02/05/2023
Data Loss: dereliction of duties?
Tim Musson, Computer Law Training Ltd, © 2015
What sort of data matters?
We can lose:
• Personal data / Personally identifiable information (PII)
• Intellectual property
• Confidential information
Personal Data
• In July 2015 Andrew Skelton, a senior internal auditor at Morrisons, was sentenced to 8 years.
• He was convicted of using a computer to gain unauthorised access to a program or data with the intent to commit fraud, knowingly or recklessly disclosing personal data, and conspiring to commit fraud by abusing his position.
Personal Data
• Skelton sent information about staff salaries, bank details and National Insurance numbers to several newspapers and posted it on data sharing websites – nearly 100,000 records
• Hopefully the criminal nature of Skelton’s actions is clear
• What about Morrisons?
Personal Data
Data Protection Act 1998 (Schedule 1, Part I, seventh data protection principle):
• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
On the JMW website (www.jmw.co.uk):
• “Whenever employers are given personal details of their staff, they have a duty to look after them.”
• “My clients' position is that Morrisons failed to prevent a data leak which exposed tens of thousands of its employees to the very real risk of identity theft and potential loss.”
Morrisons
• Whatever the outcome of the Morrisons case, there will be very bad publicity … and it could be very expensive
GDPR (draft text as at 2015; article numbers changed in the final Regulation, where security of processing is Article 32): Chapter 4, Section 2, Data Security, Article 30 Security of processing
1. Having regard to available technology and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risk for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures, such as pseudonymisation of personal data to ensure a level of security appropriate to the risk.
1a. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by data processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
GDPR: Chapter 4, Section 2, Data Security Article 30 Security of processing
2a. Adherence to approved codes of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the requirements set out in paragraph 1.
2b. The controller and processor shall take steps to ensure that any person acting under the authority of the controller or the processor who has access to personal data shall not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
GDPR – other issues
Article 26: The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of this Regulation
GDPR – other issues
Article 31:
• Compulsory notification of personal data breaches – to regulator and data subjects
• Within 72 hours of awareness
• Exemption for encrypted data
GDPR - Penalties
Article 79:
• Proposed fines of up to €100 million (or €1 million) or 5% (or 2%) of global annual turnover (the Regulation as finally adopted in 2016 sets the ceiling at €20 million or 4% of worldwide annual turnover)
Article 77:
• Any person who has suffered material or immaterial damage as a result of a processing operation which is not in compliance with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered
Intellectual Property
• Intellectual property under development or its underlying research may be at risk
– Generally, if it’s stolen it’s stolen
– Prosecution under the Computer Misuse Act may be possible (but still too late)
Computer Misuse Act
Offences:
• Unauthorised access to computer material (section 1).
• Unauthorised access with intent to commit or facilitate commission of further offences (section 2).
• Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer, etc. (section 3).
• Making, supplying or obtaining articles for use in an offence under section 1 or 3 (section 3A).
Confidential Information
• Common law 'duty of confidence' applies where ‘private’ information is disclosed to another who is (or should be) aware of its confidential nature.
• Employees have an automatic duty to their employer to not knowingly misuse or wrongfully disclose their employer's confidential information.
Confidential Information
May be essential to a business:
• Negotiations
• Client information
• Marketing plans
• Strategy
• Legal professional privilege (and other professions)
Confidential Information
• Confidentiality agreements and clauses in employment contracts can be useful
– Can allow damages claims, but won’t shut the stable door
• Only allow access on a need-to-know basis
Other Compliance obligations
• PCI DSS
• Sarbanes-Oxley (for large American companies, or companies with an American presence)
Do we actually know what valuable or sensitive data we possess?