Professional service firms of all shapes and sizes rely on the trust that our clients place in us to keep their affairs (and thus their data) secure. Accounting firms are at high risk of targeted data attacks due to the large volumes of sensitive and valuable personal data they process; this makes accounting firms prime targets for data thieves. Sometimes, however, the greatest threat to data security comes from our ‘always connected’ workforce. There are more and more opportunities for data slip ups when the security of personal data is accidentally allowed to slide.
What is a personal data breach?
A personal data breach is the accidental or unauthorised loss, alteration, access or disclosure of personal data. In addition to deliberate external attacks (such as phishing attacks and ransomware), data breaches also may include accidental loss of papers, misaddressed emails, the wrong attachments or emails which should be “Bcc’d” but are instead sent “reply to all”. In other words, one of the most useful tools for business can also present significant risk.
Notification to the data regulator (the ICO in the UK) is mandatory unless the data breach is unlikely to result in a risk to those people who can be identified from the personal data Involved in the breach (the “data subjects”). The data subjects themselves need to be informed of the breach without undue delay where there is a high risk to their rights and freedoms.
So what’s at risk from a data breach?
The GDPR places significant emphasis on the obligation to take appropriate measures to keep data safe and secure. Where appropriate security measures aren’t taken, and a data breach occurs, the relevant data controllers (and even the individuals responsible) face prosecution by the data regulator.
Maximum fines of up to the higher of €10 million or 2% of annual worldwide turnover are possible. Even though fines of this magnitude are likely to be reserved for systematic breaches where insufficient attention was paid to known risks, nonetheless:
- data breaches tend to be magnet for negative public exposure; the juicer the breach, the more likely the media will run the story;
- client relations can also take a hammering. No client likes to be on the receiving end of a call from their accountant telling them that the security of their personal data has been compromised;
- other regulators such as the FRC and the ICAEW may also investigate.
Action stations! What to do when a data breach occurs.
Time is of the essence; there is a strict 72 hour timeframe for reporting breaches to the data regulator(s) across Europe (where required). The impact is mitigated the quicker the response to a data breach is coordinated (an incident response policy will assist with this):
- There should be an Incident Response Team established and trained to be ready.
- Once notified of a security incident, its function is to contain the incident, assess the risk to individuals, and determine what legal or regulatory notifications are necessary. Preventative actions for the future can also be initiated.
- For example, when an email account has been attacked you may need to appoint document review specialists to review the compromised personal data, the location of the data subjects, and the type of threat posed to them.
- If the breach is serious enough, make sure you keep in control of “telling the story”. Don’t let your client find out about a breach affecting their data from anybody other than you!
- Should the police or special IT fraud bodies be notified? Do the terms of the firm’s insurance policy require the insurer to be told of the breach? How about counter-parties to service agreements? It’s not uncommon for service agreements to require one party to notify the other about data breaches.
- All data breaches (whether they are notifiable or not) need to be recorded in your firm’s data breach log comprising the facts relating to the breach, its effects and the remedial action taken.
Prevention is better than the cure
As with protecting a property from fire or protecting our bodies from a serious illness; prevention is better than remediation. Being prepared for an eventual data breach is far better than a panicked response after the fact. Firms should conduct an assessment of risks and make sure that preventative measures are in place. These would include:
- Putting in place measures to prevent the most common accidental disclosures by your staff. What is your firm’s policy when an email is sent to the wrong recipient? Do staff know how to password protect sensitive data being sent by email? Do you discourage or prohibit hardcopies of personal data being taken home of an evening rather than being accessed from home through a secure IT system?
- Investing in readily available state of the art technology (such as software which checks the addressee of an email), maintaining a list of approved BYO devices and installing software on them, obtaining certifications such as Cyber Essentials Plus, and conducting regular IT security testing.
- Providing essential data protection training for all staff, regardless of employment status, and subjecting them to contractual obligations not to misuse personal data. Your training and guidance should be extensive and deal with the basics: spotting phishing, copying email recipients, BYOD or CYOD policies, explaining how IT use is monitored, and (most importantly) ensuring that staff of all levels understand that they must report breaches immediately rather than trying to fix the problem themselves.
Mistakes happen; it’s a fallacy to think that the risk of security breaches can be completely eradicated from a business. What’s important is that your firm is able to demonstrate to a regulator that there were appropriate safeguards in place to identify, contain and respond to data breaches and to prevent future breaches by learning from the mistakes of the past.
This guest article was written by Ellen Temperton, partner and co-head of Data and Privacy Practice at law firm Lewis Silkin.