A recent survey by Comparitech has highlighted the long-term effects of a data breach. In addition to the harm caused by a breach to a company’s reputation, staff retention and sales, data breaches can have a lasting effect on the share price of companies too. The survey looked at the share price of 34 US-listed companies who had suffered a breach. It found that share prices fell by 3.5% directly after a breach but that the long-term effects were greater – average share price had dropped by 15.6% three years after a breach and the average company underperformed against the market by the same margin.
So, given the long-term effects of a data breach, are organisations trying to cover up breaches? And what happens when they do? Last year’s charges by the US Department of Justice (DoJ) against Uber’s former Chief Security Officer, Joe Sullivan, in connection with the cover-up of a data breach that Uber suffered in 2016, give us some indication of the way regulators are thinking.
Some technical terms are used in this note. If you are not sure what these terms mean you can use the glossary at www.bit.ly/gdprwords.
What happened in the Uber case?
Uber suffered a cyberattack in November 2016. The attack exposed data from 57m customers and drivers. According to Uber no financial details or journey records were taken by the criminals but they were paid $100k in Bitcoin to cooperate. The payment was disguised as a “bug-bounty”. Bug-bounty payments are normally used to identify small code vulnerabilities.
In November 2017 Uber’s new CEO made the breach public. He said he had only recently become aware of the breach and that he had only joined the company in 2017.
What does the DoJ say?
The DoJ charged Sullivan with “obstruction of justice and misprision of a felony” in connection with the attempted cover-up of the 2016 hack. The complaint says that whilst Sullivan was Uber’s CSO two hackers contacted him and demanded a six-figure sum in exchange for silence. The complaint says that Sullivan took deliberate steps to conceal, deflect and mislead the Federal Trade Commission (FTC) about the breach. US Attorney David Anderson said “Silicon Valley is not the Wild West. We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate cover-ups. We will not tolerate illegal hush money payments”.
It is important to say that whilst Sullivan has been charged he has not been convicted – as the DoJ has emphasised, all defendants are presumed innocent until proven guilty beyond a reasonable doubt. If convicted, Sullivan faces a maximum penalty of five years in prison for the obstruction charge and a maximum of three years in prison for the misprision charge.
What does GDPR say?
The provisions relating to information security continue to be one of the most talked about elements of GDPR. Prior to GDPR coming into force there were already data breach reporting requirements in some countries in the EU (for example in Austria, Germany and the Netherlands) and there were also EU-wide data breach reporting obligations for some sectors (e.g. telecoms). GDPR, however, for the first time introduced universal mandatory data breach reporting requirements across the EU. And enforcement under GDPR has been significant. To date more than 750 fines have been levied under GDPR. Many, but not all, deal with the security obligations.
Under GDPR Art.33 most data breaches will have to be communicated to a regulator within 72 hours. Under GDPR Art.34 some data breaches also have to be notified to data subjects. There is also a general obligation to be transparent with data subjects about the way in which their data is handled in GDPR Art.5(1)(a). Pre-GDPR there had been cases in the EU where regulators interpreted the transparency obligation to include a duty to tell those potentially affected by a data breach of the breach. In addition, we are seeing a real rise in subject access requests and it is likely that most data breaches would have to be disclosed if a request were received. There are more details of the GDPR regime at www.bit.ly/gdprfaq.
How should we handle a data breach?
Regrettably, it is a fact of life that every organisation will have a data breach. With this in mind it is important to prepare. For most organisations that will mean having a proper data breach plan. It will also mean regularly rehearsing that plan for example by undertaking training like our Data Breach Academy to test the team and your response. When we have done training on data breaches the need for transparency and truthfulness is one of the key messages that we have concentrated on. There are more details of Cordery Data Breach Academy here https://www.corderycompliance.com/cordery-data-breach-academy-2-2/. There are more tips on handling a data breach here https://www.corderycompliance.com/dealing-with-a-breach/ and a short film here https://www.corderycompliance.com/dealing-with-a-data-breach/.
It is important to remember that a breach is not just limited to lost data. Data beyond reach – for example because of a ransomware attack or a lost encryption key – could also be a security breach. Not every breach of this type would have to be reported, however, as guidance from the WP29 (the forerunner of the EDPB, which has since adopted this guidance) makes clear:
“Therefore, an incident resulting in personal data being made unavailable for a period of time is a security breach (and should be documented), yet depending on the circumstances, it may or may not require notification to the supervisory authority and communication to affected individuals. If the lack of availability of personal data is likely to result in a risk to the rights and freedoms of natural persons, then the controller will need to notify. This will need to be assessed on a case-by-case basis. Furthermore, it should be noted that although a loss of availability of a controller’s systems might be only temporary and may not have an impact on individuals, the fact that there has been a network intrusion could still be considered a potential confidentiality breach and notification might be required. Therefore, it is important for the controller to consider all possible consequences of a breach”.
Processors also have to notify controllers “without undue delay” after becoming aware of a data breach. The WP29 guidance emphasises this, saying “Processors also have an important role to play and they must notify any breach to their controller”. More recently we know that DPAs have looked more closely at the obligations on processors, as a recent case in France, for example, shows https://bit.ly/32YlCDM.
It is vital that a controller has a proper contract in place with all of its processors, including an obligation on the processor to tell the controller without delay. WP29 emphasised in their opinion that the 72-hour clock likely starts running when the processor becomes aware of the breach, not when the processor tells the controller of it, so prompt notification by the processor is key:
“The controller uses the processor to achieve its purposes; therefore in principle, the controller should be considered as “aware” once the processor has become aware.”
It is important to remember that this obligation to report to a DPA can work in parallel to other data breach reporting obligations – for example for financial services businesses and those in the health sector who may have an additional obligation to report a breach. Telecoms and similar companies also have a general data breach reporting requirement under another EU Directive. The extension to the NIS Directive (see https://bit.ly/NISreg2) is likely to bring multiple reporting obligations to many more organisations too.
Under GDPR, DPAs have the power to impose high fines. Three different bands of fines are applied in relation to three different sets of categories of infringements – the highest level is either a maximum of €20 million or 4% of the global annual turnover of a business, whichever is the greater. The fines for failure to notify a breach are set at €10m or 2% of global annual turnover. WP29’s view was that if there has been a security breach a DPA can issue fines both for the lack of adequate security measures (GDPR Art. 32) and for failure to report (GDPR Arts. 33 and 34). Their guidance says:
“It is also important to bear in mind that in some cases, the failure to notify a breach could reveal either an absence of existing security measures or an inadequacy of the existing security measures. In that case, the supervisory authority will also have the possibility to issue sanctions for failure to notify or communicate the breach (Articles 33 and 34) on the one hand, and absence of (adequate) security measures (Article 32) on the other hand, as they are two separate infringements”.
Post-Brexit it is possible for fines to double up again where a breach involves both the UK and the EU. There’s more on the post-Brexit GDPR regime here https://bit.ly/brexdpfaq.
What about other liability and compensation?
In the US one of the emerging trends we have seen is the rise in class actions following a security breach. It is important to remember that GDPR strengthens the opportunity for people affected by a breach to bring their own proceedings. One of the features of 2021 has been the higher number of threats we are seeing across our desk to bring compensation claims after a breach. We’re seeing many threats of group actions after a data breach from both customers and from employees and ex-employees. The potential for litigation means that extra attention needs to be given to a company’s transparency obligations.
What did European Data Protection Regulators do in the Uber case?
The UK’s DPA, the Information Commissioner’s Office (ICO), launched its own investigation in 2017 shortly after the new CEO’s confession. The ICO said it felt it should have been notified when the data breach took place and said that it was in direct contact with Uber. The ICO said at the time “deliberately concealing breaches from regulators and citizens could attract higher fines from companies”. A similar investigation was launched by the Dutch DPA, since the Dutch DPA is Uber’s post-GDPR lead DPA in the EU. The Dutch DPA also criticised Uber for not reporting the breach promptly and issued a fine of €600,000 in November 2018. The same month the ICO fined Uber £385,000 (against the pre-GDPR maximum of £500,000).
It is also important to remember that public companies particularly have additional obligations not to mislead. It was as a result of those obligations that both BA and Marriott announced the ICO’s notice of intent to fine them. More recently a number of organisations have announced data breaches even without the threat of regulatory action looming. Listed entities will also need to give consideration to share trading – various offences can be committed if insiders trade shares knowing of a breach before it is public knowledge.
It is important to remember that public companies also have responsibilities to be honest in their financial accounts. In addition organisations could fall foul of bribery legislation depending on how payments are made or to whom. In some countries there is an obligation to inform law enforcement if an offence has been committed. Making payments could also offend a whole host of other legislation including money laundering or the funding of terrorist organisations depending on the circumstances.
In September 2018 Uber announced that it was to pay $148m to settle legal action in connection with the attack. The settlement was in connection with legal action from the US Government and 50 states over its failure to disclose details of the loss and hiding the breach from the regulators. It has been reported that separate legal action from drivers, customers and the cities of Los Angeles and Chicago was not included in that settlement.
What about ransomware?
Similar rules will apply with ransomware. We have written about the rise in ransomware (see here https://www.corderycompliance.com/client-alert-ransomware-covid19-and-upgrading-defences/) and we have also written about the Blackbaud attack where it seems that a ransomware demand was met (see here https://www.corderycompliance.com/3rd-party-ransomware-risk-blackbaud/). Organisations will always need to exercise extreme caution when making payments to criminals. In some cases there can be a conflict between a company and its insurers, as it may be in an insurer’s interest to make a payment to minimise their liability even though that may not be in the company’s best interests.
Each incident will be different, but there are many things that organisations can do to harden their defences, including:
- Making sure you have proper data breach plans in place and that you rehearse them regularly.
- Making sure that your data breach team can act quickly.
- Training employees and raising awareness about cybersecurity and their need to keep the company’s compliance team informed.
- Reminding employees of other compliance obligations – for example paying a ransom or making a payment to make an attack go away could infringe other laws including money laundering regulations or the UK Bribery Act 2010.
- Involving regulatory and communications specialists in the data breach team, including external help when needed.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
There are more details of the Comparitech survey here https://bit.ly/3vmqYVJ. Details of the Uber case are here https://bit.ly/3vtOCPV.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|---|---|
|Office: +44 (0)207 075 1784|Office: +44 (0)207 075 1785|