In view of the Equifax breach, how will the General Data Protection Regulation EU regulation affect UK businesses?
Equifax last week reported a severe data breach affecting 143 million people in the US, nearly half of the population. The breach is vast in terms of scale, with hackers obtaining access to full names, Social Security numbers, birth dates, addresses, driver's license numbers – all of which could be used to impersonate victims fraudulently. While the exact number is currently unconfirmed, reports suggest that the personal details of 44 million British people may also have been compromised.
Despite formal notification regulations not yet being in place across Europe, the Information Commissioner’s Office (ICO) announced that it would be advising Equifax to notify affected UK customers at the earliest opportunity.
This latest attack, one of the largest ever, demonstrates the need for businesses to prepare for the evolving cyber threat. While some companies may have overlooked the impact of new regulatory rules governing data protection coming into force next year, any firm that does business with individuals in the European Union is about to be faced with potential new liabilities that will affect their IT systems and cyber security responses. And as with Equifax, some of the new regulations may begin to affect businesses well before then.
The General Data Protection Regulation (GDPR) comes into force in the EU on 25 May, 2018 and it will affect UK businesses, irrespective of Brexit. The new regulatory framework has extraterritorial jurisdiction: it will load new cyber-security burdens on to any businesses which hold EU citizens’ private data.
So what do these new regulations mean? In a nutshell, EU businesses will from next year be required to notify the relevant authorities and potentially write to their customers following ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. This could happen, if, for example, a data breach occurs through a cyber attack, and it is highly likely to cause economic or social damage to the affected individuals (potentially, for example, if credit card details are stolen). Notifications must occur ‘without undue delay’, the regulations state, and failing to notify could result in a fine of up to €10 million, or 2% of global turnover, the ICO reports.
The requirement to notify customers that their data privacy has been breached can be an extremely costly administrative process, even before you take possible business interruption and reputational damage into consideration which could lead to a loss of customers and future business. In addition, the relevant authorities must be assured of the security responses made following the incident.
Worse, breach notification could trigger legal actions by affected customers. As class action lawsuits become increasing popular in the UK and the EU, a serious legal liability could arise. This could be exacerbated by a GDPR clause which states that individuals may claim compensation for non-material damages such as distress which may be suffered as a result of a data breach, as well as for tangible financial loss. This could result in higher costs for businesses than in the US where the courts often dismiss claims that are unable to prove a financial loss.
The best course of action, unsurprisingly, is to ensure that IT systems and associated security protocols are sufficiently robust, and staff adequately well briefed, to ensure that breaches do not occur. However, no amount of protection and risk management will render any IT system impenetrable (and claims of impenetrability are a red flag urging hackers to attack). Furthermore, no amount of employee training will entirely prevent employee mistakes.
For the times when the hackers succeed, Tokio Marine Kiln offers comprehensive insurance coverage which assists with indemnifying against GDPR-related losses, immediate cyber breach response and IT forensics; the cost of notifying customers and drafting the notification messages; all associated legal and public relations expenses; reputational damage including the potential loss of customers; and defences and damages arising from legal actions.
To learn more about TMK’s Cyber and intellectual property policies and services, contact: email@example.com