Litigation and regulatory investigations related to data breach on the rise, lawyers warn.
With new data breach legislation coming into force for telecoms companies in the UK this week, experts in the area are anticipating a new era of tough regulation on companies which fail to protect their clients' and employees' data.
Peter Hustinx, European Data Protection Supervisor, faced an audience of leading insurers and corporates when he took part in a seminar on data breach risk management.
At the event, hosted by international law firm Clyde & Co in London, Peter Hustinx stressed that the problem of data breach was increasing and becoming more visible across all sectors. He cited a "lack of sensible data management and governance" as well as a "lack of management and boardroom responsibility". Technology must also be used more effectively to ensure that "privacy is built in from the start".
Peter Hustinx acknowledged that whilst businesses are concerned by the complexity and burden of multi-jurisdictional regulation, the EU was working with member states and other governments to achieve greater harmonisation. The global flow of data means that international cooperation is critical to protect sensitive data.
From 25 May 2011, electronic communication providers in the UK will need to comply with the requirement to notify both regulators and individuals in the event of data breach. Peter Hustinx was clear that this is the first phase in a larger EU data breach notification project and he anticipated that similar rules for all data controllers will follow in the next two years. This will move the EU environment closer to that which exists in much of the US. As with US regulations, EU law will apply to EU citizens wherever they are located and will cover data held 'in the cloud' as well as data held using traditional outsourcing models. Peter Hustinx predicted that the EU will see more enforcement, individuals will have the opportunity to bring group claims and disparate international data breach regulations will become aligned.
Clyde & Co San Francisco partner Joan D'Ambrosio stressed that US federal and state regulators are "gearing up" to investigate and prosecute more breaches, resulting in increasing expenses to respond, as well as regulatory penalties and injunctive relief. Class action litigation stemming from data breaches is also on the rise with significant settlement and breach costs running into the tens of millions of dollars.
At present in the US, the majority of data losses are due to system failure (failure to follow policies; failure of technology) or negligence (lost paper files; lost devices; improperly discarded materials; employee and vendor errors) rather than malicious attack (theft; hacking; virus/malware attacks). In addition to theft of individuals' information, theft of corporate information is on the rise. The wide range of possible losses combined with increased regulation means that corporates' exposures will increase.
Although Joan D'Ambrosio noted that the US courts have so far resisted attempts by claimant legal representatives to obtain class action certification in data breach lawsuits where no actual identity theft can be established, the huge costs for US corporates rest in the breach response, including the costs of notification, PR, credit monitoring, IT investigations, call centres and legal fees, in addition to regulatory investigations. The time limits are tight, and she warned that the quicker the response, the more expensive it can be for the corporate. Due to increasing regulations, costs are increasing: from USD140 per record in 2005 to around USD210 today.
Amanda Chandler, the global privacy manager of Vodafone, discussed the challenges of data protection in a global company as well as data breach obligations in multiple jurisdictions. She warned: "Don't wait for new laws to do the right thing." The initial costs of prosecution, imprisonment, fines and compensation for data breach can be dwarfed by reputational damage, stock market devaluation and the cost of rectification.
Amanda outlined Vodafone's data breach incident handling strategy, driven from Board level down, highlighting its objectives of 'command, control and co-ordination'. She particularly stressed the need to tightly control communications in a data breach situation, and that doing so requires swift root-and-branch action.
Many companies are buying insurance products designed to specifically cover data breaches and are also seeking coverage under other more general insurance products. Clyde & Co Commercial/IT/IP partner Mark Williamson, who specialises in providing commercial law advice to the insurance sector, chaired a panel of leading insurers who explored the insurance sector's response to data breach.
Phil Mayes, Head of Technology PI at Zurich Global Corporate, said he had seen a marked increase in interest from corporates for specific global data breach cover as the real and significant risks of data breach become better understood. He also noted that the London Market sees data breach as a global issue, warning corporates that a data breach policy that doesn't provide global cover is not worth buying.
Emily Freeman, executive director for global technology and privacy risks at Lockton Companies, LLP, noted that the London Market sees insurance for data breaches in a global context. Data breach problems are having an effect on the structuring of professional indemnity cover. She cautioned that "insurance is not a substitute" for data breach prevention but a way of managing residual severity risks, and she would expect any corporate to have sound IT and risk management strategies. Data protection needs to be a corporate enterprise issue and "compliance must be a top-level priority".
Emily Freeman also pointed out that: "In the age of outsourcing and offshoring, data doesn't sit within your own four walls". She noted that corporates are struggling to improve vendor risk management. Taking data outside the direct control of its owner profoundly changes the nature of the risk. Due diligence, contractual protection, and insurance requirements regarding security and privacy liability are key to protecting privacy in an outsourced arrangement.
Beth Diamond of Beazley, who specialises in dealing with data breach claims, agreed and pointed out that while corporates often give priority to IT security, it is easy to forget physical security: "In difficult financial times, employees can be your greatest risk so training and policies are essential."
In closing, Clyde & Co partner Paul Newdick said: "Data breach is a complex cross-sectoral, cross-jurisdictional issue. As we've seen in recent news reports, the costs of a global data breach can be hugely damaging to companies in both financial and reputational terms. Organisations must ensure that they have robust data protection and privacy programmes in place, not least with the anticipated requirement of mandatory notification. If a data breach does occur, rapid incident control is critical."