Data Loss: Dereliction of Duties?

Tim Musson, Computer Law Training Ltd, © 2015

Uploaded by napier-university, posted 15-Apr-2017

TRANSCRIPT

Page 1: Data Loss: Dereliction of Duties?

02/05/2023

Data Loss: dereliction of duties?

Tim Musson

Tim Musson, Computer Law Training Ltd, © 2015

Page 2

What sort of data matters?

We can lose:

• Personal data / personally identifiable information (PII)

• Intellectual property

• Confidential information

Page 3

Personal Data

• In July 2015 Andrew Skelton, a senior internal auditor at Morrisons, was sentenced to 8 years.

• He was accused of using a computer to gain unauthorised access to a programme or data with the intent to commit fraud, knowingly or recklessly disclosing personal data, and conspiring to commit fraud by abusing his position.

Page 4

Personal Data

• Skelton sent information about staff salaries, bank details and National Insurance numbers to several newspapers and posted it on data sharing websites – nearly 100,000 records

• Hopefully the criminal nature of Skelton’s actions is clear

• What about Morrisons?

Page 5

Personal Data

Data Protection Act (Schedule 1, Part 1):

• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Page 6

On the JMW website (www.jmw.co.uk):

• “Whenever employers are given personal details of their staff, they have a duty to look after them.”

• “My clients' position is that Morrisons failed to prevent a data leak which exposed tens of thousands of its employees to the very real risk of identity theft and potential loss.”

Page 7

Morrisons

• Whatever the outcome of the Morrisons case, there will be very bad publicity … and it could be very expensive

Page 8

GDPR: Chapter 4, Section 2 (Data Security), Article 30: Security of processing

1. Having regard to available technology and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risk for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures, such as pseudonymisation of personal data to ensure a level of security appropriate to the risk.

1a. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by data processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Page 9

GDPR: Chapter 4, Section 2 (Data Security), Article 30: Security of processing (continued)

2a. Adherence to approved codes of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the requirements set out in paragraph 1.

2b. The controller and processor shall take steps to ensure that any person acting under the authority of the controller or the processor who has access to personal data shall not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

Page 10

GDPR – other issues

Article 26: The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of this Regulation

Page 11

GDPR – other issues

Article 31:

• Compulsory notification of personal data breaches – to regulator and data subjects

• Within 72 hours of awareness

• Exemption for encrypted data

Page 12

GDPR – Penalties

Article 79:

• Proposed fines of up to €100 million (or €1 million) or 5% (or 2%) of global annual turnover

Article 77:

• Any person who has suffered material or immaterial damage as a result of a processing operation which is not in compliance with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered

Page 13

Intellectual Property

• Intellectual property under development or its underlying research may be at risk

– Generally, if it’s stolen it’s stolen

– Prosecution under the Computer Misuse Act may be possible (but still too late)

Page 14

Computer Misuse Act

Offences:

• Unauthorised access to computer material.

• Unauthorised access with intent to commit or facilitate commission of further offences.

• Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.

• Making, supplying or obtaining articles for use in offence under section 1 or 3

Page 15

Confidential Information

• Common law 'duty of confidence' applies where ‘private’ information is disclosed to another who is (or should be) aware of its confidential nature.

• Employees have an automatic duty to their employer to not knowingly misuse or wrongfully disclose their employer's confidential information.

• Negotiations

• Client information

Page 16

Confidential Information

May be essential to a business:

• Negotiations

• Client information

• Marketing plans

• Strategy

• Legal professional privilege (and other professions)

Page 17

Confidential Information

• Confidentiality agreements and clauses in employment contracts can be useful

– Can allow damages claims, but won’t shut the stable door

• Only allow access on a need-to-know basis

Page 18

Other Compliance obligations

• PCI DSS

• Sarbanes-Oxley (for large American companies or with an American presence)

Page 19

Do we actually know what valuable or sensitive data we possess?
