Foundation of the Information Commissioner’s Office and the first Data Protection Act in 1994, introduced a regime that has considerably strengthened the rights of the individual and limited the extent that their personal data and critical financial information can be disseminated to third parties. The law has continually evolved to embrace new threats such as the emerging cyber threats.
There has been an on-going emphasis on reinforcing the principles of safeguarding an individual’s personal information, with many more Data Protection Acts aimed at ensuring that businesses and organisations take the appropriate steps to prevent any breaches. However, this has not always been achieved and as globalisation increases, there have been some astounding breaches leading the regulatory authorities issuing hefty fines.
Philip Hooley, a partner, commented “the regulatory consequences of a data breach can be extremely costly in that the fines issued by the Information Commissioner’s Office (ICO)are stringent and intended to deter any future lapses. The ICO has the capacity to issue fines of up to £17.5 million or 4% of the annual worldwide turnover of a business, whichever is higher, depending on the severity and extent of the breach.” Philip further commented “businesses also have a duty to prevent cyber-attacks against their customers and monitoring such events is included in the duties of both the ICO and the Financial Conduct Authority (FCA) together with the National Cyber Security Centre (NCSC) which is part of the Government Communications Headquarters (GCHQ) and formed from a number of pre-existing organisations. The NCSC is the UK’s technical authority on cyber incidents. The fines for inadvertently permitting a cyber-attack are equally stringent. Businesses must devote time and effort to ensure that they do not fall foul of either risk.”
The latest organisation to have exposed their customers to a data breach is Air Europa, based in Mallorca, on 10 October the airline emailed customers to inform them that a data leak had led to their payment information being revealed and urging all customers that had paid for their flights by a credit or debit card to cancel the card to avoid the potential for fraudulent use of their card. The breach occurred the previous August. British Airways was also fined by the ICO for a data breach to the tune of €22 million due to a data breach exposing the personal data of over 400,000 passengers. Amazon, T-Mobile, Meta, TalkTalk and Equifax have all been fined for similar issues. In the cases of British Airways, TalkTalk and T-Mobile, they suffered considerable reputational damage. The CEO’s paid a price in losing their jobs in the case of Target and Equifax in the US and it may have played a part in the case of Dido Harding resigning from TalkTalk a few months after the breach, although she has denied that.
How the regulating bodies assess the amount a business will be fined largely depends on the level of negligence exhibited by the company. If it can be demonstrated that all possible steps were taken to protect customers’ data and that they reported the breach immediately and informed their clients immediately, there may be a more benign consequence. Companies that are fully committed to improving their data security, or can demonstrate that the breach was unforeseeable, or as a result of a third party error may also be looked on more favourably.
However, if it is discovered that there were inadequate security measures and a lax attitude exhibited by those that are in charge of managing the data protection of clients, the fines may be higher. Additionally, if it is discovered that a company has a history of violations of the data protection laws they will almost certainly face a larger fine.
Reputation Damage
There are further consequences when a business fails in its responsibilities to protect its clients’ personal data, in that the company’s reputation will be severely impacted. Negative publicity and social media backlash can exacerbate this.
New customers always have a choice and will lose trust in an organisation that has endangered its clients in such a way. The extent that existing clients will consider re-engaging with a company that has exposed its clients, depends on the extent and nature of the breach. It is possible that as a result of the breach the brand may suffer a permanent taint.
Reputational damage will also be suffered from a cyber attack which may lock up a business’ client files and work, preventing them from operating until a ransom demand has been paid or the block otherwise removed. The position may be worse if records are lost or destroyed.
Additional Financial Burdens
Apart from the eye-watering fines that the regulatory bodies can impose on a company, there are further financial setbacks relating to the costs involved in investigating the breach and remedying the situation by additional security measures to mitigate future risks, such as upgrading security systems, hiring cybersecurity experts, and more diligent ongoing monitoring and training. Doubtless their insurance premiums will also rise.
All of the above costs will be experienced in a cyber attack, as well as possibly paying a ransom to release systems and experts in trying to unlock the data or recreate the systems lost or destroyed.
Business Disruption
Dealing with a data breach will be time-consuming and will inevitably disrupt normal business operations. Companies may need to divert resources and staff to take the steps needed to investigate and control the breach. Shareholders may see a drop in the company’s stock value following a data breach resulting in the company’s financial performance being affected. It is possible that businesses within your supply chain may reconsider their partnership with a company that has been found in breach of the data protection law. Again all of these factors are exacerbated if there is a cyber attack that locks up or destroys the company’s systems including its work and client records.
Legal Consequences
A company whose breach of the data protection laws impacted severely on their clients may be subject to a civil lawsuit claiming damages for financial losses arising from the breach. As it is very often the case there may be large numbers of individuals that are seriously affected, this could give rise to group litigation in some circumstances. In the event of an egregious breach involving misconduct by the executives or other employees within the business, criminal charges may also be brought. Officers may also lose their positions.
Giambrone & Partners commercial litigation lawyers can advise on all aspects of the consequences of data breaches and cyber-attacks, including civil and criminal actions.
Philip Hooley Philip Hooley is a highly experienced commercial litigator having worked in the legal sector of the City of London for twenty-five years advising on commercial disputes in various industry sectors ranging from traditional IT to digital transformation, cyber security and Artificial Intelligence (AI), technology, insurance and reinsurance, financial services, professional negligence, pharmaceutical, insolvency and energy for organisations based in the UK and overseas.
He also advises on the management of multifaceted claims in various jurisdictions providing technical strength and commercial awareness of cultural differences in cross-border matters.
Philip’s experience extends to extremely high-profile cases valued at in excess of one billion dollars for organisations that are household names. His clients value his astute ability to secure favourable outcomes for complex disputes at the pre-action stage where possible. Should this be unavoidable, he is a robust litigator and brings strategic insight to each case.