2018 data hacks. Lessons businesses must learn

Over the last 12 months, cyber-attacks and data breaches have rarely been out of the headlines. And this is understandably causing concern for business owners, IT heads and security managers. Not least because, with the introduction of the GDPR and the Data Protection Act 2018, UK businesses now face a major expansion of liability claims.

Here are some of the most significant data leaks we have all been talking about this year, with some advice on the lessons to be learned.

Ticketmaster

In June 2018, Ticketmaster UK identified malicious software on a customer support product hosted by an external third-party supplier. Following the breach, Ticketmaster admitted that the data of thousands of UK customers had been accessed. This included a number of customers’ personal and financial details.

In this case, the situation was made worse for Ticketmaster after it was revealed that challenger bank Monzo had warned the company about a potential hack some two months previously. However, Ticketmaster dismissed the warnings and failed to act. This failure to address Monzo’s concerns demonstrates how cyber security must become an executive-level issue and be treated accordingly. Likewise, the Ticketmaster case highlights the importance of choosing the vendors you work with carefully. You simply must make security controls a key part of any service level agreement.

Equifax

The Equifax data breach might have started in 2017, but it continued to feature in the headlines throughout 2018. An ICO investigation, carried out in parallel with the Financial Conduct Authority, revealed multiple failures at the credit reference agency. And, as a result, Equifax has now been fined £500,000.

Equifax failed to properly update and patch its computer systems and, because of this, was unable to detect any vulnerability. Likewise, even when Equifax did discover the weakness in late June, access was not cut off until the very end of July.

So, following the data breach investigation, there are some vital lessons businesses across the UK need to learn to ensure they don’t meet a similar fate. Not least the need for comprehensive internal policies, regular penetration testing, prompt attention to updates and patches, on-going maintenance of cyber security systems, and swift response protocols.

British Airways

Initially, it was revealed that almost 400,000 British Airways customers had had their personal and bank/credit card details stolen in what was reported to be one of the most severe cyber-attacks in UK history. Worryingly, it took over two weeks before the data breach was detected by the airline. In response, questions were asked as to whether poor systems made this cyber-attack worse.

When investigating this case, a second data breach was also uncovered. In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. This included card numbers, expiry dates, and card verification value (CVV) numbers. And, a further 108,000 people had their personal details stolen.

One of the key takeaways from this data breach case is the need to keep your web platforms up-to-date. When the latest version is not in use, hackers can manipulate weak spots in the code to carry out malicious activities. Likewise, it’s vital to increase monitoring across websites and apps to defend against these types of attacks.

Facebook

Earlier this year, a whistle-blower revealed how Facebook data was illegally harvested and used to influence the US Presidential election. The violation occurred after Cambridge Analytica targeted users with political messaging after obtaining data from the social media platform. Questions were raised over whether this data was also used to influence the outcome of the Brexit referendum.

Again, the crucial takeaway here is that organisations must inspect third-party applications closely, analyse any integrations those applications have with their own data, and assess any potential implications for security.

Dixons Carphone

The Dixons (Carphone Warehouse) data breach took place in 2017 and resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores. The details stolen by cyber criminals include names, addresses, phone numbers, dates of birth, and email addresses, all of which can be used by cybercriminals to commit further crimes. The hackers also got access to the records of 5.9 million payment cards (nearly all of which were protected by chip and pin).

Again, while this case took place in 2017, the ramifications have continued into this year.

This Dixons Carphone breach underlines how vital it is that businesses arm themselves against threats. And the good news is that there are some simple steps that can reduce your exposure to attack.

For example:

  • Review your data and security processes. Once you know what you are dealing with, you can then document the controls you have in place and evaluate any potential risks
  • Establish where improvements are needed. By undertaking a review, it should be easy to see where improvements need to be made to comply with regulations and industry standards
  • Undertake training. Carry out training to ensure your staff are aware of how important data protection is. Particularly as, according to the Information Commissioner’s Office (ICO), accidental disclosure or human error is a leading cause of personal data breaches
  • Put robust reporting mechanisms in place. While a data hack is a massive blow to any company, the decision not to report cyber violations will only make matters worse.

If your business does become the victim of a cyber-attack, you will be held accountable for any failures in your processes and systems. So the more you can do to show that you take your data protection responsibilities seriously the better.

But don’t leave it until a breach occurs to protect your business. At Hayes Connor Law, we help companies, in-house legal teams and other organisations to meet their data protection obligations. Providing advice and support on compliance, data breaches, defamation and cybercrime, we have all the expertise and experience you need to reduce your exposure to risk.

Leading our field when it comes to understanding this often complex area of law, our expert, pragmatic legal advice ensures the highest quality outcome – both in terms of results and service delivered.

Morrisons case increases liability for employers

Supermarket Morrisons lost its appeal following a breach at the company which resulted in thousands of its employees’ details being posted online. The case is the first data leak group action in the UK.

For employers, this could lead to significant increases in liability when it comes to data breach cases.

What happened in this case?

In December 2017, in a landmark ruling, the High Court found Morrisons supermarket group liable for a mass data breach caused by the criminal actions of a rogue employee. In this case, the employee stole data from nearly 100,000 staff. This included names, addresses, salary and bank details. The information was then posted online and sent to newspapers. The media did not publish the data and Morrisons was informed of the breach. The employee was subsequently jailed for eight years.

Despite acknowledging that Morrisons had taken all the appropriate steps to prevent a breach, the High Court found that the company was primarily liable for its own acts and omissions (such as not ensuring the proper security measures to protect the data).

Crucially, the judge also ruled that Morrisons was “vicariously liable” for the actions of the employee, Skelton. In a workplace context, an employer can be vicariously liable for the actions of its employees, as long as it can be shown that those actions took place in the course of their employment.

The decision to hold Morrisons vicariously liable is important as it gives victims more opportunities to seek compensation following a data breach (companies are more likely to be insured against such liability than employees).

But the decision had even wider-reaching implications. Until this case, a person who suffered damage might have had their compensation increased to take into account any associated distress, but in most cases payment would not have been awarded for suffering alone. However, the ruling paved the way for those affected by data breaches to claim damages for distress, even if they have not experienced any financial loss. And that could be huge.

Morrisons went on to challenge the decision, but in October 2018, the Court of Appeal upheld the original ruling against the supermarket with three judges saying they agreed with the High Court’s earlier decision.

Where next?

Over the last 18 months, we have seen numerous examples of significant personal data loss. Many of these violations have been able to occur due to weaknesses contained in companies’ IT software.

As the move towards a cashless society accelerates, this trend will continue as retailers and other businesses seek quicker and slicker interfaces with their consumers, both at the point of sale and throughout the customer journey.

In the case of Morrisons, significant steps were taken to protect data, but those steps failed. In this instance, the data was lost at the hands of the employee turned hacker. However, data is also at threat simply due to careless employees going about their day-to-day business.

The latest ruling is the tip of a very large iceberg. Mass data breach actions are also being made against Ticketmaster and British Airways among others. Such actions, when properly prepared and investigated, will have significant financial consequences in terms of damages and costs.

Data breaches on a large scale are a real and pressing threat. In response, the clear and overwhelming view of the Court of Appeal is that such events must be foreseen by companies, and insured against.

The reaction of the insurers to such events, their provision of cyber cover and premium costs is now under the spotlight. Indeed, we predict a situation where the volume of exclusions to policies will increase.

Companies must now protect themselves better from data loss. But they also need to be extremely vigilant as to the activities and errors of their employees to be afforded the cover they pay for, or think they pay for.

Morrisons has now said that it will take its fight to the Supreme Court. But if the decision is upheld, the case will have widespread repercussions for employers. Not least because the interpretation of vicarious liability could leave them open to an unprecedented level of legal action. How businesses mitigate against this increased risk profile remains to be seen.

At Hayes Connor Law, we help to keep you compliant with robust policies and procedures.

For bespoke advice that is cost-effective, confidential, and appropriate to your business, contact us today.

Transfer of personal data outside of the EU? Here’s what your business needs to know

The new General Data Protection Regulation (GDPR) applies to all organisations that control and process data in the European Union (EU).

And, because people risk losing the protection of the GDPR if their sensitive data moves beyond this political and economic area, GDPR restricts the transfer of personal data to countries or international organisations that are not in the EU.

So, if your business has to transfer data outside of the EU, you must ensure that it is protected in another way.

When you’re running a business, the last thing you want to think about is the possibility of things going wrong. But the right preparation won’t just reduce the likelihood of data breaches occurring; it will also limit the fallout should the worst happen.

The Information Commissioner has recently supplied some updated guidance on international data transfers. And, at Hayes Connor Law, our data protection solicitors have pulled together the key points you must consider to ensure your business remains compliant if it operates beyond the EU.

What is a restricted transfer of personal data?

When personal data is transferred outside of the EU, safeguards are needed to ensure that the protection afforded by the GDPR travels with the data.

These restrictions apply to all transfers, no matter how small the transfer is or how often you carry such transfers out.

However, if personal data is electronically routed through a non-EU country, but the transfer is from one EU country to another, then it is not a restricted transfer.

Easy ways to make a restricted transfer of personal data

If you need to make a restricted transfer, consider whether you can do so without any personal data. For example, if you can anonymise the data so that it is impossible to identify individuals (even when combined with other information), the restrictions do not apply.

If you can’t anonymise your data, check whether the EU has confirmed that the country you are transferring it to offers an adequate level of data protection. If it has, you can make the transfer. You can see the latest list of all countries which have an adequacy finding here.

Restricted transfer of personal data safeguards

If the EU has not deemed the country to be adequate in respect of data protection, you can still make the transfer if you put ‘appropriate safeguards’ in place. Advice from expert data protection solicitors is strongly recommended to keep you on the right side of the law.

According to the Information Commissioner’s Office (ICO), these safeguards include:

  • A legally binding and enforceable contract between public authorities. You can make a restricted transfer if BOTH parties are a public authority or body. Both parties must also have signed a legally binding and enforceable document which includes enforceable rights and effective remedies for those individuals whose personal data is being transferred. For public bodies that cannot enter into legally binding and enforceable arrangements, an administrative arrangement which includes enforceable and effective individual rights can be used instead.
  • Binding corporate rules. You can make a restricted transfer if both parties have signed up to binding corporate rules (BCRs). An internal code of conduct for multinational groups, BCRs allow for restricted transfers of personal data outside of the EU. Franchises and joint ventures can also use BCRs. Legal advice is strongly recommended to ensure all BCRs are compliant and approved by the relevant EU supervisory authority (where necessary).
  • Standard data protection clauses. Your business can make a restricted transfer if both parties have entered into a contract incorporating standard data protection clauses adopted by the European Commission. These clauses contain contractual obligations on the data exporter and importer, and set out rights for the individuals whose personal data is transferred. However, knowing which clauses are acceptable can be complicated and expert legal advice from data protection solicitors is strongly recommended.
  • An approved code of conduct. You can make a restricted transfer if the receiver has signed up to a code of conduct which has been approved by a supervisory authority. The code of conduct must include robust safeguards to protect the rights of those individuals whose personal data is being transferred, and these rights must be enforceable.
  • Certification. You can make a restricted transfer if the receiver has achieved certification by a scheme approved by a supervisory authority. The certification scheme must include robust safeguards to protect the rights of those individuals whose personal data is being transferred, and these rights must be enforceable.

You can find out more about all the available safeguards on the ICO website.

What if proper safeguards do not cover the restricted transfer?

If the necessary safeguards do not cover the restricted transfer, you might be able to use an approved exception.

Exceptions include where:

  • The individual has given their explicit consent to the restricted transfer
  • The transfer is necessary for you to perform a contract between you and the individual
  • You have (or are entering into) a contract with an individual which benefits another individual (and their data is being transferred)
  • You need to make the transfer for important reasons of public interest
  • You need to make the transfer to establish if you have a legal claim, to make a legal claim or to defend a legal claim
  • You need to make a restricted transfer to protect the vital interests of an individual who is physically or legally incapable of giving consent
  • You are making the restricted transfer from a public register
  • You are making a one-off restricted transfer and it is in your compelling legitimate interests.

In most of these circumstances, the transfer must be necessary, and the exception cannot be used regularly. You may also need to inform the relevant individual (and the ICO) about the transfer in advance.

As such, it is vital to ensure proper legal advice from data protection solicitors to keep you compliant and avoid data protection breaches.

Expert legal advice is crucial

Should you need legal advice or assistance in this area, please contact the Hayes Connor Law data protection team.

Our data protection and defence solicitors have a wealth of experience in this relatively new and continually evolving field, so we understand the complexities involved. As such, we can help you with a wide range of advice and legal support. Our process is fully compliant with ICO guidance, and we never put your details at risk.


What to do if your business data has been breached

Could you be entitled to business data loss compensation?

Your company’s confidential data is one of its most valuable assets. Customer information databases, IP, trademarks, etc. all help to give a competitive edge and can be the difference between success and failure.

The good news is that data protection does not just apply to individuals and consumers. Businesses have rights too, and as such, where a mistake or other breach has occurred, companies can make a business data breach claim for compensation.

How to protect your business data

Businesses can protect themselves and their assets in a number of different ways, and prevention is always better than cure. So, if you are entrusting your valuable data to a third party, it always pays to make sure that they have adequate processes in place. At the very least this should include:

  • Secure firewalls
  • Anti-virus and anti-malware software
  • Regular and robust backup processes
  • A process for updating operating systems on a regular basis
  • Processes that prevent staff members from sharing passwords
  • Reliable encryption
  • Processes to remove outdated info
  • Processes to identify and record what personal data is held and stored by the business
  • Compliance with Information Commissioner’s Office (ICO) guidance.

Of course, your own business should also adopt best practices when it comes to the above.

What to do if a trusted partner causes a data breach

What happens if a bank, financial institution or a trusted professional adviser of the business loses confidential data such as bank statements or financial material relating to the business?

Just like an individual, your business can pursue a claim for damages against the party who has either deliberately or negligently breached your confidential data.

Due to the consequences of losing such information, the level of damages that may be awarded is likely to be substantial. Not just for the breach itself, but also to include the consequential damages and losses suffered by the business as a result.

How to protect your data against rogue employees

“87% of employees take sensitive data with them when they leave a company, whether voluntarily or involuntarily.”

As well as protecting your business against external threats, you should also do everything you can to protect yourself from internal ones. This includes:

  • Making sure you have robust security systems in place to prevent data theft
  • Establishing monitoring processes to detect a data theft
  • Ensuring restrictive covenants are written into staff contracts. These prevent staff from sharing sensitive information once they have left your employ
  • Ensuring adequate policies are in place to deal with issues such as social media use
  • Ensuring these policies are communicated to employees.

However, stealing personal information is a crime, so if a disgruntled or former employee steals and then sells or misuses sensitive commercial information to obtain a financial benefit for themselves, or to provide a commercial advantage to a competitor, you can refer the matter to the police. You also have the right to criminally prosecute the individual in question.

In addition, where a theft has occurred you have the power to obtain injunctions to prevent the material being used or disclosed in the first instance, and thereafter you can apply to seize and obtain any financial benefits or rewards the employee or the competitor has achieved with the use of the information that was stolen.

If your business has suffered a data breach due to the negligence or illegality of others, contact Hayes Connor Law. We will help you to achieve the maximum amount of compensation in the minimum amount of time.

ICO provides new data protection self-assessment checklist for sole traders

The ICO has created a checklist to help sole traders and the self-employed assess their compliance with new data protection laws. The list is designed to improve understanding of data protection laws (the GDPR), while assisting sole traders to keep people’s personal data secure. It also includes practical suggestions on how to stay in line with the law.

The checklist forms part of a more substantial range of data protection resources which are available on the ICO’s website.

Commenting on the guidance, the ICO’s Head of Assurance, Anulka Clarke, said: “We are committed to helping sole traders and those who are self-employed to navigate data protection law and improve their practices. Handling personal data correctly can add value to businesses and enhance reputation, as it increases public trust.”

Questions asked include:

  1. Do you have a record of what personal data you hold? Do you know what you use it for?
  2. Do people know you have their personal data and understand how you use it?
  3. Do you only collect the personal data you need?
  4. Do you only keep personal data for as long as it is needed?
  5. Do you keep personal data accurate and up to date?
  6. Do you keep personal data secure?
  7. Do you have a way for people to exercise their rights regarding the personal data you hold about them?
  8. Do you and your staff (if you have any) know your data protection responsibilities?

More information is provided on each of these points.

Once the checklist is completed, sole traders are presented with their overall data protection rating, as well as any suggested actions to help improve this.

Sole traders and small businesses are also advised that they can contact the dedicated ICO helpline and talk to staff who can offer further support.

Bespoke data protection advice for businesses


At Hayes Connor Law, we have all the expertise and experience needed to reduce your exposure to risk. Helping you meet your data protection requirements, and keeping you safe from breaches, we ensure your policies and procedures are compliant.

If a breach has already happened, we can also help you to put forward a robust defence and stop the situation from escalating.


Data breach reporting: what does your business need to know?

There has been a substantial increase in the number of self-reported data breaches. That’s according to the Information Commissioner’s Office (ICO). In its annual report for 2017/18, the ICO reveals that there has been a 30% rise in self-reporting.

Are data breaches on the rise?

Yes. In fact, as well as the rise in self-reported breaches, the ICO also reports a significant increase in data protection complaints (up 15%).

But, as well as growth in cybercrime and negligence, the rise in self-reporting could be down to companies getting ready for new regulations; with rules which mean it is now mandatory to report data breaches. As such, it is anticipated that the 2018/19 report will show an even greater rise.

Data breach reporting before GDPR

Before the introduction of the General Data Protection Regulation (GDPR), there was no legal requirement for organisations to self-report data breaches (although it was encouraged).

However, certain public bodies were required to self-report serious breaches.

Therefore, it’s no wonder that the health sector was the leading area for self-reports in 2017/18 (36%), with education second (11%). That areas which have to report data breaches are far more likely to do so isn’t really a surprise.

What is interesting is that in 60% of cases there was no action for the reporting data controller. What’s more, where action was required, a monetary penalty was only pursued in 0.3% of cases. But, with data breaches now big news, it is unlikely that the ICO will continue to act softly where companies fail in their data protection obligations.

Data breach reporting after GDPR

Today, GDPR has transformed the data protection landscape. Not only are there greater obligations on companies to keep data safe, but there are also increased responsibilities when it comes to reporting breaches. And, of course, potentially huge fines for non-compliance.

Today, UK businesses must self-report data breaches to the ICO unless the breach “is unlikely to result in a risk to the rights and freedoms of natural persons”. However, establishing what type of breach is unlikely to result in such a risk isn’t easy. Particularly where immediate decisions are needed, because a breach must be reported without undue delay and, where feasible, not later than 72 hours after it is discovered.

How can business owners keep on the right side of the law without exposing themselves to unnecessary investigations? Particularly as the ICO has not yet published specific guidance on reporting.

Data protection solicitors

To ensure that businesses meet their obligations under GDPR, it is vital that proper processes and reporting mechanisms are in place to prevent a manageable situation escalating into a data breach nightmare. And this should happen before a breach occurs.

At Hayes Connor Law, we have all the expertise and experience needed to reduce your exposure to risk. Helping you meet your data protection requirements, and keeping you safe from breaches, we ensure your policies and procedures are compliant. And, should a data breach occur, we offer expert advice on reporting, as well as providing a robust legal response and defence, so you come out of any crisis with your reputation, business and financial status intact.

As well as advising you on when to report and when not to report, our data protection solicitors can also help you to establish compliant processes for responding to data breaches made against your business.

With a stark rise in data breaches and cybercrime, the question of whether a breach must be reported will almost certainly become something your business has to face at some point. And it’s important not to get the decision wrong if you want to avoid further action by the ICO.

Should you need legal advice or assistance in this area, please contact the Hayes Connor Law data protection team.

Our data breach defence solicitors have a wealth of experience in this relatively new and continually evolving field, so we understand the complexities involved. As such, we can help you with a wide range of advice and legal support. Our process is fully compliant with ICO guidance, and we never put your details at risk.


Data protection complaints increase by almost 50% in three months

According to the Information Commissioner’s Office (ICO), the number of reported data protection complaints has almost doubled since April this year. The increase in data breach complaints has happened since the introduction of the GDPR on May 25th.

The stats show that:

  • 4,214 data protection complaints were made in July
  • 3,098 data protection complaints were made in June
  • 2,310 data protection complaints made in May
  • 2,165 complaints were made in April.

In total, there were 957 reported data security incidents in Q4 2018. Common causes for these data violations include:

  • Data sent to the wrong recipient
  • Loss or theft of paperwork
  • Failure to redact data
  • Failure to use bcc when sending an email.

Worryingly, reported cybersecurity incidents also increased by 31% over the same period. Overall, general business, education and local government were the sectors with the most reported data breaches (the figures exclude the health sector).

A rise in data breach awareness

The stats indicate that more and more people are becoming aware of their data protection rights. This makes sense as there have been many high-profile data protection scandals over the last few months.

With strict new penalties for data breaches, this rise in data protection complaints should be taken as a stark warning for any business that hasn’t yet put adequate data security policies and processes in place.

The GDPR requires any company that suffers a data breach to notify its users within 72 hours of the breach first being discovered, and, according to the ICO, there has also been a 30% rise in self-reporting. Find out more about data breach reporting and what your business needs to know.

Commenting on the changes since the introduction of the GDPR, a spokeswoman for the ICO said: “It’s early days and we will collate, analyse and publish official statistics in due course. But generally, as anticipated, we have seen a rise in personal data breach reports from organisations.

“Complaints relating to data protection issues are also up and, as more people become aware of their individual rights, we are expecting the number of complaints to the ICO to increase too.”


What businesses need to learn following the Equifax data breach

The investigation by the Financial Conduct Authority (FCA) into the Equifax data hack is now drawing to a close. The investigation came after Equifax failed to fix a security flaw in one of its online systems. This resulted in hackers accessing the personal details of millions of people in the UK and US.

Following the data breach, there are some vital lessons businesses across the UK need to learn to ensure they don’t meet a similar fate.

Cybercrime is increasing. So you have to protect your business

UK businesses are not doing enough to prevent cyber-attacks, often because they don’t think it will happen to them. But, according to figures published by the government, the UK’s 5.4 million small businesses are collectively attacked more than seven million times a year. What’s more, cybercrime costs the UK economy a whopping £5.26bn[1], with around 66% of small businesses having been a victim of cybercrime in the last two years.

Over the last few years, mobile phone networks, tech firms, retailers and banks have all hit the headlines due to criminal activity that led to data security breaches. In many cases, these offences were made possible by poor IT and data management practices. And if you are found to be responsible, then under the GDPR you could face regulatory fines as well as compensation claims which, depending on the size and scope of the breach, can run to millions of pounds.

The good news is, if you are aware of the dangers facing you, there are some simple steps you can take to prevent attacks.

You must review your data and security processes

Review the personal and sensitive data you hold, and all the steps involved in processing it. Once you know what you are dealing with, you can then document the controls you have in place and evaluate any potential risks.

By undertaking a review, it should be easy to see where improvements need to be made to comply with regulations and industry standards. You should also consider training to ensure your staff are aware of how important data protection is. Particularly as, according to the Information Commissioner’s Office (ICO), accidental disclosure or human error is a leading cause of personal data breaches.

If your business does become the victim of a cyber-attack, you will be held accountable for any failures in your processes and systems. So the more you can do to show that you take your data protection responsibilities seriously the better.

You could be liable for data breach compensation as well as fines

The Equifax fine is expected to be significant. But while fines are intended to ensure businesses do more to uphold their obligations, this isn’t the only financial penalty companies face. For example, with millions of people affected by the breach, Equifax is also facing a group-action compensation claim.

So, while you might think the cost of ensuring your business keeps your data safe is too high, the financial impact of not doing anything could be devastating.

Robust reporting mechanisms are crucial

While the Equifax data hack was a massive blow to the company, the decision to wait some six weeks before reporting the cyber raid only made matters worse.

In fact, not only did Equifax fail to come clean straight away about the scale of the breach, but a former Equifax executive also sold his shares in the company before the news of the hack went public. Earning roughly $1 million in the process, the executive was set to profit at the expense of millions of customers. He has since been charged with insider trading, but his actions don’t reflect well on the business.

Early reporting is now mandatory under the GDPR: a notifiable breach must be reported to the ICO without undue delay and, where feasible, not later than 72 hours after you become aware of it, and failing to do so will only make matters worse. Businesses do, however, have some discretion: a breach need not be reported to the ICO if it “is unlikely to result in a risk to the rights and freedoms of natural persons”. But how can you establish which breaches are unlikely to result in such a risk and keep on the right side of the law?

At Hayes Connor Law, as well as advising you on when to report and when not to report, we can also help you to establish compliant processes for responding to data breaches made against your business.

Find out more about data breach reporting.

Expert advice is vital before a breach occurs

Don’t leave it until a breach occurs to protect your business. At Hayes Connor Law, we help companies, in-house legal teams and other organisations to meet their data protection obligations. Providing advice and support on compliance, data breaches, defamation and cybercrime, we have all the expertise and experience you need to reduce your exposure to risk.

Leading our field when it comes to understanding this often complex area of law, our expert, pragmatic legal advice ensures the highest quality outcome – both in terms of results and service delivered.

Find out more about our data breach defence services.

Expert advice is vital if you are the victim of cybercrime

Prevention is better than cure, but where a data breach does occur, how you respond to it could impact any action taken against you by the ICO or any other regulatory bodies.

If a data breach has occurred at your organisation because of a cyber-attack, Hayes Connor Law can help you put forward a robust legal response and defence. Ultimately, we help you come out of any crisis with your reputation, business and financial status intact.

We have considerable expertise and experience in dealing with Information Commissioner’s Office (ICO) investigations, group actions and private claims, and can help you to avoid severe penalties such as substantial fines. In many cases, where a breach has occurred that was your fault, we can secure an out-of-court settlement of any compensation claims to resolve the matter as quickly and cost-effectively as possible.

We counsel clients on appropriate incident management, and everything we do is aimed at mitigating your legal liability as far as possible.

Find out more about our cybercrime defence services.

Drawing on over 50 years of experience in the claims sector, we put your best interests at the heart of everything we do. Our process is fully compliant with ICO guidance, and we never put your details at risk.

We also remove the jargon from the process and make sure you always know what’s happening with your case.

For bespoke advice that is cost-effective, confidential, and appropriate to your business, contact us today.

[1] Federation of Small Businesses