GDPR Update - hefty fines issued, but only for very serious cases
On 8 July 2019, the UK's data protection authority, the ICO, issued a notice of intention to fine British Airways £183 million in relation to a cyber incident the airline had notified to it in September 2018. The incident involved user traffic to British Airways' website being diverted to a fraudulent site, allowing customer details to be harvested by the attackers. Personal information, including credit card details, was compromised as a result of poor security arrangements.
The following day, the ICO confirmed its intention to fine Marriott International £99 million, again in relation to a cyber incident notified to it by the hotel chain in November 2018. This arose from a variety of personal data within 339 million guest records globally being exposed. The compromise began in the systems of the Starwood hotels group in 2014; Marriott acquired Starwood in 2016 but did not discover the exposure until 2018. The ICO stated that its investigation found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems on acquisition. This is a clear warning of the importance of proper due diligence when acquiring a business: not only assessing what personal data is being acquired, but also how it is currently being protected.
These huge fines attracted headlines across the EU, but there is a need for perspective here. The ICO’s review of the first year of the GDPR makes very clear that GDPR compliance is not primarily about big fines and that the EU’s data protection authorities will continue to focus mainly on supporting organisations to comply with the law and providing advice to them.
For example, the review noted that of 14,000 personal data breach notifications received by the ICO from organisations, the ICO closed over 12,000 of those cases. Of these, only 17.5% required any action by the organisation and less than 0.5% of these led to either an improvement plan or a fine. An example was given of a nursery which had reported itself after producing Father's Day cards with photos of each child, to be taken home by the child in question. There had been two children at the nursery with the same name and somehow staff had mixed up the photos, each child taking home a card with a photo of the other child. The ICO noted dryly that not only was no action required but that the breach was not reportable, given it was unlikely that any individual's right or freedoms were impacted by the wrong photo being included.
In another case, where formal action was taken by the ICO, an organisation had disclosed personal data to incorrect recipients, arising from staff not following established policies and procedures. The ICO required that certain steps be taken by the employer, including that all staff attend mandatory training and that policies and procedures be complied with and reiterated to staff on a regular basis.
As for when the powers to issue a monetary penalty might be used, the ICO has made clear its commitment to target organisations and individuals suspected of repeated or wilful misconduct or serious failures. There will also be a focus on breaches involving highly sensitive information or adversely affecting large groups of individuals or those impacting vulnerable individuals.
As such, from an HR perspective, and given that staff are so often the weak link in personal data security, it is vital to minimise the sensitive information held where possible, to ensure it is always appropriately secured, and above all to carry out staff training that supports a robust culture of data protection.
While it seems clear from this review that a pragmatic approach is being taken to the use of formal enforcement powers, there is of course no room for complacency. The review notes that the greater awareness of individual rights has inevitably seen a significant impact on the number of concerns raised by the public to the ICO. In the period from 25 May 2018 to 1 May 2019, their office received over 41,000 data protection concerns from members of the public, a huge increase from around 21,000 the previous year.
Of the concerns raised, 38% related to subject access requests, with this remaining the most frequent complaint category by far. The message seems to be that employers should assume that employees and other individuals are unlikely to hesitate in reporting issues if they believe their rights are not being complied with.
While the above decisions and comments relate specifically to the ICO in the UK, these have EU-wide relevance, as all national Data Protection Authorities across the EU are working to adopt similar approaches to GDPR compliance.
Managing A Data Breach
It’s a sad reality that some form of security or data breach, hopefully with limited consequences, is likely to be faced by most businesses at some time. So, are you clear about what to do if the worst happens?
Here are some practical suggestions on what to do after a breach:
Step 1 – understand what has happened
If you believe you have suffered a breach, the first thing to determine is what has actually occurred. For example:
If the breach is internal, promoting honesty in this situation is the best policy. Mistakes happen. Your IT team or external adviser will be much better equipped to deal with the situation if they have a clear idea of how the breach occurred and the route taken.
If the breach is outside of your organisation and direct control, perhaps where a third party holds your data, look to that organisation to provide exact details.
Step 2 – carry out an impact assessment
The next step is determining the impact of the breach. If credentials have been compromised, change passwords quickly, use strong passwords and enable multi-factor authentication if you have not already.
If you are staring at a ransom note, with encrypted files on your network, your only realistic recourse is likely to be restoring from backups.
Has any personal data been compromised? Your GDPR policy should already set out the steps to take if you find that customer data has been compromised. If you process the data on behalf of a controller (e.g. the RMC or other corporate client), you will be obliged to notify the breach to that controller without undue delay and, depending on the level of risk, you may also have to report to your Data Protection Authority (where feasible, within 72 hours of becoming aware of the breach) and to the affected individuals.
Step 3 – respond quickly
Once you understand the impact and scale of the breach, urgent action is required to minimise the consequences.
Change authentication credentials and ensure strong password policies are in place. Enable multi-factor authentication on your own systems. If your data is held by a third party, they too should be using multi-factor authentication.
If you are in a data recovery situation, time is of the essence to minimise downtime and lost work. Your backup is a critical part of your cybersecurity policy, so ensure you have a system in place that takes regular “snapshots” of your data, with off-site or alternative cloud data storage.
In some cases, hackers will disable backups before encrypting files. Ensure your backup systems are protected with separate credentials, and ideally within a segregated network.
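To make the backup advice above concrete, here is an added example in Python; it is not from the original article. It records a SHA-256 manifest of a backup snapshot, seals the manifest with an HMAC whose key is assumed to live only on the backup host (the "separate credentials" point, so an attacker on the production side cannot quietly rewrite the manifest), and later verifies a snapshot against it, flagging deleted files and files whose contents have changed to high-entropy data, which is what files look like after ransomware encrypts them. All file names, contents, the key and the simulated "ransomware" keystream are constructed for the demonstration.

```python
"""Backup snapshot integrity check (added example, not part of the original article).

Build a SHA-256 manifest of a snapshot, seal it with an HMAC key held only on the
backup host, then verify a later copy of the snapshot against the sealed manifest.
"""
import hashlib
import hmac
import json
import math
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample content standing in for an HR file share.
SAMPLE_TEXT = b"Quarterly payroll export, constructed sample data for the example.\n" * 64


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution; encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: dict, key: bytes) -> bytes:
    """Serialise the manifest and attach an HMAC-SHA256 tag computed with the backup-host key."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": body.decode(), "hmac": tag}).encode()


def open_manifest(sealed: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting the manifest; a rewritten manifest fails here."""
    outer = json.loads(sealed)
    body = outer["manifest"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["hmac"]):
        raise ValueError("manifest integrity check failed: tampered or wrong key")
    return json.loads(body)


def verify_snapshot(root: Path, manifest: dict, entropy_threshold: float = 7.0) -> dict:
    """Report files missing from the snapshot, files whose hash changed, and changed
    files whose new content is high-entropy (a common sign of ransomware encryption)."""
    missing, modified, suspicious = [], [], []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
            continue
        if sha256_file(p) != expected:
            modified.append(rel)
            if shannon_entropy(p.read_bytes()) >= entropy_threshold:
                suspicious.append(rel)
    return {"missing": missing, "modified": modified, "suspicious": suspicious,
            "ok": not (missing or modified)}


def demo() -> dict:
    """Seal a clean snapshot, then simulate ransomware and a manifest rewrite."""
    key = b"constructed-demo-key-kept-only-on-backup-host"  # assumption: never on production hosts
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp) / "snapshot"
        (snap / "hr").mkdir(parents=True)
        (snap / "hr" / "payroll.csv").write_bytes(SAMPLE_TEXT)
        (snap / "hr" / "contracts.txt").write_bytes(SAMPLE_TEXT[:1000])
        (snap / "readme.txt").write_bytes(b"Backup of HR share, constructed.\n")
        sealed = seal_manifest(build_manifest(snap), key)
        clean = verify_snapshot(snap, open_manifest(sealed, key))

        # Simulated ransomware: XOR one file with a SHA-256 keystream, delete another.
        blocks = len(SAMPLE_TEXT) // 32 + 1
        keystream = b"".join(hashlib.sha256(b"ransom" + i.to_bytes(4, "big")).digest()
                             for i in range(blocks))
        (snap / "hr" / "payroll.csv").write_bytes(bytes(a ^ b for a, b in zip(SAMPLE_TEXT, keystream)))
        (snap / "readme.txt").unlink()
        damaged = verify_snapshot(snap, open_manifest(sealed, key))

        # Attacker rewrites the manifest to match the damaged files but lacks the key.
        outer = json.loads(sealed)
        outer["manifest"] = json.dumps(build_manifest(snap), sort_keys=True)
        try:
            open_manifest(json.dumps(outer).encode(), key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"clean_ok": clean["ok"], "damaged": damaged, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The entropy threshold of 7.0 bits per byte is an assumption for the demo: plain text and most office documents sit well below it, while encrypted or compressed content sits close to 8.0, so already-compressed archives in a real backup will need to be whitelisted or compared by hash alone.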
There are numerous products and services that can help reduce the risks of a breach: breach detection, regular penetration tests and vulnerability scanning, and of course, staff training.
According to the Ponemon Institute’s “2018 Cost of a Data Breach” Study, cyber breaches take an average of 197 days to be discovered. That is a frightening statistic!
Your Employees’ Rights To Privacy
A recent decision of the European Court of Human Rights (ECHR) considered the tricky balancing act between an employer’s rights to manage their business effectively and an employee’s privacy rights.
The basic facts were not in dispute:
Mr Garamukanwa had been in a relationship with a colleague, Ms Maclean. Shortly afterwards Ms Maclean raised concerns with her manager about emails Mr Garamukanwa had sent to her and other employees alleging she was having a relationship with another junior member of staff. The manager warned Mr Garamukanwa that his behaviour was inappropriate.
About 9 months later Mr Garamukanwa was suspended when the police informed the employer that they were investigating claims by Ms Maclean that he had been stalking and harassing her and sending anonymous malicious emails to other employees. After an investigation and disciplinary process Mr Garamukanwa was dismissed for gross misconduct. In coming to the decision to dismiss, the employer had relied heavily upon photographs that had been stored on Mr Garamukanwa's iPhone (that had been passed to them by the police) as well as emails and WhatsApp messages. Some of the emails were sent to colleagues' work email addresses. He had also provided the disciplinary panel with private communications between himself and Ms Maclean that were of an intimate nature.
Mr Garamukanwa unsuccessfully brought claims including unfair dismissal before his national courts. He argued that using the material on the iPhone was a breach of Article 8 of the European Convention on Human Rights - his right to privacy. Mr Garamukanwa said he had reasonably expected the material on his phone would remain private but the courts did not accept that.
He then brought proceedings in the ECHR, in Strasbourg, arguing that the domestic courts' decisions upholding the dismissal had constituted a breach of his right to privacy. In the circumstances, the ECHR held that Mr Garamukanwa could not reasonably have expected that any of the material or communications before the disciplinary panel would remain private.
While this case came down in favour of the employer, businesses should still be cautious when it comes to relying on private material in a disciplinary process. Each case will turn on its own facts, and it is also clear from earlier ECHR cases (including the leading case of Barbulescu v Romania) that emails sent from an employer's computer can be covered by the concepts of private life and correspondence. Mr Garamukanwa's case shows the importance of putting an employee on notice at an early stage that allegations of misconduct have been made against them: the warning given to Mr Garamukanwa about his inappropriate behaviour was critical to the final decision in favour of the employer.
Is Your Key Employee a Future Competitor?
We all hope that we will never need to enforce a restrictive covenant (sometimes called “post-termination restrictions”) against a highly-valued, key employee. But all too frequently a good relationship turns sour when the employee starts thinking about moving on. It then becomes important to have legally enforceable restrictions in place, restricting the (former) employee’s ability to become your biggest competitor overnight.
These issues arose in the recent UK case of Argus Media v Halim.
Mr Mounir Halim set up a company, Afiqom FZ LLC, in the latter days of his employment with Argus Media. Both companies were Price Reporting Agencies, reporting on the same kind of products in the same market. Mr Halim had become unhappy in his work for Argus and took preparatory steps to set up his business prior to resigning from his employment. This included the transfer of a large amount of Argus documents to his iCloud account and seeking to consolidate his relationship with key Argus clients and contacts. While on garden leave Mr Halim undertook work for Afiqom.
In court, Argus sought to a) enforce the post-termination restrictions in Mr Halim's employment contract, b) prevent him from misusing its confidential information and c) deprive him of the "unlawful head-start" he had obtained prior to the termination of his employment.
Mr Halim denied that his business was in competition with Argus, argued that the restrictions were too wide in scope and duration to be enforceable and that his steps to set up Afiqom were no more than legitimate preparatory steps, and contended that he had, in any event, been discharged from the restrictions because Argus had breached his contract by reading personal emails in his work inbox.
The Court decided that Mr Halim's actions were in breach of his duty of fidelity and confidence and that he had breached his post termination restrictions.
The argument around the status of "private" emails was interesting. Mr Halim had signed up to an Electronic Information and Communications Policy which gave Argus the right to access and inspect, without notice to the employee, any materials created, sent, received or accessed using Argus's IT systems. Argus was also entitled to monitor or review the use of its IT systems to investigate breaches of contract. The Court found the actions of Argus in reviewing the emails to be in line with its authority under the policy, and not an illegitimate interference with the Article 8 ECHR (European Convention on Human Rights) right to respect for private and family life. The emails considered by Argus, although between him and his wife, were not personal conversations but related to his work.
A real sting in the tail for Mr Halim was a court order to pay 90% of his employer's legal bill. Argus had filed a costs budget of just over £688,000 meaning that Mr Halim may well be facing a bill of over half a million, not including his own legal fees.
This decision is good news for employers, but be aware that these cases assessing the enforceability of restrictive covenants always turn on their own particular facts. One takeaway from this case is the importance of good drafting of employment contracts and IT policies. The case also highlights the potential cost implications of taking a weak case to court!
No More Kylie Concerts For Corporate Clients!
Kylie Minogue and Beyoncé concerts will no longer be on offer to clients of global accountancy firm, BDO, after the firm handed back its box at the O2 concert arena in London amid growing scrutiny of corporate hospitality practices in the financial sector.
The wining and dining of existing and potential clients has been sharply curtailed after the UK’s audit watchdog introduced ethical standards that required firms not to give gifts or indulge in hospitality spending “unless trivial or inconsequential”.
The strict guidelines apply only to accountants’ audit clients, but BDO has taken the approach to restrict any spending that might “fail the smell test” for all its clients. The firm has set a maximum entertainment limit of £150 per head. Earlier this year, the Big Four accountancy firms were forced to disclose their maximum entertainment budgets for audit clients. PWC’s is the lowest at £20, while KPMG permits £200, EY £175 and Deloitte permits a spend of £150 per head.
One sure-fire method of avoiding any accusation of “excessive entertainment” is to confine your entertaining to low-profile, local events. For example, I would definitely be on the right side of the law if I took a client to see my local football team, Hibernian. On the other hand, the strong likelihood of dismal entertainment may cost me the client! I recommend that you stick with Kylie!!