Naming and shaming – how can an ICO investigation into a data breach damage your reputation?

Traditional forms of bad publicity following a data breach from angry customers, disclosures by cyber attackers or group litigation, are all too clear these days and we have previously written about these here. But what about publications and communications by the regulator? They can be just as damaging, so is there any means of control?

Following a data breach, a data controller has to decide whether to notify the ICO within 72 hours of becoming aware of it pursuant to Article 33 of the UK GDPR. If the decision is to notify, in terms of crisis communications, this can be the first formal communication about a company's involvement in a data breach incident and can sometimes trigger an ICO investigation. The conduct and outcome of this investigation create a reputational risk for the data controller company.

Aside from the regulatory risks and potential fines, an ICO investigation can in itself become a source of reputational damage to a business. The ICO has a vast communications apparatus available to it and its methods of publication include:

• journalists’ briefings
• news releases
• website and the internet
• Annual Report to Parliament
• e-newsletters
• blogs
• social media (eg Twitter)
• letters
• briefings to stakeholder groups
• special reports to Parliament on decision by the Commissioner
• thematic or 'improving practice' reports, and
• investigation updates.

These are all potential sources of reputation risk for data controllers under investigation by the ICO.

Announcements and decisions by the ICO about culpability for, or conduct of, a data breach incident are also reportable by the media under the protection of statutory qualified privilege, as long as this is done fairly and accurately. This means that the media can repeat whatever the ICO says without fear of a defamation action, and makes disclosures about incidents or investigations by the ICO and what it says about companies very important.

So is the ICO bound by any law or policies when it comes communications about investigations?

Law and policy

Section 132 of the Data Protection Act 2018 states that "a person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner" must not disclose information obtained by, or provided to it in the course of, or for the purposes of discharging its functions, that relates to an identified or identifiable individual or business, and that is not available to the public from other sources at the time of the disclosure, and has not previously been available to the public from other sources. It is an offence for a person to knowingly or recklessly disclose such information. This rule applies unless the disclosure is made with lawful authority, which is a large caveat.

Section 132(2) states that a disclosure is made with lawful authority only if and to the extent that it falls within one of six grounds in sub-paras (a) – (f), which state:

• the disclosure was made with the consent of the individual or of the person for the time being carrying on the business
• the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner)
• the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions
• the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation
• the disclosure was made for the purposes of criminal or civil proceedings, however arising, or
• having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.

In addition to this statutory restraint, there is a corresponding ICO policy entitled the Communicating our Regulatory and Enforcement Activity Policy (2019) (Policy). It states:

"Communicating information about our work may include:

• confirming we are investigating an issue or engaging with a particular organisation to discuss their current or future information rights practice and compliance;
• updating on the progress or outcome of our most formal regulatory work, which would typically result in a notice, report or decision being issued or served on a particular organisation and published on our website; or
• updating on the progress or outcome of our more informal investigations or information rights practice discussions".

This sets out the broad remit of potential disclosures and publications which the ICO may make about the fact of an investigation (formal or informal), its progress and the outcome. However, making disclosures about the progress of an investigation appears to be tempered by the following:

"If our work to consider a particular matter or issue is not yet complete, there may be limits to how open and we can be without prejudicing our regulatory work. It is also important that organisations should feel confident they can discuss certain matters with us in confidence, where this is appropriate".

This suggests that if an investigation is incomplete, the ICO is likely to limit disclosure if it would prejudice an investigation or inhibit those being investigated from communicating. However, an ICO investigation can be a long process involving information which evolves over time, so at what stage of an investigation is a disclosure likely and what might be disclosed?

What might be disclosed and when?

Several factors appear from the Policy regarding might be said by the ICO and at what stage of an ICO investigation.

Fact of an investigation

From the Policy, confirmation from the ICO that it is involved in an investigation is likely, but on a reactive basis (ie in response to a journalist's enquiry). It states:

"Our default position is that there is generally likely to be a legitimate public interest in being open about the issues we are considering and the organisations involved. We would not typically provide a running commentary on our investigations or discuss our progress, but we would generally be content for it to be known that we were investigating a matter or incident with a commitment to share appropriate information about the outcome, once it is known".

What might be said? The Policy later states that, if asked about self-reported incidents and concerns reported to it, the ICO would typically confirm that it is looking into a particular matter about a named organisation, but would only provide basic information about the concern to avoid prejudicing the investigation. Therefore, if a case is at the investigation stage, then only reactive disclosure to those who ask seems likely, unless the investigation is of significant public interest. From a media perspective, that could mean that if a journalist approaches the ICO for comment about a case as part of an article they are preparing, the ICO may disclose the fact they are involved (which can be significant in itself) together with basic information.

Progression and outcome of the investigation

Whether further information will be disclosed about the outcome of an ICO investigation then appears to depend on whether the investigation is formal or informal.

If it's formal, disclosure of the outcome is likely and the Policy states:

"By 'formal regulatory outcomes' we mean those where we serve or issue some form of notice, reprimand, recommendation or report following our regulatory work. Our default position is that we will publish (and, where appropriate, publicise) all formal regulatory work, including significant decisions and investigations, once the outcome is reached".

If it's informal, the ICO will make a decision on a case by case and acknowledges that there is a balance to be struck. The Policy makes it clear that "informal" in this context means an investigation that does not result in serving formal notices, reports or decisions and where the ICO seeks to discuss, educate, negotiate or influence standards of information rights practice and compliance to promote good practice.

The Policy describes the following factors which might support disclosure, such as whether there is an opportunity to educate or prevent a breach of the law, the issue is new or ground-breaking, disclosure would not prejudice an investigation or be likely to deter others, the ICO's involvement is already in the public domain and whether there would be reputational risks to public confidence if the ICO did not publicise. Further details are on pages 3 and 4 of the Policy.

The Policy describes factors which might prevent disclosure, such as:

• causing prejudice
• the investigation could be hindered by publicity or could come to nothing
• disclosure would include personal or highly commercially sensitive information, or
• if an organisation has a legitimate expectation that its contact with the ICO would not be published or publicised (for example under exceptional circumstances where an organisation has been given an express assurance by the ICO).

It also appears from the Policy that disclosures will depend on the action taken by the ICO, but examples in the Policy are vague, stating that cautions, warnings or reprimands "may be published if noteworthy or if it will help promote good practice or deter non-compliance". There remains a risk if no remedial action is taken as the Policy states that the ICO may publish or publicise information highlighting practice improvements in information rights after complaints and incidents are reported, which will include naming organisations "if the public interest warrants it". This may provide some comfort to organisations under investigation which may not be facing remedial action in relation to commonplace data compliance issues.

In short, if the ICO takes action, the ICO may publish information and that will involving naming and shaming the data controllers. The likelihood of this happening if they are given a warning, reprimand or caution appears to be lower.

If a disclosure is to be made about an investigation, will the ICO give any prior warning beforehand?

The Policy states that, depending on how formal the regulatory activity is, and the type of information involved, it may be appropriate to inform, consult or seek the consent of the organisations named in its communication before publishing it. This is very important if any action is to be taken.

What steps can be taken to mitigate the ICO becoming a reputation risk?

Despite the statutory restraint under the DPA 2018, the caveat and the Policy provide considerable scope for making disclosures across the ICO's broad communications apparatus, which can be very damaging to a data controller's reputation.

Recommendations for mitigating this reputation risk are:

• Undertake a data audit to ensure compliance to protect against the risk of investigation.
• Undertake data security compliance.
• If being investigated, take professional advice on managing the investigation.
• Those being investigated are encouraged to highlight confidential information being disclosed during the investigation so that the ICO must take that into account when deciding whether to publish information in the public interest.
• Maintain an open channel of communication to get ahead of publications and announcements by the ICO and request prior warning.
• Try and pre-empt publication and then use the factors in the Policy to try to persuade the ICO not to proceed or to mitigate what they say.
• Obtain reputation management advice regarding potential subsequent media reporting of ICO communications about the investigation.
• Consider preparing a reactive statement if regulatory action is taken (which could lead to disclosure) or in the event that customers publicise the matter and/or a journalist approaches the ICO for comment while investigating ahead of publishing a news story.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Data Protection & Cyber or Reputation Management & Privacy Protection teams.