Whilst prevention is the best cure for cyber incidents and data breaches, no organisation can consider itself untouchable, and employers must be prepared for the worst. In this article, our Employment Law experts explore how an employer should respond to cyber incidents and data breaches.
Why is This an Issue for Employers?
Cyber-attacks and data breaches are a wide-scale problem in the UK. Research conducted by Vodafone recently revealed that 54% of SMEs had experienced some form of cyber-attack in 2022. In January, sportswear retailer JD Sports admitted that it had been the victim of a cyber-attack that could have put data relating to 10 million customers at risk.
Cyber incidents can take many forms. Malware may infect a company’s servers, phishing attacks are increasingly common and sophisticated, and denial-of-service attacks continue to be a risk to businesses. Rogue or negligent employees also pose a risk.
Data protection laws impose specific duties and obligations on employers that suffer data breaches. For example, more serious data breaches must be reported to the Information Commissioner’s Office (ICO) and/or the individuals affected. There are also stringent timescales for those reports to be made, meaning employers must quickly react to data breaches. Robust internal processes should also be implemented for monitoring, detecting, investigating and reporting incidents.
To avoid breaking the law, it is therefore important that employers are aware of the steps to be taken if a data breach occurs.
What is a Personal Data Breach?
Personal data is any information relating to an identified or identifiable living individual, that is, a person who can be identified, directly or indirectly, from that information. Examples of personal data include a name, identification number, location data, online identifier, or one or more factors relating to that person’s physical, physiological, genetic, mental, economic, cultural, or social identity.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss or alteration of personal data, or to its unauthorised disclosure or unauthorised access to it. A breach is therefore not limited to data being stolen: data that is encrypted by ransomware, deleted by mistake or made unavailable is also a breach. Such breaches could impact the personal data of employees or clients.
Personal data breaches can take many forms, including:
- access by an unauthorised third party
- deliberate or accidental action (or inaction) by a member of staff
- the sending of personal data to the incorrect recipient
- devices containing personal data being lost or stolen
- alteration of personal data without consent
- loss of availability of personal data
High street retailer WH Smith recently reported that it had been hit by a cyber attack which saw hackers access the data of its staff, including names, addresses, National Insurance numbers and dates of birth.
What Must an Employer Do Upon Becoming Aware of a Personal Data Breach?
The employer must take initial steps to limit the breach and undertake suitable remedial measures to prevent further personal data breaches.
An employer must also document any personal data breach, including the facts relating to the data breach, the impact of this, and any remedial action taken. The ICO may demand to inspect these records, so accurate records will help the employer demonstrate compliance.
However, it is not necessary in every data breach to notify the ICO and the individuals impacted. Whether an employer’s reporting obligations are triggered will depend on whether the relevant reporting threshold has been met.
How Can the Employer Assess Whether the Threshold for Reporting to the ICO is Met?
The ICO must be notified unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. The default position is therefore to notify; it is for the employer to be able to justify a decision not to.
When assessing whether a notification must be made to the ICO, the employer must consider the following factors in addition to the likelihood, severity and potential impact of the risk:
- Type of breach
- Nature, sensitivity, and volume of personal data
- Ease of identification of individuals
- The severity of consequences for individuals
- Special characteristics of the individual
- Number of individuals affected
- Specific characteristics of the employer
What Information Must The ICO Be Provided With When Notifying Them of a Breach?
At a minimum, the ICO must be provided with a description of the following:
- The nature of the breach, including the approximate number of individuals affected and the categories of data that have been breached;
- Contact information for the employer’s data protection officer or another point of contact;
- The likely consequences of the breach; and
- The measures taken or proposed by the employer to address the breach.
What is the Timescale for Reporting a Breach to the ICO?
Employers must report notifiable breaches within 72 hours of becoming aware of them.
Laws in this area acknowledge that it will not always be possible to fully investigate a breach within 72 hours. It is, therefore, permissible for the employer to provide the required information in phases if they don’t have all the information available at the time. The initial notification should still be made within the 72 hours, and the remaining information must follow without undue further delay. Where the initial notification is made late, the employer must also explain the reasons for the delay.
What are the Consequences of a Failure to Notify The ICO?
In addition to reputational damage, failing to notify the ICO in breach of obligations can result in a significant fine of up to £8.7 million or 2 per cent of a company’s total annual worldwide turnover, whichever is higher. The fine can be combined with the ICO’s other corrective powers.
Do The Individuals Affected by the Data Breach Need to be Notified?
Individuals must be notified where a breach is likely to result in a high risk to their rights and freedoms. This is a higher threshold than that for notification to the ICO. It follows that, where notification to the individuals is required, notification to the ICO will also be necessary.
This notification should be made without undue delay and must clearly describe, in plain language, the nature of the breach. At a minimum, this description must contain the following:
- If the employer has a Data Protection Officer, their name and contact details. In the alternative, details of another contact point so those concerned can obtain further information.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach.
Employers should give specific and clear advice to individuals about how they can protect themselves, such as resetting their passwords (and any other accounts sharing the same password), being alert to phishing messages that refer to the breach, or contacting their bank.
Employers should be aware that there are exceptions to the obligation to notify individuals of a breach. This will be in circumstances where one of the following conditions is satisfied:
- The employer has implemented suitable technical and organisational protection measures that render the data unintelligible to anyone not authorised to access it. The usual example is encryption, but this only applies where the encryption key itself has not been compromised in the same incident.
- The employer has taken subsequent actions to ensure the high risk to the rights and freedoms of those affected is unlikely to transpire.
- Notifying each individual would involve a disproportionate effort. In that case, an equally effective method of informing those affected, such as a public communication, must be used instead.
Practical Tips
Last year, we wrote about the pre-emptive measures that an employer can take to put the right systems and processes in place to prevent data breaches from occurring entirely or mitigate the damage they cause.
When considering the guidance in this article around how to react to a data breach or cyber incident, employers should keep the following tips in mind:
- Keep a record of any personal data breaches, irrespective of whether they meet a threshold for notification.
- Where there is doubt as to whether the obligation to notify a breach arises, employers should err on the side of caution.
- Have a process in place to assess the likely risk to individuals due to any breach.
- Have a process in place to inform individuals affected by a data breach where their rights and freedoms are at high risk, being aware this is to be done without undue delay.
- Have a process to notify the ICO of a breach and be aware of what information they must provide and the timescale for doing so.
- Investigate whether the breach was due to a human error or a systemic issue and investigate how a recurrence can be prevented.
At Myerson, our team of expert Employment lawyers are adept at advising on GDPR and data protection issues. We are on hand to support you in achieving compliance with data protection legislation.
Contact Our Employment Law Solicitors
If you need advice on a cyber incident, or you have any other queries, please contact our Employment Law team today on: