Data loss - liability, reputation and mitigation of risk
With an increasing number of security breaches hitting the headlines, there is, unsurprisingly, a growing awareness amongst regulators and the public alike of data security.
The risks to businesses of being involved in a data loss incident are high. Criminal sanctions under the Data Protection Act are well established, but other regulators like the Financial Services Authority (FSA) are also willing to flex their enforcement muscles. In the last three years, the FSA has levied substantial fines against several of its members for security breaches.
Bad publicity is another potentially lethal sanction. A recent study by Ponemon showed that 31 per cent of respondents terminated their relationship with an organisation on receiving notification of a breach of data security.
Finally, where third party suppliers are dealing with data, security breaches can lead to termination of their contract and liability for losses incurred.
Mitigating legal risk
Contracts under which third party suppliers handle customer data should provide for clear lines of responsibility. It is ultimately the data controller's responsibility to ensure that its suppliers treat data carefully, but the supplier will also require the data controller's assistance to minimise damage if a breach should occur. Such contracts should:
- clearly spell out each party's responsibilities - security measures should be specific and clearly identified (ie within a security schedule) and should be achievable
- set out some basic controls in the event of a data loss or breach - the parties should co-operate to prevent further damage
- have indemnity and termination provisions which specifically address the issue and the consequences of data loss on the supplier's part
- contain specific provisions for press statements to be mutually agreed, so that neither party can depict the other as the scapegoat.
Businesses should have robust data security measures. In particular:
- human and operational controls - to ensure effective training for all staff who handle the customer data, so that staff clearly understand what their responsibilities are. (This is particularly important where a third party supplier is handling the data of individuals on behalf of different customers, who may have different policies and needs.)
- technical measures - which must be robust and backed up by an audit trail to demonstrate that they are tested and effective for the specific data and contractual requirements. (For example, protective measures such as access control (ie passwords), firewalls and encryption where appropriate should be fit for purpose.)
Instant and intense media scrutiny can be expected in the event of data loss, so businesses should plan in advance how the situation will be handled.
- You will need to establish the exact facts very quickly and present a coherent explanation showing that you are in control.
- If there is doubt as to what has happened, you are entitled to prevent the media pointing the finger until the facts are clear.
- Be careful about blaming a third party - check whether you are contractually entitled to do so and consider the risk should you be wrong.
If it is clearly your fault, a prompt public apology combined with a clear explanation as to how you will mitigate any damage caused may be the most effective way of defusing
This article is reproduced from Eversheds e80 service. You can find out more about Eversheds e80 and search the Eversheds e80 archive at www.eversheds80.com. e80 is provided by Eversheds for information purposes only and should not be regarded as a substitute for taking legal advice. It is reproduced here by kind permission of and is © Eversheds.