Cyber Risk Legal Update - SEPTEMBER 2015
September 2015 Cyber Risk legal update
Cyber Insurance, Privacy and Data Security Newsletter
This month we turn our thoughts to the wider issues of data protection and privacy. Amongst all the recent publicity and regulatory scrutiny surrounding cyber risk, it is forgivable to fall into a trap of thinking that the risks of holding data relate solely to security.
Whilst the security breach often grabs the headline, such incidents frequently reveal breaches of wider data protection principles that then become the focus of regulatory scrutiny and civil claims. Indeed, there are many recent examples of organisations finding themselves in that exact situation.
Earlier this month, the case of an 87-year-old man who was harassed for donations 731 times in five years demonstrates how data protection breaches can occur without security being an issue. The man had been bombarded by cold callers after failing to tick a "do not share my details" box in a lifestyle survey he filled out in 1994. The ICO criticised the organisations’ use of old data and vowed to investigate any malpractice. The incident highlights the need for organisations to monitor how long data has been held and whether it is still being held lawfully. In our view, there certainly appears to have at least been a breach of Principle 5 of the DPA (personal data must not be kept for longer than is necessary).
The Vidal-Hall v Google litigation highlights the civil liability exposures to wider data protection breaches in the absence of any breach of security. The case concerns Google’s allegedly secret monitoring of internet users and the claimants’ allegations include Google’s breaches of Principles 1, 2, 6 and 7 of the DPA (only Principle 7 relates to security). As we reported last month, the litigation has spurred a potential £30m group litigation.
Even the much publicised hacking of Ashley Madison raises wider data protection breaches: the hackers revealed that the company held data including IP addresses and individuals’ geolocation to the nearest 3 metres. Such location data may have been entirely unnecessary for the operation of the website.
The Ashley Madison breach also highlights the cross-jurisdictional nature of data breaches: the company is based in Toronto with website terms and conditions subject to Cypriot law. Ashley Madison may be subject to European data protection law if it controlled the processing of users’ data through an “establishment” in a European country, or through the “use of equipment” in a European country. It has been submitted that the meaning of “equipment” can be wide enough to include cookies or an app installed on a mobile device.
At the PLUS Cyber symposium in Chicago last week, we were struck by the increasing concerns expressed by US companies over EU data protection issues and the cross-jurisdictional reach of European law. Cases like Vidal-Hall and incidents such as Ashley Madison are highlighting the potential risks and liabilities that accompany the commercial benefits of the “big-data” age.
For DAC Beachcroft privacy updates, please follow us on Twitter at @DACBprivacy.