Out-Law News | 02 Jun 2014 | 11:32 am | 5 min. read
Information law expert Diane Mullenex of Pinsent Masons, the law firm behind Out-Law.com, said that businesses are becoming much more aware of their need to protect consumers' personal data because of the implications for them should they suffer a data breach.
"At the end of the day it boils down to how much companies want their customers to trust in their services and the security of the data they provide for using those services," Mullenex said. "A data breach incident can seriously undermine a business's brand and its reputation in the eyes of consumers. Businesses know that if there is a lack of trust in their systems then consumers will drift to rival providers, of which there is an increasing number because of the global nature of the internet."
Recently the UK's Information Commissioner Christopher Graham admitted that the reputational damage businesses can suffer if they fall victim to a data breach hits those companies harder than an order by a data protection authority to pay a fine over such an incident.
Paris-based Mullenex said Graham's admission was not surprising.
"The Information Commissioner can issue penalties of up to £500,000 for serious breaches of UK data protection laws," she said. "In France, the Commission nationale de l'informatique et des libertés (CNIL) can issue fines of up to €150,000 against first time offenders or up to €300,000 against businesses that have breached data protection laws on more than one occasion. For many organisations fines of that size are significant, but the costs of a data breach incident to a business can be far greater."
Mullenex said that businesses can incur costs from patching security vulnerabilities identified following a breach, complying with administrative and regulatory requirements, managing the notification of incidents to the public, setting up credit monitoring services for affected users and, ultimately, losing customers.
The expert said that whilst many larger businesses are equipped to protect against data breaches and handle incidents when they occur, many smaller enterprises lack the means to install the same level of security measures to protect customer data.
She said that the increasing importance of privacy in the internet age and the potential damage to business brands should things go wrong had prompted an upsurge in the number of cyber crime and data loss insurance policies being taken out by businesses.
"Businesses are attracted to these insurance policies because, as well as often protecting against liabilities for civil penalties from regulators that may be issued following a data breach, they provide them with access to a network of experts to help them handle different challenges that are associated with such breaches," Mullenex said.
"For example, many of the insurance policies provide the policy holders with access to technical assistance for identifying and plugging vulnerabilities in their IT security, to help in managing engagement with customers affected by incidents and in protecting against the impact such cases can have on their brand, as well as with access to expertise in handling litigation and compliance issues that arise," she said.
Mullenex said that businesses' fear of the reputational damage that perceived failings on privacy can cause has been highlighted in a case involving internet giant Google in France.
Google was fined €150,000 by CNIL after the watchdog identified a number of serious breaches of the French Personal Data Protection Act by the company. CNIL also ordered Google to publish on its French website, for a period of 48 hours, a communication mentioning the sanctions ordered by the CNIL as well as a link to the watchdog's decision.
Google appealed CNIL's decision to the French Council of State, seeking suspension of the order requiring the communication to be displayed on Google's home page.
In February, the Council of State dismissed Google's appeal, holding that the company was free, when displaying the communication, to inform its users of its disagreement with the fine imposed by the CNIL and of its intent to challenge the watchdog's decision. Google had failed to show that its reputation would be irreversibly damaged if it was forced to publicise CNIL's concerns, the Council said.
"Google was far more concerned by its obligation to display on its homepage a communication related to the sanctions ruled by the CNIL against it, rather than by the €150,000 fine," Mullenex said. "Google claimed before the High Court that such communication displayed on its homepage would irreversibly deteriorate its reputation, as the damage suffered could not be repaired, even if the administrative judge were to rule in favour of the annulment of the CNIL’s decision in the future."
Mullenex said that although a new general data breach notification obligation is likely to be introduced for all organisations under new EU data protection laws that are being negotiated, many data breach incidents are kept private at the moment.
However, she said that data breaches involving telecoms companies are among the most likely incidents to come to the public's attention. This is because EU rules require providers of publicly available electronic communications services to inform regulators and, in certain cases, affected individuals about personal data breaches they experience, she said. A recent case involving a telecoms business that came to light was a cyber attack affecting Orange France.
The general obligation on telecoms businesses is to notify regulators within 24 hours of detecting such a breach and to provide those authorities with a range of information about the breach, including the estimated date and time of the incident, the nature and content of the personal data concerned and how many individuals are affected. Where all the information is not immediately available, the companies can provide the missing details at a later date.
The telecoms businesses also generally have to notify individuals affected by a personal data breach "without undue delay" in cases where the breach is "likely to adversely affect the personal data or privacy" of those individuals. However, telecoms providers would be able to avoid having to notify individuals if they can show regulators to their satisfaction that the use of "technological protection measures" has rendered the breached data "unintelligible to any person who is not authorised to access it".
Mullenex said that in France, CNIL has issued guidance to help telecoms companies evaluate when they need to notify individuals affected by data breaches.
"There is sometimes a lapse in time between data breach incidents occurring and the public being made aware of them," Mullenex said. "This can often be explained by the fact that businesses will be awaiting a determination from a data protection authority on whether they must notify affected customers. Most businesses will be keen to avoid doing so because of the reputational damage publicity on the incidents can bring to their business. However, greater transparency on breaches is coming under the proposed new EU data protection regime."