Data security breaches are much in the news, with brands such as Mossack Fonseca, TalkTalk, Ashley Madison and Sony PlayStation gaining unwelcome notoriety.
Data security breaches can put individuals at risk and cause them loss; they also expose the company to claims, fines and other potentially very serious consequences.
Aside from the potential for substantial damage to the brand and goodwill, the importance of cyber security is heightened by key legal developments such as:
- The new General Data Protection Regulation (GDPR) coming into force in May 2018, which provides for substantial fines for non-compliance with data security requirements of up to 2% of annual worldwide turnover or €10 million, whichever is greater.
- While there is currently no legal requirement to report data breaches, allowing many breaches to go under the radar, as from May 2018 there will be a legal requirement to report a data security breach.
- The Courts have decided that damages can now be awarded for breach of privacy even where no financial loss was suffered, and the amount of damages being awarded is increasing substantially.
This is, therefore, no longer an issue just for IT departments, but must be on the agenda for every Board of Directors.
How can we help?
We work with clients on data protection compliance and to manage cyber security risk. We can help with the following:
- data protection compliance audit to identify areas where greater compliance may be needed and where cyber risk can be mitigated;
- drafting information security policy and data breach response procedures;
- reviewing data processing and data transfer agreements, including apportionment of liability by limitation and indemnity clauses;
- due diligence on service providers or acquisition targets;
- provision of data protection training to staff.
In the event of a data security breach incident we can provide rapid legal support to mitigate risk:
- compliance with reporting requirements (FCA, PCI DSS, ICO);
- communications to data subjects, service providers and other stakeholders;
- defensive regulatory actions, where necessary drawing on the expertise of our business crime team;
- handling claims involving data subjects or service providers;
- complementary expertise – technology, financial services, corporate governance, business crime, employment, litigation.