A data breach can be devastating, ruining a company financially and permanently damaging its reputation with customers. As a director or officer of your company, you face litigation risk and costly non-compliance penalties under the GDPR, based both on the decisions you make after a breach and on how you shape cyber-security policy, since these are increasingly treated as board-level issues.
If a suit is filed against you personally after a data breach, on the basis of your position as a board member, your company's cyber-liability policy may not protect you. Your best source of protection is a directors' and officers' (D&O) policy, provided the policy is tailored to respond to claims arising from a data breach.
Data Breach Threats
The biggest threat from a data breach is loss of information, whether it is information about your company's finances or the personally identifiable information of your customers, such as National Insurance numbers or payment card data.
Losing sensitive information belonging to your customers or your company can ruin your reputation. If your customers' payment card data is stolen, they will need to cancel their cards and obtain new ones, an inconvenient process that damages your company's public image.
Data Breach Response
Following a data breach, you may be legally required to notify certain organisations. Under the GDPR, a company that controls personal data must notify the Information Commissioner's Office (ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected; where the risk is high, the affected individuals must also be told without undue delay. Failure to notify when required can itself attract a substantial fine, separate from any penalty for the underlying security failure.
Notification should be taken seriously: a poorly handled response can expose the company to legal action from customers as well as enforcement by regulators, and the ICO has the power to issue significant monetary penalty notices under the GDPR.
Data Breaches and D&O Cover
Inadequate cyber-security that leaves your company vulnerable to a data breach can be seen by customers or shareholders as negligence or a breach of duty. Because the board makes decisions on behalf of the company, customers and shareholders may seek to hold you personally responsible for the damage. What's more, you could be found liable under the GDPR for the breach. For these reasons you need protection in the form of a D&O policy.
In past legal cases following a data breach, directors and officers have been accused of:
- Failing to take reasonable steps to protect customers’ personal and financial information
- Failing to implement controls to detect and prevent a data breach
- Failing to report a breach in a timely manner
A cyber-liability policy is designed to cover the company's own losses and third-party claims against the company; it does not respond to claims brought against directors and officers as individuals, whereas a D&O policy does.
A D&O policy provides cover for a ‘wrongful act’, such as an actual or alleged error, omission, misleading statement, act of neglect or breach of duty.
Cyber-security Is Vital
Cyber-security is rapidly becoming a vital aspect of responsible business management and customer service, and a company’s directors and officers are expected to be involved in and knowledgeable about the company’s cyber-security.
Ensuring your company has suitable and trustworthy cyber-security is paramount. If you determine that your cyber-security may not be sufficient, take steps to improve it. The following techniques strengthen a company's cyber-security:
- Install a firewall. A network firewall should sit between the company network and the internet and allow only the inbound and outbound connections the business actually needs; host firewalls on individual machines complement it rather than replace it.
- Install security software. Endpoint protection (anti-virus and anti-malware) should run on every computer in the network, and all software, including operating systems, should be kept up to date with security patches.
- Encrypt your data. Use full-disk encryption on laptops, tablets and removable media, so that a lost or stolen device does not expose readable data, and keep the recovery keys somewhere other than on the device itself.
- Use a virtual private network (VPN). A VPN gives remote employees an encrypted, authenticated tunnel into the company network instead of exposing internal services such as remote desktop or file shares directly to the internet. Pair it with multi-factor authentication, since a VPN protects the connection but not a stolen password.
- Develop a cyber-incident response plan. Have a plan in place, and rehearse it, so that when—not if—you experience a data breach, you can act quickly, minimise your loss and meet the 72-hour ICO notification deadline.
The content of this Management File is of general interest and is not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. © 2014 Zywave, Inc. All rights reserved