from Prime Minister Boris Johnson in February, the UK intends to seek ‘adequacy status’ from the European Commission by the end of the year – establishing the UK as an adequate jurisdiction for data protection, equal to the EU, enabling the continued sharing of personal data. ‘We want to be able to demonstrate that we are an adequate jurisdiction for processing data so that at the end of the transition period, the hope is that we will swiftly be given adequacy status so that it will be easy for personal data sharing to continue,’ says Graham.
If the UK does not receive adequacy status, then there is a possibility that it will be difficult for UK businesses to obtain personal data from the EU, which may trigger other mechanisms enabling organisations to access data, such as EU-style standard contractual clauses for data sharing. However, in practice, nothing about the UK’s data protection regime is expected to change immediately after the EU transition period.
Recent changes to how governments operate in the immediacy of Covid-19 lockdowns and emergency measures are viewed as aiding the UK’s quest for adequacy status. ‘The UK’s prospects for getting an adequacy decision have been increased, not lessened, by Covid-19,’ argues Room. ‘Every country in Europe is defaulting to a mass surveillance programme to enable the fight against the coronavirus. Everyone is turning into Big Brother and that gives less opportunity to criticise the UK.’ It is therefore likely that as a result of the pandemic, data protection breaches will be brought to courts around the world over the next few years.
The National Cyber Security Strategy 2016-2021 outlined the UK government’s intention to invest £1.9bn into the sector to protect businesses, leading to the establishment of the National Cyber Security Centre in 2016 and programmes such as Active Cyber Defence. According to a new report from the Department for Digital, Culture, Media and Sport released at the start of 2020, the cybersecurity sector has grown significantly in the past few years with over 1,200 cybersecurity businesses established since 2017. Overall, the sector is worth £8.3bn in total revenue, up by 46% from £5.7bn in 2017.
London is seen as an attractive place for cybersecurity outfits to set up and government initiatives, such as the Cyber Academic Start-Up Programme, HutZero and Cyber101 have encouraged this but the sector is struggling to attract the right talent, particularly on the GDPR side, where the pool of experts is limited. Typically, organisations have a cybersecurity technician and a GDPR expert – sometimes a lawyer – sitting separately, but finding individuals with experience in both is proving difficult. ‘It’s a challenge to find the right data protection/data security expert and one of the key questions is the extent to which you look for people who can advise on GDPR but also have cybersecurity technical skills,’ notes Graham.
In-house counsel are faced with new challenges around how to respond to cybersecurity and data protection issues in a year sure to be utterly dominated by the Covid-19 outbreak. The use and management of workforce and customer data is a key issue, as good management practice and training will likely lower the risk of cyber attacks and data breaches. However, some organisations are currently relying entirely on technology, and policies will need to be reconsidered to ensure the security of data and software as well as the devices from which they are accessed. It is clear that more reliance on remote IT support will complicate the ability of organisations and GCs to protect themselves just as their grasp on information has never been put under more strain. No pressure then.
The threshold – Key data protection decisions
Vidal-Hall & ors v Google [2015] determined that under data protection law, financial loss does not need to be shown to claim for distress. The claim against Google centred on browser-generated information that Google accessed through cookies on Apple’s Safari browser. The information that was collected was then sold and used to target the claimants with relevant advertisements. The Court of Appeal held that data subjects can now bring a claim under the Data Protection Act on the grounds of emotional distress alone. Since then, a few cases have attempted to lower the threshold for the number of people eligible to bring such an action.
TLT v Secretary of State for the Home Office [2016] concerned the Home Office’s publication of asylum seekers’ details in October 2012. The data was published on a spreadsheet that identified individuals, six of whom claimed damages for misuse of private information and breach of the Data Protection Act 1998. The case quantified claims using personal injury cases as a reference and set compensation at between £2,500 and £12,500. The dispute also suggested that any personal data could lead to the identification of others, which means that claimants who are not named may also pursue damages under the DPA. The wife and child of one claimant – referred to as ‘TLT’ – also brought claims against the Home Office despite not being explicitly named. This is also supported by GDPR, which says that any person affected by a data breach can claim compensation.
Richard Lloyd v Google [2019] was the most critical data protection case of last year. The former director of Which? brought a claim against Google under s13 of the Data Protection Act for tracking over four million Apple iPhone users through DoubleClick ad cookies by way of a ‘Safari workaround’, giving Google access to the browser-generated information. In October 2019 the Court of Appeal held that claimants who have ‘lost control’ of their data are able to recover damages. ‘As a minimum threshold, if you lost control over your personal data or privacy from a commercial partner taking it, then you should be entitled to some sort of damages. If you can be part of a group that has lost control then all of you can claim. It’s really a low threshold now because of it but we’re yet to see the quantification,’ says the head of DAC Beachcroft’s cyber and data risk team, Hans Allnutt. The case also demonstrates the trend of class actions in data protection cases. ‘When you have a data breach, you’re not only reporting that breach to the Information Commissioner and then being investigated by the Information Commissioner but you’re then going to have these class actions as a completely parallel and separate cause of action against you. You’re starting to fight on two fronts and then on top you’ve got the reputational issue, the loss of brand and the loss of trust,’ notes Bristows partner Robert Bond.
In WM Morrison Supermarkets (Appellant) v Various Claimants (Respondents) [2020], a significant case for the future of large data breach and privacy cases, Morrisons successfully defeated a group litigation claim following a decision by the Supreme Court on 1 April. The case centred on whether a company can be held vicariously liable for the actions of a single employee, after thousands of members of staff found their personal information disclosed on the internet by a rogue employee in the company’s audit team. The Court of Appeal had ruled that Morrisons was vicariously liable, with the implication that an organisation can be responsible for data breaches even if it has taken measures to comply with data protection legislation. However, the Supreme Court unanimously reversed this decision, ruling that the Court of Appeal had misunderstood the principles governing vicarious liability – in effect ruling that vicarious liability can still apply in data privacy cases, but not where the employee has a clear vendetta against their employer.