Issues with Data Breach Liability
For many organisations, it is simply a question of when, and not if, a data breach will occur. There are many approaches to data security that a company can take, but these do not fall within the scope of this blog. Instead, we aim to enlighten you regarding data breach liability following a cyber attack. Furthermore, we want you to become better equipped for facing data breach liability issues. Let us hope that you will never fall victim to a serious cyber attack, though, and that this insight will never be needed.
No two cyber attacks are the same and, because of this, there are many considerations to be made. The motivation of the attacker, the damage to the data subject and how the stakeholders are affected are just some examples of the key elements involved. Given the potential liability that can surface, the necessary action following a cyber attack must include consideration of the aims of those suffering the losses. Since GDPR, data subjects have become a prominent focal point for many businesses, and more transparent data practices are being employed across the UK. This is good news because, in this day and age, our personal data is scattered among many companies.
Someone needs to be accountable for losses. Someone needs to pay the ferryman… but who? First, let us look at the bases for claims.
Claims may arise both on behalf of, and against, the company that suffered the data breach. Whether it be an employee, partner or third-party perpetrator, the victim company will seek to claim against the threat actor who ultimately brought about the loss. The victim company will likely also become a defendant to claims brought against it. After all, it is possible that the data breach constitutes a breach of contract, or that the attack followed a failure by the target company to meet basic standards of data protection. There may have been negligence in patching known errors in software, or even just a lack of ability to establish and maintain resilient data protection practices. The limit is, somewhat, the imagination. The company hit by the attack is not the sole victim; it is not the only one experiencing a loss resulting from the data breach.
The data subjects will seek to bring forward claims based on losses in the integrity of their personal data. These may be against the data controller / processor, or against the threat actors who are responsible for the breach. Data subjects can do this individually or on a group basis.
Who else wants a piece of the pie?
There is also the potential for third parties to raise claims. These will be based on losses suffered more indirectly as a result of the data breach, for instance where there has been a wider impact on a supply chain involving other organisations.
Where they seek to prevent unauthorised access to data, third parties may bring forward claims to secure the recovery of data assets held by the victim company, whether or not this data was affected by the breach. This will be in an effort to protect the interests of the rightful owners of such data. They may also seek to acquire information that will lead to the identification of those responsible for the data breach.
Central to all defences against liability will be the exact contractual obligations that are said to have been breached; the facts upon which it is said that the supposed threat actor is responsible; or the basis upon which some level of duty has been imposed as a result of the breach.
Companies can make counterclaims against sanctions or regulatory action with regard to the nature and imposition of any action or penalty, as well as seeking to challenge the bases for the original regulatory decision.
There will be questions of civil and criminal law. Independent regulators will need to be involved. Stakeholders will need to be kept in the loop. Because of this, a full landscape view of the liabilities facing a victim company needs to be considered. This will be covered in further blogs on the topic of Data Breach Liability to follow.
This short piece is the first in a series of blogs on data breach liability.
The second blog will outline the full landscape view of data breach liability.
Nicholls Law, Experts on Data Breach Liability