Preparing for the worst – could your business defend claims for a data breach?

I had an interesting conversation with a HR Director last week on the group litigation issued against Morrisons by its employees for data breaches and I think the key points are worth sharing.

You may recall the disgruntled Morrisons employee who posted bank details and other personal information relating to over 10,000 fellow employees online. He is only a few months into his 8-year prison sentence for this outburst, but Morrisons is now facing group litigation from its staff under the Data Protection Act as a result of his actions.

Data breaches are not limited to employee data. The recent British Gas and TalkTalk customer data breaches highlight the potential for data breaches in any business that retains personal information relating to customers.

Ultimately, businesses are data controllers and are liable for individual claims for damage or distress suffered as a result of a data breach. The defence to those claims is to prove that all reasonable steps were taken to prevent the breach from happening in the first place.

This begs the question; how do businesses set about ensuring that they have done everything they can to prevent a cyber attack, a rogue employee or simple human error from creating a data breach?

Here are my top five tips:

1. Review your internal systems: Today’s digital world has increased the potential for data breaches, but equally there are many more options for safeguarding personal and commercially sensitive data. Your IT team or provider can present the options;

2. Update Data Protection policies: Combine this with educating staff who regularly handle customer and/or employee data on the repercussions of failing to adhere to company policy. This will be important for any disciplinary action required in the event of a serious of breach;

3. Audit third party contractors: Do you know how or where your payroll provider keeps your employee data secure? If the answer is no, you should arrange a meeting to discuss. If the data is held outside of the EU, there are specific obligations placed on data controllers. This applies to any third party that holds your employee or customer data;

4. Carry out a full data protection audit: You can instruct your advisors on how to manage this or have a look at the Information Commissioner guidance on how to run an effective audit. The audit report and recommendations could be your defence to claims if your business experiences a data breach;

5. Implement any recommendations from an audit: There can be no excuse for failing to address an area of risk that has been raised!

I would urge businesses to consider these points and take further action if there are any concerns about the risk of a breach. In areas such as this, the best approach is to expect the unexpected…

For further information, please contact Roisin Patton, senior associate in the employment team or call 0843 224 7936.