24 January 2017

Around now, Scots worldwide celebrate the works of Robert Burns. Two lines from his famous work, ‘Tam O’Shanter’, will be spoken at many events: “Gathering her brows like gathering storm, nursing her wrath to keep it warm”. Buffeted by data breaches, hacks or ransomware and with the regulator or affected individuals increasingly willing to make the consequences for business financial, Directors and mangers may empathise with Tam’s imagined vision of his wife’s reaction to his late return.

At the House of Commons Public Bill Committee in October 2016, the new Information Commissioner, Elizabeth Denham, was asked whether she supported moves to introduce director-led accountability so that directors were personally accountable for nuisance phone calls rather than companies. Ms Denham said she would, using the wonderful “game of whack-a-mole” analogy to describe businesses that were fined for data breaches and then went under, only to reappear elsewhere.

Ms Denham was also asked if she would consider placing the Information Commissioner’s Data Sharing Code of Practice and its Direct Marketing Code of Practice on a statutory footing. Again, she said yes: if so, breaches of those Codes would carry a penalty. The present maximum fine for breaching the Data Protection Act (DPA) is £500,000. After May 2018, a new EU data protection regulation will - Brexit or not - raise the maximum fine to the higher of €20m or 4% of global turnover.

The EU’s new regulation represents a sea change. “Privacy by design” calls for “the inclusion of data protection from the onset of the designing of systems”. The regulation extends direct liability to outsourcing: previously contractors were exempt as mere data processors. This has profound implications for businesses. More due diligence will be required. Contract negotiations may become more tortuous. Tenders may become more onerous. The cost of negotiating contracts will rise. One can foresee regular battles of warranties: no-one will want their business on the hook for a nine-figure fine. Cyber insurance may become the norm. Inadequate or no insurance may result in shareholder claims against Boards. Following the “Playstation” breach when 77 million users’ records were compromised, Sony’s insurers sought a court declaration that the commercial general liability and excess policies issued to Sony excluded “defending and potentially indemnifying Sony from class action lawsuits, possible government investigations and other miscellaneous claims.” The case settled out of court.

Thus, it is essential that data management, information security and associated risk issues are kept within the ownership of Boards and under review, using external experts in security to assist them. Boards must ensure staff are aware of the risks and adequately trained. In two recent large fines imposed on a telecoms provider and an insurer, the ICO also commented negatively upon organisations she deemed to have had resources they could have spent on data security but whose Board apparently chose not to.

Directors have a duty to exercise reasonable skill and care. To say data security and risk was left to the IT Manager is unlikely to satisfy the performance of that duty. Directors will be rightly concerned that the UK may be moving towards personal liability for corporate breaches of the DPA. The previous Information Commissioner is also on record as favouring prison sentences where Directors had deliberately flouted the DPA.

Directors might therefore consider adopting the approach of Tam o’ Shanter on his journey home through that gathering storm: – “Glowering round with prudent cares, lest bogles catch him unawares”.

Paul Motion, Partner & Solicitor Advocate prm@bto.co.uk T: 0131 222 2939