Data breaches have always attracted considerable media attention. This will only continue now that the GDPR is in force, imposing additional obligations on companies and expanding the territorial scope of data protection law and its application. The net result is that a greater number of companies must now comply with EU data protection laws, with the possibility of tougher regulatory action and sanctions as well as civil litigation if they get it wrong.
Individuals are also becoming more aware of the issues and of their rights. They are increasingly taking an interest in how their data is being used and protected, fuelled by the GDPR as well as antipathy towards large online companies, the increasing monetization of data and reports of profiling and harvesting of personal data for political and other ends.
When reporting data breach allegations, the media may not always get it right. Where false and defamatory allegations are published (and/or then republished) about a company, it might have a legal claim for defamation with the possibility of recovering damages and an apology or clarification.
Correcting false allegations made in the media is important to protect a company's long term reputation. Legal pressure can be applied prior to publication of defamatory allegations to try to stop the story, reduce the severity of the allegation published or to help put the company's side of the story across in the article. The best opportunity to influence a story is before publication although time (usually due to short deadlines given by enquiring journalists) is very much of the essence.
Similarly, where the breach relates to a company's confidential information, there might be scope to prevent the information (although not the fact of the breach) being published.
If a business wants to get ahead of a data breach story, it should:
Where a foreign website based in a jurisdiction which is unlikely to recognise your legal arguments publishes private, confidential or defamatory information, or illegally processes data, it might be possible (following Cartier v BT) to seek a blocking injunction in the UK courts to prevent the UK public accessing such sites. However, this is as yet untested.
Correcting the public record is essential because information in the public domain may become the basis for further inquiries, for example, by government watchdogs and regulators who have the power to summon witnesses to attend before them for questioning.
As has been seen recently by the inquiry into 'fake news' by the Digital, Culture, Media and Sport Committee in the UK, questions can be asked about allegations under the protection of parliamentary privilege allowing the media to republish or broadcast allegations discussed in those proceedings without fear of legal action, often shortly after the session itself has taken place.
The press and the public may attend these sessions, which are recorded, with transcripts made available, and broadcast live online to the world, increasing the pressure on those being questioned who are often protecting their own or their company's reputation in real time during the questioning. Preparation for these sessions is essential, especially as this type of appearance is a widely used, free and privileged source for further media coverage.
Cyberattacks are increasing and data-rich companies are key targets. An attacker might steal data and other information, through hacking. Increasingly, attackers then try to blackmail the company by demanding money in return for agreeing to give back the stolen data and not publish it online or sell it to competitors. But suppose that the company being blackmailed does not want to pay up, causing a potentially massive risk to its reputation if data and information is then leaked online?
In two 2018 cases, Clarkson Plc v Person or Persons Unknown and PML v Person(s) Unknown, an unknown hacker gained access to and stole confidential information from the companies' IT systems, threatening publication unless a ransom was paid. Both companies applied to the court for interim injunctions to restrain publication in breach of confidence. If the threat of publication is carried through by the attacker, such an order can be used to make online publishers (for example, Twitter, blogs, financial forums or document hosting sites) aware that what has been posted on their site by the hacker is confidential and has taken place in breach of a court order, procuring its removal (as happened in PML).
In some cases, it might be that a company is obliged to report a cyberattack to the market under the Listing Rules, which is then picked up and reported on by the media, as happened in Clarkson. If such a report is to be made, communications and media law advice should be taken prior to publication in order to prepare for any media follow up (with enquiries funnelled only to those authorised to brief journalists) and any further statements. Coverage should be monitored for any inaccuracies which require correcting. In such a case, taking public legal action will have little reputational down side, as details will be in the public domain already. However, it may be that a company which is a victim of blackmail can take action through the courts under the protection of anonymity, thereby potentially preventing it from being named in the media in any coverage of the court case (as happened in PML). See our article for more about this type of injunction.
As civil actions in cyberattack cases often run parallel to criminal investigations by the Police, it is important that companies are aware of the fact that details about such cases and their staff involved may come into the public domain as a result of any Police press release, or via any criminal case brought against a hacker. Information disclosed via public court proceedings, detaining of witnesses and what they say, will be reportable by the media (under the protection of privilege, with regards to defamatory allegations aired in court). A company should therefore take advice before any disclosures (and before any court appearance by the defendant) on whether an application for reporting restrictions can be made and what it can cover to protect the privacy of those involved or confidential information belonging to the company.
The GDPR enhances and creates new rights for data subjects (customers, employees etc.) allowing them to better control the use of their data including, broadly, the right to be informed, not to be subject to certain kinds of profiling and rights of access, rectification, restriction, erasure, objection and portability. Failing to comply with these rights, on an individual or mass basis, has the potential to create adverse coverage which is damaging to a company's reputation or result in high-profile costly litigation.
There are a number of routes to the press for stories about alleged failures to comply with data subject rights:
Post GDPR, actions brought collectively by a large number of data subjects, whose rights have been breached by a company, via Group Litigation Orders, are likely to increase. This is because the cost of such litigation can be pooled and evidence, knowledge and litigation risk shared. The recent case of Various Claimants v WM Morrisons Supermarket PLC (and its appeal) is a prime example (which followed the criminal trial of an employee involved in unlawfully processing the employee data concerned). In this case, 5,518 employees/former employees sued for breach of the Data Protection Act 1998, as well as misuse of private information and breach of confidence. The Judge held that Morrisons was vicariously liable for the actions of its employee. The Court of Appeal upheld the decision on appeal. This decision can only widen the risk for corporate data controllers post GDPR, subject to the specific facts of the case.
A civil claim for damages by, for example, 10,000 data subjects for £1,000 each could, if successful, have a major financial impact (in terms of costs and damages pay outs) as well as a reputational one. Companies should approach and manage data litigation (as with any public litigation) carefully and obtain appropriate specialist advice as this will help manage corporate reputation.
Regulatory access can also have a damaging impact on a company's reputation. Under the GDPR, data controllers are required to report a data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects. If a notification is made after the 72 hour period has expired, the data controller must explain the reasons for the delay. It has been suggested that the point at which the data controller becomes aware of a breach is when the controller has a reasonable degree of certainty that a security incident leading to a personal data breach has taken place. This means there may be a short period of investigation during which the controller is not regarded as being aware and before the clock starts ticking. It is during this period that a company should be establishing the facts and details of the breach (which can take time) and taking advice on protecting its reputation. This is particularly so as it is possible that the Regulator will publish a statement confirming the fact of such a report and details of the breach.
Where a data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller must communicate the breach to the data subject without undue delay – which means as soon as possible – or they may be required to do so later by the relevant authority. Although this is a higher threshold to meet than the one requiring a report to an authority, once a breach is reported to data subjects, the fact of the breach and its details have arguably entered the public domain. It is also more likely that the breach will come to the attention of the media (as sourced by an angry data subject), triggering enquiries from a journalist (as discussed above). Notification decisions are, therefore, very important to protecting corporate reputation after a breach and advice should be taken on whether any of the exemptions to notifying data subjects apply:
Moreover, if the relevant authority commences a regulatory investigation into allegations that the company has breached data protection law, it is likely that a decision of that authority will be published at some point following the conclusion of the investigation, including details of failures and any sanctions levied. The publication of such decisions, or of an official press release summarising the details (including potentially defamatory allegations), findings and sanctions, will be reportable by the media.
Therefore, it is very important that a company obtains specialist representation when engaging with an authority investigating a company's alleged breaches of data protection law. Even better still, a company should take legal advice on compliance issues and obligations and technical advice on security arrangements to be able to prevent rather than cure a data breach.
If you have any questions on this article please contact us.
Are NDAs still an effective or realistic legal tool to use when settling disputes involving unproven allegations? If they can't be enforced, what are they worth?
1 de 4 Publications
The 'right to be forgotten' in the context of EU data protection law, is something of a misnomer; it is, in fact, a qualified right to the erasure of personal data. While it does not afford individuals with a blanket right to have their personal data erased or forgotten (except in relation to direct marketing), it is an essential weapon for individuals in the wider privacy arsenal.
3 de 4 Publications
Defamation and privacy law were the traditional bread and butter of English media law claims.
4 de 4 Publications