By David Cook, Senior Associate – Privacy and Cyber Security Compliance and Litigation at Eversheds Sutherland, and finalist in the Security Serious Unsung Heroes Awards.
It seems like barely a week goes by without a high-profile data breach being reported on the front pages of our newspapers. Hacking and cyberattacks appear to be becoming more commonplace and involving an ever-increasing range of wrongdoers: from vandals to nation states and terrorist groups.
The risk around cyberattacks has been magnified by new data protection and financial crime laws, at home and abroad, that have come into force in the last few years. They are generally backed by fearsome powers with which to hammer the non-compliant.
In the UK, cyber security around personal data is covered by the General Data Protection Regulation (GDPR). The Security of Network and Information Systems Regulations 2018 relate to cyber security of critical national infrastructure. Most industry or sector regulators are looking to tighten their oversight of security and regulatory expectation is evolving. The FCA has been particularly vocal in this space, setting an increasingly higher bar for financial services firms.
Enforcement risk
The ICO is now tooled up with greater financial penalties. Due to the GDPR, fines have been lifted from a maximum of £500,000 to an eye-watering £17m or 4 per cent of annual global turnover (whichever is the greater).They have also been given a larger budget with which to recruit a bigger team to investigate breaches and enforce the new laws. At the same time, the FCA has made good on its recent speeches about the importance of cyber security resilience and on 1 October 2018 it fined Tesco Bank an unprecedented £16,400,000 following an attack by cyber criminals.
For organisations with a European or global footprint the picture is even more challenging when a cyberattack occurs, with competing regulatory priorities creating their own risk, including the threat of financial penalties issued by multiple authorities.
Reputational risk
Reputational harm predominantly impacts in three ways: (1) customer loyalty is eroded or lost; (2) compensation claims are triggered (see Litigation risk below); (3) negative share price effects are felt.
By way of example of this last issue, in 2016 Yahoo publicly announced a historic data breach and suffered a 6.5 per cent drop in the value of its stock. Recent research has also suggested that for listed companies the aftershock of a cyberattack is felt long after the event, with share prices underperforming against a company’s peers for at least a year after details of an attack are publicised.
Litigation risk
Whilst litigation risk is rapidly evolving, in particular in relation to distress and inconvenience, the fundamental claims around data breaches are well-established in case-law. Of particular note is the recent case of Google Inc v Vidal-Hall [2015] EWCA Civ 311 where the court held that compensation for a data breach was possible with respect to distress alone.
Article 80 of the GDPR allows for data subjects to mandate a consumer protection body to bring compensation claims on their behalf. Indeed, in Various Claimants v WM Morrisons [2017] EWHC 3113 QB the first litigation under a group litigation order came before the Courts. The Morrisons case was brought under the Data Protection Act 1998 and shows the evolving landscape was in place before GDPR even came into force. In addition, the Financial Ombudsman Service (FOS) has indicated that it is gearing up its complaints handling teams for increases in volumes of claims for distress and loss caused by data breaches.
Historically, awards made by the FOS for distress have been low (under £500 per claim) but this still presents considerable risk where a data breach impacts thousands, tens of thousands or even millions of consumers. We therefore have a ripe breeding ground for a data breach compensation culture to generate.
What does the future hold?
Expect to see higher volumes of litigants with a clear cause of action and a motivation to seek compensation.
This will be coupled with acute regulatory enforcement risk and the clear reputational impact that tends to follow an attack. It is critical therefore that companies regularly rehearse their response to cyberattack to give them the best possible chance of mitigating those risks and the inevitable cost when – and not if – it happens.