Data Breach Agony - How to limit the likelihood of eye-watering fines

Over 50% of medium and large UK businesses reported suffering a cyber security breach or attack in the twelve months between April 2022 - April 2023, and over 20% of those businesses said they experienced a breach or attack on a weekly basis.

The recent spate of high-profile data breaches has brought security incidents to the forefront of many businesses' minds and the incidents highlight that no sector is immune to the effects of a data breach. Every organisation now holds personal data in some form, from retail giants to charities and police forces to pension funds, and in today's digital landscape data breaches are an inevitability which organisations must be prepared to address.[1]

The detrimental impacts of a breach can be significant for any business and include hefty financial penalties long-term reputational damage and the risk of individual claims and class actions. Under the UK GDPR a business can be fined up to £17.5 million or 4% of annual worldwide turnover (in the EU this is €20 million or 4% of global annual turnover). The repercussions are eye-watering for any business, however we have used our expertise to bring together a range of legal and practical steps any business can take to prepare for and mitigate the impact of a data breach:

• Familiarise yourself with your organisation's legal obligations - when a personal data breach occurs, UK law generally requires an organisation to report it to the Information Commissioner's Office within 72 hours. If you deem the breach to be high-risk, affected individuals must also be notified. If you are a data processor, and you suffer a data breach, then you must inform the relevant controller without undue delay as soon as you become aware of the breach.

• Carry out rigorous security audits of your suppliers (both at the outset of the relationship and on an ongoing basis) – threat actors are increasingly seeking out vulnerabilities in businesses' supply chains, particularly targeting those companies which provide services to customers who are likely to hold sensitive or confidential information. UK entities are legally required to carry out due diligence checks on their suppliers and any contracts must include an obligation on the supplier to implement and maintain appropriate security measures and to notify the customer if its data is affected by a data breach.
• Ensure you have contractual protections with suppliers, such as warranties regarding how your personal data will be processed and handled and indemnities against claims and costs (including regulatory fines) arising from the breach.
• Regularly audit and invest in your organisation's IT security systems to identify and patch any vulnerabilities.
• Provide frequent staff training, including through mock phishing tests - employees continue to be the most common root cause of cyber-attacks.[1]
• Review your organisation's operations globally and catalogue all relevant breach notification laws and regulators to ensure that you can comply with local breach notification requirements. Depending on the nature of your business and the countries it operates in, regulators may include data protection authorities, financial services regulators, cyber-security agencies and even national banks.
• Implement an incident response plan, clearly defining the roles for stakeholders including PR, legal, regulatory, privacy & infosec teams.

Preparing for and managing a data breach can be a daunting task. If you would like to speak to one of Fieldfisher's data breach experts, or register for a free demonstration of the Data Breach Manager Service, please get in touch via Fieldfisher's website.

With thanks to Solicitor Tom Moody, author of this article.