Data Breach Response: Managing Liability
The stakes are high after a data breach. There is a clear and present danger of legal liability. In this article, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt provides guidance on managing liability following a data breach.

The primary role of the lawyer is to manage and mitigate liability. Senior management will focus on broader commercial issues. Legal advice will feed into that assessment, and senior management will need clear advice on the scale, variety and probability of liability.

For present purposes, we can divide potential liability into three broad categories.

Criminal liability

Criminal liability may arise because the circumstances in respect of the data breach may have resulted in the commission of a criminal offence. This can arise, for instance, if there is a statutory cybersecurity framework that applies to the business. Criminal offences can also arise for contravening an enforcement notice from a privacy regulator, obstructing the proper exercise by a privacy regulator of his functions, or knowingly making false or misleading statements to the privacy regulator[1].

The consequences of criminal liability can be severe. The persons who commit the offence are responsible, and this can include directors of the company. The outcome can result in criminal fines and potentially imprisonment.

Administrative liability

Most businesses will focus on administrative fining powers of regulators as a core concern[2]. This is different to criminal liability. You don’t go to prison if a regulator imposes an administrative fine. However, many jurisdictions have either adopted or are considering introducing turnover-based fining powers for privacy regulators[3]. The most notable trailblazer in this regard is the General Data Protection Regulation adopted in the EU. Administrative fines for certain matters under GDPR can be as much as 4% of global turnover. The potential impact of a fine of that magnitude is breathtaking. There have been some very significant fines imposed for data breaches under GDPR. For instance, in 2019, Google Inc. was fined €50,000,000 by the French courts on the grounds of insufficient legal basis for data processing in that particular matter.

If a data breach has already occurred, then there may be some breaches of applicable laws that may, in any event, result in an administrative fine. In the data breach response, though, it may be possible to mitigate the extent of those fines. It is important to consider the factors the regulator will take into account when assessing the level of the administrative fine. A prompt notification of the data breach, and a co-operative response to regulatory enquiries, can lead to positive comments in an investigation report, and perhaps to some mitigation of the level of administrative fine imposed. Co-operation does not mean waiving legal professional privilege. It means proper, prompt and responsible conduct in the context of the investigation.

Another important mitigating factor in the assessment of administrative fines is the extent to which the business has adhered to adequate policies and procedures to secure personal data from unauthorised access, use or disclosure. A regulator will assess those policies and procedures both on paper and in practice. Key factors that will be assessed include:

  • Have policies been communicated consistently and frequently to those who should know them?
  • Has there been adequate training and incident preparation?
  • Is the chain of responsibility in respect of information security adequately identified?
  • Is there accountability at the board level?
  • Has the business deployed adequate resources to support the policies and procedures in place?
  • Has the incident response team responded quickly and effectively?
  • Has the risk of harm to data subjects been promptly assessed and acted upon?

It will be difficult to achieve a positive outcome on an assessment of these factors unless there has been a systematic and consistent approach to information security before the data breach occurred.

Civil liability

Civil liability for data breaches can arise in a number of ways. Let’s focus on two – liability to a data subject for infringement of his individual rights, and liability to a contracting party.

A data subject may have an individual right under applicable data protection laws to bring civil claims for damages for his loss arising from the data breach. For instance, in Hong Kong, an individual can claim compensation from a data user[4] if he has suffered damage (including injury to feelings) by reason of a contravention of statutory obligations by a data user which relates to his personal data[5]. The challenge with claims of this nature is that it can be difficult to establish loss. The loss can be indirect or remote from the data breach itself. Consequently, the level of damages awarded per individual claim can be comparatively low. This acts as a disincentive to bringing claims.

Some jurisdictions have addressed this issue by prescribing the amount that is payable to an individual in respect of a data breach under an individual claim. Also, in some jurisdictions, the Courts may be amenable to class actions in which a group of plaintiffs in similar circumstances bring a claim together. Class actions may not be possible, or may be procedurally difficult, in some jurisdictions – including Hong Kong. These approaches are intended to address the concern that there must be effective policing and enforcement of compliance with data protection laws to achieve good data management and protection practices in business. An active civil jurisdiction giving individual data subjects effective rights of action should be a key element required to achieve this objective.

Perhaps contractual liability is, for the present, a more direct and impactful risk to a business. Commercial contracts frequently include covenants in respect of business continuity or data security. A data breach may have serious consequences for those contracting parties. There may be an inability to perform related contracts in the supply chain. There may be potential loss of business opportunity or business reputation of third parties arising from the data breach. A key priority for the legal team is to review contracts and assess the risk of claims for breach of contract arising from the data breach. The legal team will also need to assess other potential areas of legal risk, including the risk of claims arising under negligence.

Closing thoughts

The potential liabilities that may flow from a data breach are many, varied and complex. We have barely scratched the surface in this article. The mitigation of legal risk is the core and critical work of the legal team after a data breach. Inevitably, the business will need the help and support of experienced external legal counsel, and we, at Tanner De Witt, are here to help.

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Pádraig Walsh
Partner | E-mail

Nigel Stamp
Foreign Legal Consultant | E-mail

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.

[1] For example, see sections 50A and 50B, Personal Data (Privacy) Ordinance (Cap. 486) in Hong Kong.

[2] Though not yet in Hong Kong. The Privacy Commissioner in Hong Kong does not have administrative fining powers. This may change if announced legislative proposals are passed into law. See the Tanner De Witt article summarising the proposed changes here.

[3] See the Tanner De Witt article on the prospect of administrative fines in Hong Kong here.

[4] A data user is the approximate equivalent in Hong Kong to a data controller under GDPR.

[5] cf. section 66, Personal Data (Privacy) Ordinance (Cap. 486).