Out-Law Analysis

Financial firms can hedge data breach exposure risks
ANALYSIS: Financial services firms can hedge the risks of significant data breach claims being raised against them under the General Data Protection Regulation (GDPR) by investing in staff training and avoiding pitfalls highlighted by a major regulator.

Businesses face huge fines from regulators and potential 'class action'-style compensation claims from people impacted by a data breach. With the financial services market booming, firms in the sector are particularly prone to being targeted by cyber crime. It is imperative financial firms take action to hedge the risks they face.

Cyber crime

Few of us believed in the midst of the banking crisis in 2008 that the World Economic Forum (WEF) would be publishing a white paper 10 years later predicting a 'golden age' in financial services. The sector is prospering.

Yes, there are many significant challenges, such as long-term low interest rates, the risks inherent in decentralised financial systems, and the upheaval of the political system as power shifts to non-state actors. However, the convergence of payments disintermediation, data aggregation and digitisation – all of which will be optimised through the use of artificial intelligence (AI) – brings a certainty to the trajectory of significant revenue growth opportunities for technologically-savvy banking and insurance providers.

It is a truism that where there is money there is crime. For the first time, 'cyber attacks' and 'data fraud or theft' have been identified among the top five risks to world economic growth in terms of likelihood, in the World Economic Forum's Global Risks Report 2018.

Any senior executive engaged in horizon scanning will be concerned about the number of reliable third parties raising the red flag around the threat of cyber attacks to critical infrastructure and strategic industrial sectors, aimed at causing a material disruption to economic activity.

As a risk professional, this translates into the need to ensure that the c-suite carves out time in the diary to practise the incident response plan. As a commercial litigator, this translates into ensuring that you have an operational disaster recovery plan and an IT back-up plan to help restore access to your critical data and, importantly, access to personal data in a timely manner.

That is a central requirement under the General Data Protection Regulation (GDPR). Yet the insurers tell us that, in their experience, back-ups, or rather the lack of them, are too often the issue that paralyses the business.

It is important that someone in the c-suite takes responsibility for ensuring that, on a day to day basis, access to critical data and personal data can be restored.

According to a recent report by PwC in Ireland, "cybercrime has taken over from asset misappropriation as the most prevalent economic crime". It said that "the incidence of cyber crime (61%) in Ireland is double that experienced by global companies (31%)".

While financial institutions are turning to process automation to seek to detect emerging cyber crime threats, cyber criminals are likewise turning to early stage AI technology tools to perpetrate their crimes.

A Forbes article last year noted that "the cost of the computing power needed for many AI applications has previously been a barrier to all but the most sophisticated, well funded criminal players, but that is coming down rapidly … We are beginning to see both offence and defence using automation, machine learning and artificial intelligence to counter each other's moves".

Data breaches

Data breaches are one of the most common forms of cyber crime. There can be some confusion about what does and does not constitute a data breach. Breaches can be categorised according to the following three, well-known information security principles. Depending on the circumstances, a breach can concern any combination of these:

  • confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, personal data. An example of this would be where information on the pay and benefits of staff is accidentally disclosed externally.
  • availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, personal data. Ransomware is an example of such a breach. Another example would be the destruction of the incorrect data set as part of a deletion/destruction process on foot of a data retention policy.
  • integrity breach – where there is an unauthorised or accidental alteration of personal data. An example of this would be where the incorrect set of data subjects has changes made to their personal data automatically.

In her recent annual report, Irish data protection commissioner Helen Dixon included examples of data breaches. They include:

  • inappropriate handling or disclosure of personal data such as improper disposal, third party access to personal data – either manually or online – and unauthorised access by an employee;
  • loss of personal data held on smart devices, laptops, computers, USB keys and paper files;  
  • network security compromise/website security breaches such as ransomware, hacking, website scraping.

Fines

Data breaches do, and will, happen, as more and more of our daily activities become digitised. This reality is reflected in the GDPR – data breaches fall within the lower of two tranches of regulatory fines, meaning firms that experience a major breach can be hit with fines of up to €10m or 2% of worldwide turnover, whichever is higher.

Whilst much has been written about the significant levels of regulatory fines that GDPR introduced for infringements, less has been mentioned of the new private rights of action that GDPR created.

Compensation claims in the courts

Under Article 82 of the GDPR "any person" who suffers material or non-material damage, such as distress, as a result of an infringement such as a data breach has the right to compensation – financial loss does not need to be shown by a claimant.

Keeping data safe and secure is one of the core principles of GDPR. All companies are required to have adequate security in place to make sure that happens and to have considered data security when they initially collected the personal data, and during its processing.

Importantly, the right to compensation does not appear to be limited to the data subject and so could potentially include a spouse or children. Likewise, it appears to cover a legal or natural person and so could potentially include a compensation claim by a business partner or company.

It remains to be seen how widely 'any person' will be interpreted by the courts, but commercial litigators are already considering its potential from a litigation strategy perspective for clients. It is foreseeable that the damage that might flow from a data breach could affect more than the data subject concerned.

The GDPR specifically makes reference to a number of examples of damage that might flow from a data breach, such as discrimination, identity theft or fraud, damage to reputation, or loss of control over personal data.

Financial services and insurance companies hold a lot of personal data, so data security is an ongoing priority for them. In future, data breaches are likely to result in proceedings in the civil courts by individuals affected. The proceedings may well involve discovery and so a company's 'fitness for purpose' when it comes to GDPR compliance may well come into the public domain, thus potentially triggering a regulatory investigation if it falls short of the legal standard. In Ireland these proceedings will be brought in the Circuit Court or the High Court.

The question many practitioners are asking is: what level of compensation awards will be made by the courts?

It was initially thought that a schedule of damages would be recommended at European level, but it now looks like this will be left to the member state courts. That in itself is expected to lead to ‘forum shopping’ by litigants to jurisdictions that tend to give more generous damages awards.

Even if the award was €750 per person for a data breach that would be a significant unanticipated cost for a company if 100,000 people were involved. What if it happened twice? As the responsible senior executive you would certainly want a paper trail to evidence that you had taken all reasonable measures to prevent the breach.

Hedging the risk

In addition to ensuring that you have adequate insurance cover for the new compensation claims that may flow from data breaches under GDPR, firms should follow the useful and practical advice provided by the Irish data protection commissioner in her most recent annual report. She made clear that many organisations were ignoring staff training and the importance it plays in preventing data breaches, given that social engineering plays such a significant role in cybercrime.

The watchdog highlighted a series of "poor governance and practices" in cases where organisations had been attacked by ransomware:

  • A lack of staff training and awareness regarding threats posed by ransomware;
  • Poorly configured email and web filtering environments or security appliances;
  • Not ensuring that all computing devices, including servers, were regularly updated with manufacturers' software and security patches;
  • Poor password policies and a lack of multifactor authentication for remote access;
  • Poor access controls, specifically the use of shared accounts (roles), and elevated or super user accounts (administrator accounts) on devices without a business need; and
  • Failure to update antivirus and anti-malware software with the latest definitions.

All c-suite executives should satisfy themselves that their company does not fall foul of the poor governance and practices identified in the report.

Staff training

Data breaches will open organisations up to greater public scrutiny around their fitness to handle personal data and greater exposure to financial losses from data breaches on foot of compensation claims. A company's staff are either the first line of defence or the weakest link and training in the proper handling of personal data is central to making sure they are the former.

Companies will hedge their exposure to the risks if they make sure that they address the areas of governance and practice highlighted by Ireland's data protection commissioner on an ongoing basis. The proper management of personal data has a capital cost attached to it but personal data is also the new ‘oil’ of our age, so having the skills internally to manage it will be the differentiator of businesses in future.

Ann Henry is a Dublin-based data protection law expert at Pinsent Masons, the law firm behind Out-Law.com. A version of this article was first published by InCompliance, a magazine issued by the International Compliance Association.
