Contact Our Employment Law Solicitors
If you need advice on a cyber incident, or you have any other queries, please contact our Employment Law team today on:
Whilst prevention is the best cure for cyber incidents and data breaches, no organisation can consider itself untouchable, and employers must be prepared for the worst. In this article, our Employment Law experts explore how an employer should respond to cyber incidents and data breaches.
Cyber-attacks and data breaches are a wide-scale problem in the UK. Research conducted by Vodafone recently revealed that 54% of SMEs had experienced some form of cyber-attack in 2022. In January, sportswear retailer JD Sports admitted that it had been the victim of a cyber-attack that could have put data relating to 10 million customers at risk.
Cyber incidents can take many forms. Malware may infect a company’s servers, phishing attacks are increasingly common and sophisticated, and denial-of-service attacks continue to be a risk to businesses. Rogue or negligent employees also pose a risk.
Data protection laws impose specific duties and obligations on employers that suffer data breaches. For example, more serious data breaches must be reported to the Information Commissioner’s Office (ICO) and/or the individuals affected. There are also stringent timescales for those reports to be made, meaning employers must quickly react to data breaches. Robust internal processes should also be implemented for monitoring, detecting, investigating and reporting incidents.
To avoid breaking the law, it is therefore important that employers are aware of the steps to be taken if a data breach occurs.
Personal data is information that relates to a person that directly or indirectly allows that person to be identified. Examples of personal data include a name, identification number, location data, online identifier, or one or more factors relating to that person’s physical, physiological, genetic, mental, economic, cultural, or social identity.
A breach may occur if personal data is destroyed, lost, altered or if there is an unauthorised disclosure of (or access to) personal data due to a security breach. Such breaches could impact the personal data of employees or clients.
Personal data breaches can take many forms, including:
High street retailer WH Smith recently reported that it had been hit by a cyber-attack in which hackers accessed the data of its staff, including names, addresses, National Insurance numbers and dates of birth.
The employer must take initial steps to limit the breach and undertake suitable remedial measures to prevent further personal data breaches.
An employer must also document any personal data breach, including the facts relating to the data breach, the impact of this, and any remedial action taken. The ICO may demand to inspect these records, so accurate records will help the employer demonstrate compliance.
However, it is not necessary in every data breach to notify the ICO and the individuals impacted. Whether an employer’s reporting obligations are triggered will depend on whether the relevant reporting threshold has been met.
The ICO must be notified where a breach is likely to result in a risk to individuals’ rights and freedoms.
When assessing whether a notification must be made to the ICO, the employer must consider the following factors in addition to the likelihood, severity and potential impact of the risk:
At a minimum, the ICO must be provided with a description of the following:
Employers must report notifiable breaches within 72 hours of becoming aware of them.
Laws in this area acknowledge that it will not always be possible to fully investigate a breach within 72 hours. It is, therefore, permissible for the employer to provide the required information in phases if it does not have all the information available at the time.
However, this must be done without undue further delay.
In addition to reputational damage, failing to notify the ICO in breach of obligations can result in a significant fine of up to £8.7 million or 2 per cent of a company’s global turnover. The fine can be combined with the ICO’s other corrective powers.
Individuals must be notified where a breach is likely to result in a high risk to their rights and freedoms. This is a higher threshold than that for notification to the ICO. Therefore, as a general rule of thumb, where notification to the individuals is required, notification to the ICO will also be necessary.
This notification should be made without undue delay and must clearly describe, in layman’s terms, the nature of the breach. At a minimum, this description must contain the following:
Employers should give specific and clear advice to individuals about how they can protect themselves, such as resetting their passwords or contacting their bank.
Employers should be aware that there are exceptions to the obligation to notify individuals of a breach. This will be in circumstances where one of the following conditions is satisfied:
Last year, we wrote about the pre-emptive measures that an employer can take to put the right systems and processes in place to prevent data breaches from occurring entirely or mitigate the damage they cause.
When considering the guidance in this article around how to react to a data breach or cyber incident, employers should keep the following tips in mind:
At Myerson, our team of expert Employment lawyers are adept at advising on GDPR and data protection issues. We are on hand to support you in achieving compliance with data protection legislation.