[BreachExchange] Deal with data risks in the boardroom or pay in the courtroom

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 22 18:59:16 EDT 2018


The GDPR, which will apply from 25 May, heralds a power shift away from
companies, whether data controllers or data processors, towards data
subjects – ordinary people, clients and customers.

Much has been talked about the need for senior management 'buy in' to the
many GDPR compliance projects ongoing in businesses. Less has been spoken
about the consequences that will unfold before the courts for the
organisations that are not in compliance.

If a customer or employee believes that their personal data rights have
been infringed by a company, whether as a controller or processor, then
they can go to court to seek various orders and, importantly, they can sue
for compensation. Others affected by the fallout will potentially also have
a cause of action, for example a spouse whose partner became ill from the
stress or a journalistic source that gets exposed in a data breach.

So whilst GDPR introduces the potential for much greater regulatory fines,
those are not likely to be the fallout that puts a fault-line in a
company's finances. Instead, the new 'data protection actions' that
ordinary people can bring will do that.

Once proceedings are issued it won't be long before a forensics team hired
by the opposing lawyers will be poring over the internal corporate
workings. Any idea of 'quick fixing' compliance will not work. Efforts to
do that will be seen for what they are and will likely just increase the
damages to be paid.

Data protection actions will be treated legally like other 'torts' – acts
of infringement that incur legal liability. This is important as it is
likely that the other side will be entitled to relevant and necessary
document discovery – so how your company complies with GDPR will be on
public show in the courts, and therefore potentially in the media.

It is going to become clear pretty soon which companies have competence in
dealing with personal data and which ones cannot be trusted. The new
enforcement regime will sweep all this information into the public domain.

When corporate governance is functioning properly it ensures that companies
have the systems and controls in place to manage the flow of information so
that they can make the right decision at the right time. An effective
system of corporate governance requires leadership, independence,
competence and challenge. Of these, competence is 'king' and an
understanding of the new GDPR enforcement regime is therefore vital for a
board and senior management to ensure effective compliance within their

There are many potential infringements of GDPR that could give rise to a
data protection action, including data breaches. The regulatory fines for
data breaches are at the lower threshold, reflecting the fact that breaches
do and will happen.

However, there will be mandatory notification to data subjects where there
has been a data breach that poses a high risk "to their rights and
freedoms". You have to assess that risk objectively and make a detailed
written record of how you went about it. Mandatory reporting is a game
changer because once the individuals concerned are informed about the data
breach it can lead to them – and others damaged by the breach – issuing
data protection actions. In Ireland, you will also have to inform the
Office of the Data Protection Commissioner (ODPC) if the breach poses a
risk – not necessarily a high risk – and do so within 72 hours, so it will
all happen in a whirlwind.

Data breaches are typically categorised into three types.

A confidentiality breach is where there is an unauthorised or accidental
disclosure of, or access to, personal data. An example would be emailing
personal data to the wrong group of individuals, or giving access to third
parties without a legal basis for doing so.

An availability breach is where there is unauthorised access to, or
destruction of, personal data. An example would be an infection of
ransomware, or misapplying a data retention policy and erroneously deleting

An integrity breach is where there is an unauthorised or accidental
alteration of personal data. An example would be changing someone's health
records accidentally or without authority.

There could be a cause of action against an organisation on foot of any of

GDPR provides that "any person who has suffered a material or non-material
damage as a result of an infringement… shall have the right to receive
compensation from the controller or processor for the damage suffered".
There is a lot in those three lines.

Firstly, the term "non-material damage" covers non-financial damage, such as
personal distress. Secondly, the right to compensation extends to "any
person" – arguably both to a natural person and to a corporate entity.

Thirdly, the right to receive compensation is from the data controller or
processor and so joint liability and several liability applies. That is why
contracts between data controllers and processors are vitally important in
addressing the issue of risk apportionment and indemnification in these
scenarios, particularly if you are contracting with a party outside the EU.

So what can you do to hedge these new risks arising under GDPR? Here are
four steps that I recommend you take.

- GDPR exists to safeguard personal data, so good back-up procedures are
essential. Where are last week's back-ups for your company? Do a spot
check. Ask for them tomorrow and don't take no for an answer. Unfortunately
many senior executives only find out they don't have back-ups when they
absolutely need them.
- Your IT systems should automatically log the movement of data so that you
are in a position to quickly investigate what may have gone missing or been
compromised, when and by whom. Ask for a demonstration as to how your
business achieves this outcome.
- How comprehensive is your cyber insurance? Will it cover claims falling
under data protection actions or fines by the regulator? Make sure it is
sufficient. For example, you could have ongoing functionality issues during
and after a ransomware attack, so you may want insurance to cover losses
whilst getting the business fully operational again.
- Make sure you have access to all the expertise you need on a 24/7 basis,
365 days a year. Besides IT and insurance support, you will also need
urgent legal advice. Seeking this early on may mean that your internal
communications attract legal privilege – otherwise they could potentially
be discoverable to litigants later.

Corporate reputations can be easily lost and are extremely hard to restore.