Hacking, an Occupational Hazard for Business?

August 28, 2015

Carphone Warehouse has recently made a statement that personal details of up to 2.4 million customers may have been accessed in a cyber attack. In addition, up to 90,000 customers may also have had their encrypted credit card details accessed. The personal details accessed may have included names, addresses, dates of birth and bank details.

Also in the news is the theft of caches of data from online ‘cheating’ website Ashley Madison. Data stolen reportedly included the company’s databases of registered members. Given the nature of the site’s services, it will be fascinating to see whether many of its users formally complain, notwithstanding the implications that such disclosure might have for them.

Unfortunately, the potential for hacking is now an everyday reality for the vast majority of us who conduct our business online. In addition to the potential breaches of systems and damage to reputation, these incidents may also give rise to claims by individuals and enforcement action by the Information Commissioner for breach of the Data Protection Act 1998 (“the Act”).

The Act gives individuals rights in relation to personal information held about them and places obligations on organisations handling that information. Organisations handling personal data must take appropriate measures against unauthorised or unlawful processing. Data breaches can increase the risk of “identity theft” where an individual’s data is used fraudulently.

Failure to take appropriate measures to prevent hacking may lead to a civil claim by an individual affected by the breach and/or investigation and enforcement action by the Information Commissioner. The question of whether a data breach is actionable depends on whether it could have been prevented by taking reasonable measures in the circumstances.

There is also a supply chain risk. Contracting out services to persons who process your customers’ data does not avoid liability. At the very least, organisations must scrutinise the security measures a third party provider has in place and satisfy themselves that those measures are adequate. Larger organisations, especially financial and other regulated institutions, are increasingly conscious of this supply chain risk and in turn are requiring service providers to sign up to extensive IT security protocols and IT audit rights. All of these can result in serious contractual risk to the contractor if not managed appropriately.

The risks are clear. The Information Commissioner has the power to fine a company up to £500,000.00 if it has not done enough to protect an individual’s personal information. In January 2013 Sony Computers Entertainment Group was fined £250,000.00 for a “serious breach” of the Act over a hack that the authorities considered could have been prevented. Individuals can also apply to the civil courts. Whether a claim can be made solely for “distress” caused by the breach is currently before the Supreme Court.

To avoid a breach and minimise the risk of a claim and/or enforcement action by the Information Commissioner, organisations should consider the following, along with implementing a policy to deal with data security breaches:

  1. Containment of damage by isolating or closing compromised sections of a network and changing access codes. Backup records may also be advisable;
  2. Taking measures to safeguard data in proportion to its nature, i.e. sensitive personal data is kept more secure;
  3. Notifying the Information Commissioner and affected individuals as soon as possible so they can take their own damage limitation steps;
  4. Investigating the cause of breach and evaluating the effectiveness of the response. Consider putting further safeguards in place to include encryption or allocating responsibility to a particular individual within the organisation.

Michael King, Associate, Cleaver Fulton Rankin

This article has been produced for general information purposes and further advice should be sought from a professional advisor.