Cyber Risk Legal Update - SEPTEMBER 2015
Cyber Insurance, Privacy and Data Security Newsletter
This month we turn our thoughts to the wider issues of data protection and privacy. Amongst all the recent publicity and regulatory scrutiny surrounding cyber risk, it is forgivable to fall into a trap of thinking that the risks of holding data relate solely to security.
Whilst the security breach usually grabs the headline, such incidents often also reveal breaches of wider data protection principles, which then become the focus of regulatory scrutiny and civil claims. Indeed, there are many recent examples of organisations finding themselves in exactly that situation.
Earlier this month, the case of an 87-year-old man who was harassed for donations 731 times in five years demonstrated how data protection breaches can occur without any failure of security. The man had been bombarded by cold callers after failing to tick a "do not share my details" box in a lifestyle survey he completed in 1994. The ICO criticised the organisations' use of such old data and vowed to investigate any malpractice. The incident highlights the need for organisations to monitor how long data has been held and whether it is still being held lawfully. In our view, there certainly appears to have been at least a breach of Principle 5 of the DPA (personal data must not be kept for longer than is necessary for the purpose for which it was obtained).
The Vidal-Hall v Google litigation highlights the civil liability exposure arising from wider data protection breaches in the absence of any breach of security. The case concerns Google's allegedly secret monitoring of internet users, and the claimants allege breaches of Principles 1, 2, 6 and 7 of the DPA (of which only Principle 7 relates to security). As we reported last month, the litigation has spurred a potential £30m group action.
Even the much-publicised hacking of Ashley Madison raises wider data protection issues: the hackers revealed that the company held data including users' IP addresses and their geolocation to the nearest 3 metres. Such location data may have been entirely unnecessary for the operation of the website and, if so, its collection would engage Principle 3 of the DPA (personal data must be adequate, relevant and not excessive for the purpose for which it is processed).
The Ashley Madison breach also highlights the cross-jurisdictional nature of data breaches: the company is based in Toronto with website terms and conditions subject to Cypriot law. Ashley Madison may be subject to European data protection law if it controlled the processing of users’ data through an “establishment” in a European country, or through the “use of equipment” in a European country. It has been submitted that the meaning of “equipment” can be wide enough to include cookies or an app installed on a mobile device.
At the PLUS Cyber symposium in Chicago last week, we were struck by the increasing concerns expressed by US companies over EU data protection issues and the cross-jurisdictional reach of European law. Cases like Vidal-Hall and incidents such as Ashley Madison are highlighting the potential risks and liabilities that accompany the commercial benefits of the “big-data” age.
For more DAC Beachcroft cyber updates, please follow us on Twitter at @legallnutt and @hillegal1970.
For DAC Beachcroft privacy updates, please follow us on Twitter at @DACBprivacy.
ICO Enforcement Notices
EU Data Protection Regulation Developments
Updates from around the World...
For more information on DAC Beachcroft please contact:
Rhiannon Webster, Partner
+44 (0)20 7894 6577
Hans Allnutt, Partner
+44 (0)20 7894 6925
Patrick Hill, Partner
+44 (0)20 7894 6930
Helen Nuttall, Solicitor
+44 (0)20 7894 6937