Tughans Solicitors

Managing the Fallout: Business Strategies and Legal Implications in the Wake of the PSNI’s Data Breaches

Andrew Kirke
Partner

Sector: Contracts and Technology

T: +44 (0) 28 9055 3306

M: +44 (0) 78 2732 5049

When we hear about a data breach we tend to think about cyber attacks, hackers, or malware. However, most data breaches stem from some form of human error.

This is particularly clear in light of the recent high-profile data breach incidents involving the Police Service of Northern Ireland (PSNI), where the personal details of 10,000 employees were inadvertently shared in response to an FOI request and a laptop was stolen containing the names of 200 officers and staff. These have underscored that even organisations with heightened security measures in place are susceptible to data breach incidents due to the weak link in the chain: human involvement.

As such, it makes sense for businesses to think about the potential implications of a data breach as well as actionable recommendations for managing the fallout.

 

THE IMPLICATIONS

Reputational Damage and Trust Erosion

Unauthorised disclosure of personal information can lead to an irreparable loss of trust among consumers and employees with a significant amount of organisations admitting to facing reputational damage due to data breaches suffered either by them directly, or their third-party service providers who had access to their personal data.

Security and Safety

A data breach can have profound implications for the security and safety of data subjects, potentially leading to identity theft, financial scams, or even physical harm, depending on the nature of the compromised information.

Legal Compliance, Regulatory Penalties & Litigation

A data breach within your organisation may trigger legal responsibilities under the UK General Data Protection Regulation (GDPR) or other data privacy regulations. Under GDPR, this can mean penalties or regulatory investigations, as well as legal action from impacted data subjects.

 

DATA SECURITY BREACH MANAGEMENT

Given the high stakes, and that ignoring a breach is not really an option, organisations should have a data breach response plan in place to enable them to respond to a data breach swiftly and effectively.

Here are a couple of steps that you will want to take if you become aware of a breach, that might help as a starting point for developing your own data breach response plan:

Assemble the Security Breach Team

All organisations should have a security breach management team, with primaries and deputies, drawn from across the organisation, including HR, IT and legal and compliance. The team should discuss their roles, and everyone needs to be clear about who is taking responsibility for what.

The team should run “fire drills” to ensure they can be alerted and can take appropriate steps, whenever a breach would occur. If a breach was detected on a weekend – would you be able to assemble the breach management team urgently?

Determine what Caused the Breach, and Stop It

When a breach occurs, the first step is figuring out what caused it and the potential harm it could bring.

Next, its crucial to act swiftly to halt the breach and prevent it from happening again, minimising any harm. If the ICO (the body responsible for supervising data protection matters in the UK) gets involved, they’ll want to see how you’ve addressed the breach and your plans to stay compliant moving forward.

Determine the ID of the Data Controller

The next step is to determine the identity of what is known as the “data controller” for the purposes of the breach. The data controller is the party that determines the purpose for, and manner in, which “personal data” (that’s data relating to living people) is processed – which may not always be obvious.

In some cases your organisation may process personal data for purposes determined by another organisation, e.g. where you provide hosting services, which makes you a “data processor” rather than a “data controller”.

There may be more than one data controller, particularly where shared services are involved.

Consider who to Notify

These could include:

  • The ICO: If you are a data controller of compromised data, you’re obligated to notify the ICO if a breach could jeopardise individuals’ rights or freedom, especially where sensitive personal or financial data is compromised, requiring notification without delay and in any case within 72 hours of awareness.
  • The Data Subjects: If you are a data controller, you must notify the breach to the individuals affected where a breach is likely to result in a high risk to their rights and freedoms. The threshold for communicating a breach to individuals is higher than for notifying the ICO. In practice, where notification to individuals is required, notification to the ICO will always be required.
  • The Public: The importance of a well-crafted communication strategy is evident in the PSNI’s response. Timely and transparent communication with stakeholders is paramount to managing the fallout.
  • Any Joint Controllers:Any joint data controllers of the personal data in question may also need to be notified depending on the context, as they could, in the first place, be jointly responsible for the breach.
  • Insurers:Notification of potential claims in a timely manner (often within strict time limits) may be an insurance policy requirement, given the potential legal implications of a breach. In other words, failure to notify of grounds for a future claim in time could invalidate your insurance cover.
  • The data Controller: If you are a data processor, you will be required to notify the relevant data controller, to whom you may be responsible for any breach.
  • Industry Specific Obligations: Companies in more heavily regulated sectors such as operators of essential services, telecoms providers, payment processing providers and so on may have separate notification obligations under the specific legislation applicable to them.
  • Your Lawyer: Securing legal expertise at the outset of managing a data breach is a proactive and crucial step towards ensuring compliance with regulations and minimising legal risks. Legal advisors possess the acumen to guide businesses through the intricate maze of notification procedures and potential liabilities, to help preserve and protect the organisation’s reputation and financial interests.

Find out Who’s Responsible

Finally, as lawyers are always keen on doing, you’ll want to find out who’s to blame for the breach, and decide what steps to take next.

External Breach

If the breach was caused by another data controller or data processor you’ll want to consider whether there are any written contract terms in place, and what right you might have to bring a claim under that contract.

If you don’t currently have written contract terms, this is something you will want to think about putting in place, as it is mandatory under the GDPR, and would be particularly important where the processing or sharing of data involved is particularly significant to your organisation.

Internal Breach

If it was an internal breach, it may be appropriate to review the actions of the responsible employees (if any) and decide whether disciplinary action is appropriate, considering the relevant staff policies to determine whether they have been breached (e.g. IT and security, data protection policies) as well as your staff contracts. You’ll also want to think about whether staff were given any training, and if not what training might be appropriate in future.

The PSNI’s data breaches serve as a cautionary tale for businesses navigating the complex landscape of data protection. By analysing the organisation’s response and its parallels to businesses’ challenges, we may derive crucial insights for crafting effective strategies and safeguarding reputation, trust, and legal compliance.

 

In a digital era, businesses must embrace a multidimensional approach that harmonises business strategies with legal considerations, proactively addressing threats while upholding their commitment to security, transparency, and resilience.

If you would like more advice on this or other privacy related issues please feel free to contact Andrew or another member of our privacy team.

While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.