Data Breaches and Considerations for Employers
As technology evolves, cyber criminals are becoming increasingly sophisticated in their ability to target organisations. Nevertheless, a cyber criminal’s greatest tool is arguably you. Whether an organisation is large or small, or invests heavily in cybersecurity, the one person who fails to identify, for example, a phishing email as illegitimate can be the greatest chink in your armour.
It is important for employers to recognise the risk that every untrained employee poses to their network security and to implement at the very least a regime of regular data protection training for all employees. We can advise and assist on the necessary procedures that your business may be required to implement including data protection training and cyber security awareness.
A recent major data security breach
Ransomware group Clop recently claimed responsibility for a cyber-attack that targeted a vulnerability in Progress Software’s MOVEit Transfer product.
This impacted Zellis, a UK HR solutions and payroll company, affecting many of its own customers including Aer Lingus, British Airways, Boots and the BBC. It is understood that personal employee data was affected including dates of birth, names and national insurance numbers.
You can read Progress’ recommended remediation steps on the Progress Community website.
What to do if your company suffers a personal data breach
If you are a UK company and suffer a personal data breach you may be required to report the breach to the Information Commissioner’s Office (ICO).
A personal data breach as defined by the ICO is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’.
If a data breach is likely to present a risk to the rights and freedoms of individuals, you are required to notify the ICO. Personal data breaches could not only affect your customers but could cause reputational damage and result in significant financial loss.
You must also consider whether you are required to notify your customers and anyone else who might be affected, depending on whether the incident has had, or is likely to have, a significant impact on them. If you are the data processor, this includes notifying the data controller (whether you must do so depends on the severity of the breach and on your contractual obligations).
You can access the ICO’s self-assessment tool to help assess if your company should report to the ICO.
The ICO must be notified as soon as is reasonably possible and in any event within 24 hours of becoming aware of the breach. Where customers are likely to be adversely affected, they too must be notified without undue delay.
The ICO’s powers include issuing penalty notices, enforcement notices, information notices and inspection powers.
Protect your business from data protection breaches
With well thought out and clear risk management and data protection strategies, your company can train and make staff aware of how best to avoid a data breach and what to do should the worst happen.
If you have concerns about GDPR and data protection risk management, our specialist data protection lawyers can assist you. Contact us for more information or give us a call on 01202 525333 to speak to a specialist.
About the authors
Our team of data protection solicitors have a wealth of experience and expertise in all areas of data protection and GDPR law, successfully handling a wide range of cases on behalf of clients and businesses of all shapes and sizes.
Diane Pearce is a Senior Associate Solicitor who is passionate about business and has expertise in advising on data protection and privacy issues.
Dayne Rodrigues is a Trainee Solicitor who specialises in finding creative solutions to complex problems with experience in data protection, employment law, and more.