1 June 2021
Data breaches – 4 of 5 Insights
Michael Yates looks at information likely to come into the public domain about an ICO investigation into a data breach and how to reduce the risk of reputational damage.
Traditional forms of bad publicity following a data breach, whether from angry customers, disclosures by cyber attackers or group litigation, are all too clear these days, and we have previously written about these here. But what about publications and communications by the regulator? They can be just as damaging, so is there any means of control?
Following a data breach, a data controller has to decide whether to notify the ICO within 72 hours of becoming aware of it pursuant to Article 33 of the UK GDPR. If the decision is to notify, in terms of crisis communications, this can be the first formal communication about a company's involvement in a data breach incident and can sometimes trigger an ICO investigation. The conduct and outcome of this investigation create a reputational risk for the data controller company.
Aside from the regulatory risks and potential fines, an ICO investigation can in itself become a source of reputational damage to a business. The ICO has a vast communications apparatus available to it and its methods of publication include:
These are all potential sources of reputation risk for data controllers under investigation by the ICO.
Announcements and decisions by the ICO about culpability for, or conduct of, a data breach incident are also reportable by the media under the protection of statutory qualified privilege, as long as this is done fairly and accurately. This means that the media can repeat whatever the ICO says without fear of a defamation action, and makes disclosures about incidents or investigations by the ICO and what it says about companies very important.
So is the ICO bound by any law or policies when it comes to communications about investigations?
Section 132 of the Data Protection Act 2018 states that "a person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner" must not disclose information obtained by, or provided to it in the course of, or for the purposes of discharging its functions, that relates to an identified or identifiable individual or business, and that is not available to the public from other sources at the time of the disclosure, and has not previously been available to the public from other sources. It is an offence for a person to knowingly or recklessly disclose such information. This rule applies unless the disclosure is made with lawful authority, which is a large caveat.
Section 132(2) states that a disclosure is made with lawful authority only if and to the extent that it falls within one of six grounds in sub-paras (a) – (f), which state:
In addition to this statutory restraint, there is a corresponding ICO policy entitled the Communicating our Regulatory and Enforcement Activity Policy (2019) (Policy). It states:
"Communicating information about our work may include:
This sets out the broad remit of potential disclosures and publications which the ICO may make about the fact of an investigation (formal or informal), its progress and the outcome. However, making disclosures about the progress of an investigation appears to be tempered by the following:
"If our work to consider a particular matter or issue is not yet complete, there may be limits to how open and we can be without prejudicing our regulatory work. It is also important that organisations should feel confident they can discuss certain matters with us in confidence, where this is appropriate".
This suggests that if an investigation is incomplete, the ICO is likely to limit disclosure if it would prejudice an investigation or inhibit those being investigated from communicating. However, an ICO investigation can be a long process involving information which evolves over time, so at what stage of an investigation is a disclosure likely and what might be disclosed?
Several factors appear from the Policy regarding what might be said by the ICO and at what stage of an ICO investigation.
From the Policy, confirmation from the ICO that it is involved in an investigation is likely, but on a reactive basis (ie in response to a journalist's enquiry). It states:
"Our default position is that there is generally likely to be a legitimate public interest in being open about the issues we are considering and the organisations involved. We would not typically provide a running commentary on our investigations or discuss our progress, but we would generally be content for it to be known that we were investigating a matter or incident with a commitment to share appropriate information about the outcome, once it is known".
What might be said? The Policy later states that, if asked about self-reported incidents and concerns reported to it, the ICO would typically confirm that it is looking into a particular matter about a named organisation, but would only provide basic information about the concern to avoid prejudicing the investigation. Therefore, if a case is at the investigation stage, then only reactive disclosure to those who ask seems likely, unless the investigation is of significant public interest. From a media perspective, that could mean that if a journalist approaches the ICO for comment about a case as part of an article they are preparing, the ICO may disclose the fact they are involved (which can be significant in itself) together with basic information.
Whether further information will be disclosed about the outcome of an ICO investigation then appears to depend on whether the investigation is formal or informal.
If it's formal, disclosure of the outcome is likely and the Policy states:
"By 'formal regulatory outcomes' we mean those where we serve or issue some form of notice, reprimand, recommendation or report following our regulatory work. Our default position is that we will publish (and, where appropriate, publicise) all formal regulatory work, including significant decisions and investigations, once the outcome is reached".
If it's informal, the ICO will make a decision on a case-by-case basis and acknowledges that there is a balance to be struck. The Policy makes it clear that "informal" in this context means an investigation that does not result in serving formal notices, reports or decisions and where the ICO seeks to discuss, educate, negotiate or influence standards of information rights practice and compliance to promote good practice.
The Policy describes factors which might support disclosure, such as whether there is an opportunity to educate or prevent a breach of the law, whether the issue is new or ground-breaking, whether disclosure would not prejudice an investigation or be likely to deter others, whether the ICO's involvement is already in the public domain and whether there would be reputational risks to public confidence if the ICO did not publicise. Further details are on pages 3 and 4 of the Policy.
The Policy describes factors which might prevent disclosure, such as:
It also appears from the Policy that disclosures will depend on the action taken by the ICO, but examples in the Policy are vague, stating that cautions, warnings or reprimands "may be published if noteworthy or if it will help promote good practice or deter non-compliance". There remains a risk if no remedial action is taken as the Policy states that the ICO may publish or publicise information highlighting practice improvements in information rights after complaints and incidents are reported, which will include naming organisations "if the public interest warrants it". This may provide some comfort to organisations under investigation which may not be facing remedial action in relation to commonplace data compliance issues.
In short, if the ICO takes action, the ICO may publish information and that will involve naming and shaming the data controllers. The likelihood of this happening if they are given a warning, reprimand or caution appears to be lower.
The Policy states that, depending on how formal the regulatory activity is, and the type of information involved, it may be appropriate to inform, consult or seek the consent of the organisations named in its communication before publishing it. This is very important if any action is to be taken.
Despite the statutory restraint under the DPA 2018, the caveat and the Policy provide considerable scope for making disclosures across the ICO's broad communications apparatus, which can be very damaging to a data controller's reputation.
Recommendations for mitigating this reputation risk are:
To discuss the issues raised in this article in more detail, please reach out to a member of our Data Protection & Cyber or Reputation Management & Privacy Protection teams.