Cyber Risk Legal Update - June 2015
Cyber Insurance, Privacy and Data Security Newsletter
Whilst we are still reeling from the ground-breaking Vidal-Hall decision earlier this year, the ICO has also issued some interesting guidance and publications which have themselves progressed the interpretation of existing data protection law.
The ICO's guidance on monetary penalties ("fines" to you and me) is one such publication, and it reveals a great deal about why and when the ICO will issue a monetary penalty. A copy can be found here. Risk management lessons can be drawn from this guidance, some of which might be surprising. For example, the guidance indicates that fines are effectively means tested, so that bigger companies will face higher fines. How a company responds to a data breach is also crucial to whether the ICO will issue a fine: companies that take immediate action to close the vulnerability and offer compensation to affected individuals will reduce the chances of a fine being issued.
In May, the ICO also published the results of a pan-European study into what the public expect from data protection and from the data protection authorities ("DPAs") themselves. The report outlined a series of recommendations on how DPAs can be more effective in the management and protection of personal data. A copy can be found here.
Ultimately, the ICO found that there was no 'one size fits all' view; privacy is personal to the individual and what one person is content to share and on what basis differs from person to person. However, the ICO found that there were common themes in what the public want:
control over their data and to know that it is secure and protected;
transparency that allows the public to understand what personal data will be used for and why; and,
an ability to manage personal data, to access, amend or delete the information retained.
The results of this study will no doubt influence the ICO's future priorities in regulating data protection in the UK. Savvy companies will try to take these factors into account when conducting business, in order to stay a few steps ahead of the regulatory machine. The savviest companies will build their businesses with the public's demands on privacy in mind, in order to differentiate themselves and gain a competitive advantage. Just ask Tim Cook of Apple, who earlier this month reportedly criticised web rivals whose business models, in his view, undermine user privacy.
Across the pond, we are reminded that privacy risks are not restricted to companies with retail customers. Employee data can be a prized hacking target, and a stark reminder came in the form of a cyber-attack on the US Government that reportedly resulted in the loss of the personal financial data of up to 4 million current and former employees. If the US Government can be breached, what makes any other organisation immune?
There has also been an interesting legal development in the US on the topic of insurance coverage for cyber risks under existing insurance policies. Thank you to Charles A. Cowan of Drinker Biddle & Reath for his summary of the Connecticut Supreme Court's finding. The judgment demonstrates the limits of trying to claim under existing insurance programmes for losses which might have been better covered by a dedicated cyber insurance policy.
And finally, what would any cyber update be without a reference to the EU Data Protection Regulation? Well the breaking news is that the European Council has agreed its version of the wording so that the Parliament, Council and Commission can sit down together and begin to horse-trade their respective positions. Those talks start on 24 June with the incoming Luxembourg Presidency aiming to find a general approach in October to be finalised by the end of 2015. Don't hold your breath!
Further developments covered in this issue:
New digital content provisions under the Consumer Rights Act 2015
ICO regards "legitimate interest" a potential ground for big data processing
New telematics guidelines at risk of falling behind advancing technology
EU Data Protection Regulation Developments
EU Parliament Published Timetable for Trialogue
Updates from around the World...
Ireland - Central Bank commences cyber security themed inspections
Russia - Russian Data Protection Authority given powers of audit
Italy - Public consultation on the internet of things
Lithuania - Lithuania updates its general data security requirements
Italy - Survey reveals Italian attitudes to online data privacy
Italy - Online marketing guidance issued by Italian DPA
Italy - Italian DPA issues handbook
Germany - Dissatisfaction expressed over leaked draft data retention law
South Korea - Amendments to standards of personal security measures issued
Argentina - Mobile app guidance issued for developers
Australia - Metadata can be personal information under Australian privacy laws
Peru - New data protection law published
Singapore - Singapore issues update to advisory guidelines
For more information on DAC Beachcroft please contact:
Rhiannon Davies, Partner
+44 (0) 20 7894 6577
You might also like ...
Cyber Risk legal update | January 2016
Newsletter | Cyber Insurance, Privacy & Data Security
A milestone has been reached in the world of data protection law. After three years of detailed discussions political agreement has been reached between the European Commission, Council and Parliament on the final text of the General Data Protection Regulation (the GDPR).
The GDPR will replace the Data Protection Directive 95/46/EC, and therefore the UK Data Protection Act 1998, and will be directly applicable in all Member States without the need for implementing legislation. The legislative process will be complete once the text is formally adopted by the Council and Parliament, which is expected in the coming months. The GDPR will apply two years after formal adoption, which is therefore anticipated to be in the first half of 2018. Further detail about the key features of the GDPR is provided here.