20 July, 2021

Held to Ransom

Cyber crime is estimated to cost businesses some $10trn by 2025. No business sector is secure, says Carl Selby, Partner at Royds Withy King – least of all gaming

In July last year, the gaming activity of millions of Clubillion players around the world was leaked to the press, and in January this year the details of over 500,000 Betway customers were sold following a malicious hack. Traditional ‘heavy industries,’ meanwhile, are not immune. Hacker group DarkSide grabbed headlines in the spring this year following an attack on Colonial Pipeline, which caused gas shortages in parts of the US.

Colonial Pipeline ended up paying a $4.4m ransom to get its pipeline back online. More recently, JBS, the world’s largest meat supplier, had to shut down parts of its operations as a result of a ransomware attack, leading President Joe Biden to confirm he had contacted the Russian Government directly about the cyber attacks. Although ransomware and other cyber security incidents are on the rise (a recent US federal inter-agency report estimated there were over 4,000 a day in the US), the most recent statistics published by the UK’s Information Commissioner’s Office (ICO) show 659 cyber security incidents and 1,766 non-cyber security incidents reported in a single quarter.

While cyber security incidents are more likely to have significant consequences for both data subjects and businesses, non-cyber data breaches occur far more often and can still lead to serious problems. The ICO data records 676 incidents of emails being sent to the wrong person or post going to the wrong address. Information could easily end up in the hands of a competitor or, worse, be handed to cyber criminals and used as the raw material for a convincing phishing attack.


What do we do when an incident occurs?

When you suffer a data breach or cyber security incident, time will not be on your side. Trying to deal with an incident on the fly will, almost inevitably, lead to mistakes. So a plan for dealing with a data breach or cyber security incident is a crucial first step. There is no one-size-fits-all approach. Each business is unique, processing different types of personal data in different ways, using different systems and infrastructure, so it will need a plan tailored to its particular needs.


However, many plans will have common components:

  1. The identities of the team responsible for dealing with incidents, including any external advisers.
  2. An initial triage process to establish if immediate damage limitation is needed. Not all incidents are equal; some may require immediate action, such as temporary suspension of services or websites.
  3. A further process to fully assess the extent of the incident; in particular, what personal data has been compromised (including whether it includes special category personal data) and whether it has been leaked to a third party.
  4. Once the extent of the incident is known, what steps will be taken to manage it, including where third parties need to be notified. Depending on the severity of the incident, the following may need to be told:
     a. The ICO, within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals, and the affected data subjects without undue delay where that risk is high.
     b. The Gambling Commission (or equivalent regulator), within five working days, if the breach adversely affects the confidentiality of customer data or prevents legitimate users from accessing their accounts for more than 12 hours.
     c. Your insurer, which may refuse to pay out if not notified promptly.
     d. Relevant staff; in particular, any staff that might be dealing with direct enquiries about the incident, so they know what to say to affected data subjects.
     e. In the event of a serious incident, a PR consultant to mitigate any potential reputational damage.

When you suffer a data breach or a cyber security incident, the response should then be simple: follow the plan!


Minimising the risk and impact of a breach

Further, there are steps businesses can take to minimise the risk an incident will occur, or limit the impact of any potential incident:

  1. Keep all software up to date and apply security patches promptly.
  2. Install anti-virus and anti-malware software, and maintain it with the latest virus and malware definitions.
  3. Make regular back-ups, keep them separate from your network and systems (so that ransomware cannot reach them), and test that they can actually be restored.
  4. Ensure you have adequate network security measures in place and, given the rise in home working during the pandemic, effective security that allows staff to work from home safely.
  5. Implement suitable email monitoring so you can spot unusual activity, such as mail going to unexpected external addresses.
  6. Limit the information that staff can remove from your IT systems and consider what methods they should be allowed to use to do so.
  7. Control access to sensitive documents and personal data so that only those that need to process it have access, and can only process it to do their job.
  8. Train all staff on data protection and cyber security, including how they should respond if they become aware an incident has occurred in accordance with your plan.
  9. Test your cyber security plan and security measures regularly, and update them to make improvements that have been identified as a result of testing them.
  10. Consider specific insurance for cyber security incidents.


What are the consequences? The rise of no win, no fee

While the regulatory fines for failure to comply with UK GDPR are significant (up to £8.7m/$12.3m or 2% of worldwide turnover, whichever is greater, for the lower tier of infringements, and up to £17.5m or 4% of worldwide turnover for the higher tier), the costs of dealing with a potential investigation by the ICO could also be damaging. Equally, a data subject can take direct action to recover any losses suffered as a result of the incident.

In recent months, we have seen an increase in individuals and businesses approaching us for advice on claims for damages being made by data subjects, using claims management companies or no win, no fee law firms, for losses arising from data breaches. The firms involved tend to be the same firms that have been active in bringing claims for PPI mis-selling in recent years. While PPI mis-selling claims generally involve financial institutions with insurance cover or deep pockets, claims for data breaches can affect any business of any size – and in any sector.

A lot of these claims assert that the data subject is entitled to compensation as a result of the Court of Appeal decision in Lloyd v Google, in which the Court held that there was no need for the data subject to prove actual loss where there had been a loss of control of personal data. However, the Court also held that there was a de minimis threshold below which a claimant still has to prove actual loss, giving as an example “an accidental one-off data breach that was quickly remedied.”

Many of the claims being brought by such firms will sit below the de minimis threshold, but there are traps that data controllers can fall into. For instance, settling a claim (to avoid further costs and expenses) without including the data subject’s legal costs as part of the settlement could then lead to a disproportionate bill for those legal costs. Getting good advice about dealing with such claims at an early stage should prove invaluable. With cyber attacks and breaches it’s not if but when, so be prepared to avoid being held hostage.


Carl Selby is a Partner in the technology practice at Royds Withy King. He can be reached by email: [email protected]. Visit www.roydswithyking.com