By Tim Hickman, Partner at Global law firm White & Case
As public attention is increasingly drawn to major cyber security incidents, such as the recent Travelex ransom ware attack, clear trends in data protection enforcement have begun to emerge. Financial services firms can learn from these enforcement trends in order to help reduce their own regulatory risks in this area.
Cyberattacks are a fact of life
The growing integration of technology into all areas of business have seen remarkable improvements in efficiency and productivity across a range of sectors – especially financial services. Transactions are now performed across digital networks at speeds and in volumes that would have been unthinkable just a few decades ago. However, as financial services firms have become increasingly dependent on networked systems, they have also become more exposed to the security risks that are inherent in those systems.
Networked systems cannot ever be completely secure. It is almost always possible for a sufficiently determined and well-resourced attacker to compromise a system, given enough time. Moreover, the threats in this space are continually evolving. Many security features that were state-of-the-art just a few years ago can now be overcome with relative ease, using tools that are readily available on the dark web. As a result, financial services firms need to be constantly vigilant against the changing landscape of cyber threats.
Keeping personal data safe
In addition to the obvious financial and reputational risks associated with cyberattacks, financial services firms involved –especially those involved in retail finance– also face increasing regulatory scrutiny from data protection authorities, due to the large volumes of personal data they process. The processing of personal data in the EU is governed by the General Data Protection Regulation (the “GDPR”) which imposes penalties of up to the greater of €20 million or 4% of worldwide turnover on firms that fail to process data lawfully. The GDPR also requires firms to notify the relevant regulator (which, in the UK, is the Information Commissioner’s Office (the “ICO”))) within 72 hours after becoming aware of a data breach. Moreover, where there is a risk of harm to affected individuals, then firms are also required to notify those individuals without undue delay. At the end of the Brexit transition period, the GDPR will cease to apply in the UK, but essentially the same requirements are set out in the Data Protection Act 2018. This means that these obligations will continue to affect financial services firms in the UK, even after the Brexit process has been completed.
Although the rules on data breach reporting are relatively clear in theory, they can be very difficult to implement in practice. Earlier this month, foreign exchange company Travelex was hit with a major cyberattack. It is reported that the attackers gained access to Travelex’s systems, and demanded a significant ransom to restore access to the affected data. In response, Travelex took its public website offline and its staff were forced to use manual systems. At the time of writing, more than three weeks later, the Travelex website remains offline. The business disruption caused by this attack is difficult to quantify at this stage, but regulatory scrutiny is only just beginning.
Knowing whether to report a data breach can be complicated. First, not every cyberattack is necessarily a data breach. A data breach only happens where there is destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a data breach can only happen in systems that include personal data. Systems that only record information that is not personal data (e.g., records of transactions between businesses) can obviously suffer cyberattacks, but because no personal data are involved, those attacks are not data breaches and are not reportable to the ICO. Even for systems that include personal data, an unsuccessful cyberattack (or a cyberattack that did not affect the personal data on the system) would generally not be a data breach and would not be reportable to the ICO.
Second, it is often very difficult to ascertain facts quickly. At the start of any cyberattack investigation, there is often only a suspicion that something has gone wrong – not necessarily a certainty that there has been a successful attack or that personal data were affected. But the 72-hour reporting window in the GDPR does not leave firms with much leeway. As a result, some firms decide to simply over-report, sending the ICO a notification of every suspected breach, in order to ensure that they meet the reporting deadline, even if they will in most cases file a subsequent follow-up notification informing the ICO that they have concluded that the breach did not meet the threshold for notification after all. This consumes significant resources, but ensures that the firm cannot be penalised for under-reporting.
On the other hand, the risk of over-reporting is that once a firm issues a data breach notification to the ICO, it is effectively admitting that it believes (at least for the moment) that it may have suffered a data breach. This can create significant PR challenges and can also lead to regulatory risks in other areas – especially for listed entities, which are typically subject to stricter reporting obligations. As a result, financial services firms need to be able make the right call when it comes to reporting a suspected data breach to the ICO.
Emerging trends in data breach reporting
Enforcement of the GDPR began on 25 May 2018. The first clear trend to emerge since that date is that although the GDPR provides potentially very large fines (as noted above) the deluge of major financial penalties that had been feared has yet to materialise. While penalties of under £1million remain reasonably common, there have only been two major enforcement actions announced, neither of which has yet been finalised. Large financial penalties are even scarcer in the rest of the EU – only France’s CNIL has issued a GDPR penalty of more than €10million. There are a number of reasons for the lack of appetite among data protection authorities for issuing major fines, but the greatest single reason is likely the threat of litigation. Firms are unlikely to litigate penalties of under £1million because the cost would outweigh the benefit. However, larger fines –especially those based on a percentage of turnover– are much more likely to be challenged in the courts, because there is more money on the table. This means that if a data protection authority wishes to issue a very large fine under the GDPR, it has to be confident that its reasoning is sufficiently sound, and its evidence is strong enough, to survive court scrutiny. This requires considerable investment by the data protection authority, and reduces the number of cases that are likely to be subject to such fines.
The second trend is that both of the ICO’s multi-million pound enforcement actions to date were in respect of large-scale data breaches involving payment card data of hundreds of thousands of individuals. Although it is difficult to draw firm conclusions from the small number of enforcement actions to date, the fact that the ICO chose to invest significant resources in investigating these breaches, and will likely have to invest even more in defending these enforcement decisions in court, appears to have been motivated in part by the potential for financial impact of those data breaches upon the affected individuals. Violations of the GDPR in other areas (e.g., unlawful data transfers; failure to provide appropriate processing notices; etc.) have received far lower penalties and much less scrutiny.
All financial services firms are potentially at risk of suffering a cyberattack. While the financial and PR consequences of any such attack can be serious, there are additional data protection consequences for any firm that suffers a cyberattack involving personal data. Based on enforcement trends since the start of GDPR enforcement, the likelihood of incurring a multi-million pound penalty for violation of the GDPR appears to be relatively low. However, those fines become significantly more likely for any firm that suffers a large-scale data breach involving financial data of individuals. As a result, financial services firms that handle any personal data need to pay special attention to ensuring that appropriate protections and compliance measures have been implemented on all systems that are used to process such data.