Rebecca Toman and Caitlin Harris explore the series of high-profile cyber attacks targeting British organisations, most recently retail giant JD Sports Fashion Plc who announced in a statement to the London Stock Exchange on 30 January that they had been the target of a large-scale cyber incident. JD Sports reported that the attack has resulted in the unauthorised access of information relating to ‘approximately 10 million unique customers’ of JD Sports, Size? Millets, Blacks and Scotts.
Chief Financial Officer of JD Sports Neil Greenhalgh advised customers to ‘be vigilant about potential scam e-mails, calls and texts’ and confirmed that JD Sports are conducting a ‘full review of our cyber security in partnership with external specialists following this incident’.
This attack follows ransomware attacks against Royal Mail in January causing nationwide disruption, and The Guardian in December 2022. According to the UK National Cyber Security Centre (part of GCHQ), there were more than 60 ‘nationally significant’ attacks last year. It is as yet unclear how hackers obtained access to JD Sports’ systems.
Potential Liability
UK Information Commissioner’s Office (‘ICO’)
Under UK GDPR and the Data Protection Act 2018 (‘DPA 2018’), a series of obligations are placed on a Data Controller/Processor. If a failure to comply with data protection principles is found following an investigation, the ICO are capable of issuing two tiers of fines with higher maximum penalties of up to £17.5 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher. The ability of the ICO to serve fines is set out in Article 83 UK GDPR.
The ICO issued five monetary penalty notices in 2022 and as set out in their Regulatory Approach for 2022-2025, the focus is on areas ‘where non-compliance could do the most harm’. In 2022, a British construction group were fined £4,400,000 for a failure to keep personal information of staff secure after the personal data of 113,000 employees was accessed by hackers through a phishing email]
Claims made by data subjects for breaches of UK GDPR / DPA 2018
A data subject whose personal data has been compromised due to a breach of UK GDPR obligations can bring a direct claim against a Data Controller and/or Processor. Liability arises under Article 82 of the UK GDPR to pay compensation for damage caused by processing. This damage can be material, monetary damage and/or non-material damage such as distress. Group litigation is often seen in these cases. However the Controller and/or or Processor are exempt if they can demonstrate they were in no way responsible for the event giving rise to the breach.
Contractual Liability
If a contract is in place which sets out the data protection obligations between the Data Subject and the Data Controller/Processor, or between a Controller and a Processor, an action for breach of contract may be brought.
Taking preventative action
While organisations in industries such as retail that hold large quantities of customer data are prime targets for hackers, any data processor should be aware of the risks and ramifications of a cyber attack.
Key preventative steps
- Ensuring data protection policies and best practices are robust and up to date – this is essential to protecting your customers and company.
- Engage third party companies to undertake penetration testing and similar.
- Educate the workforce about the risk of malware.
- Developing a comprehensive incident response plan which can be actioned in the event that your organisation is successfully targeted. Organisations should maintain a proactive and reactive plan which includes identification, response, reporting and adaptation to prevent future cases.
- For Data Subjects, vigilance and knowledge of your data rights is essential to keeping your information secure in an increasingly savvy digital world.
- The ICO’s guidance is that organisations should regularly ‘monitor for suspicious activity and investigate any initial warnings; update software and remove outdated or unused platforms; update policies and secure data management systems; provide regular staff training; and, encourage secure passwords and multi-factor authentication.’ The ICO Commissioner’s view is that ‘the biggest cyber risk is complacency, not hackers’.
Steps to regain control and protect your reputation after a cyber attack
Of course, preventing a cyber attack from ever successfully taking place is the best practice for all companies and cyber incidents like that suffered by JD Sports may serve as a wake-up call to organisations.
Nevertheless, should a cyber attack occur there are immediate steps to take where the security of personal data may have been compromised:
- Identify and close down the breach. This may require input from law enforcement, cyber experts and forensic experts. The National Cyber Security Centre can provide support and incident response assistance to mitigate harm. Ensure that all evidence is preserved.
- An incident in the UK must be immediately reported to the ICO as the Data Regulator (or within 72 hours of becoming aware of the data breach). If the breach has affected individuals in other countries, identify local laws and procedures in those jurisdictions. Identify what type of data has been accessed and to what extent. Identify any other obligations, for example there are specific reporting requirements for financial and essential services. Identify any contractual obligations which require you to report to third parties.
- The ICO reminds organisations of its advice not to pay a ransom in cases of a cyber attack involving ransomware as doing so does not reduce the risk to individuals.
- Clear and effective communication with Data Subjects (who are potentially at risk) and stakeholders is essential to protecting the reputation of an organisation in the aftermath of a cyber attack and ensuring confidence is maintained. While any organisation can be targeted, thorough preparation and a robust incident response plan can set a company apart and turn a potential disaster into a demonstration of strength and responsibility.
- Work with in-house or third-party agencies to ensure quick, consistent and transparent messaging.
- Conduct a post-incident review.
As the use and complexity of technology deployed by organisations around the world continues to increase, so will the frequency and sophistication of cyber attacks designed to illegally harvest valuable data. An awareness of the risk and vigilance is key to preventing a successful attack for Data Controllers/Processors and Data Subjects alike, along with a detailed knowledge of data protection obligations for Controllers/Processors and the rights of Data Subjects.
How we can help you
We regularly assist and work with our clients at all stages of data security breaches including advising on:
- Preventative measures
- Best practices
- Dealing with adverse publicity
- Transparency of messaging post-attack
If you need advice on a similar problem, get in touch with us at [email protected].