Cyber Insurance, Privacy and Data Security Newsletter - June 2015
Published 18 June 2015
Whilst we are still reeling from the ground-breaking Vidal-Hall decision earlier this year, the ICO has also issued some interesting guidance and publications which have themselves progressed the interpretation of existing data protection law.
The ICO's guidance on the issue of monetary penalties ("fines" to you and me) is one such publication which reveals a great deal of information as to why it will issue monetary penalties. A copy can be found here. Risk management issues can be drawn from this guidance, some of which might be surprising. For example, the guidance indicates that fines are effectively means tested so that bigger companies will face higher fines. How companies respond to data breaches is also crucial to whether the ICO will issue fines, and those companies who take immediate action to close vulnerabilities and offer compensation to affected parties will see the chances of a fine being issued reduced.
In May, the ICO also published the results from a pan-European study into what the public expect from data protection and the data protection authorities ("DPA") themselves. The report outlined a series of recommendations on how DPAs can be more effective in the management and protection of personal data. A copy can be found here. Ultimately, the ICO found that there was no 'one size fits all' view; privacy is personal to the individual and what one person is content to share and on what basis differs from person to person. However, the ICO found that there were common themes in what the public want:
- Control over their data and to know that it is secure and protected;
- Transparency that allows the public to understand what personal data will be used for and why; and,
- An ability to manage personal data, to access, amend or delete the information retained.
The results of this study will no doubt influence the ICO's future priorities in regulating data protection in the UK. Savvy companies will try to take these factors into account when conducting business in order to stay a few steps ahead of the regulatory machine. The "savvy-est" of companies will build their businesses with the public's demands on privacy in mind in order to differentiate to gain a competitive advantage. Just ask Tim Cook of Apple who earlier this month reportedly criticised his web rivals' business models that undermined user privacy.
Across the pond, we are reminded that privacy risks are not restricted to companies with retail customers. Employee data can be a prized hacking target, and a stark reminder came in the form of a cyber-attack on the US Government that reportedly resulted in the loss of up to 4 million current and former employees' personal financial data. If the US government can be breached, what makes any other company immune?
There has also been an interesting legal development in the US on the topic of insurance coverage for cyber risks under existing insurance policies. The judgment demonstrates the limits of trying to claim under existing insurance programmes for losses which might have been better served by a dedicated cyber insurance policy.
And finally, what would any cyber update be without a reference to the EU Data Protection Regulation? Well the breaking news is that the European Council has agreed its version of the wording so that the Parliament, Council and Commission can sit down together and begin to horse-trade their respective positions. Those talks start on 24 June with the incoming Luxembourg Presidency aiming to find a general approach in October to be finalised by the end of 2015. Don't hold your breath!