Mitigating a Data Breach: Insider Threats - Episode 2 - what are the regulatory, supply chain and employment law impacts?


Welcome to the second episode of our Mitigating a Data Breach: Insider Threats podcast series. In this series of 3 podcasts, members of the Travers Smith Cybersecurity team, Technology & Commercial Transactions Partner James Longster, Employment Partner Adam Wyman and Dispute Resolution Senior Counsel Rachel Wilson, take a look at what happens in the aftermath of a data breach. They focus on cybersecurity threats originating from within an organisation or its supply chain and discuss how to mitigate their impact. 

In this second episode, James, Adam and Rachel look at the regulatory implications of a data breach, including notification requirements, and the potential impacts from an employment law perspective, where incidents are caused by your employees.

"Mitigating a Data Breach: Insider Threats" is a short series hosted on From Travers Smith, a collection of podcast episodes and audio versions of our briefings across a broad range of topics, from asset management to technology via CSR and ESG.



Disclaimer: Transcripts are autogenerated and so may not be 100% accurate. For corrections please contact us.

James Longster 00:00:04:01 - 00:00:23:02
Hi. I'm James Longster, a partner in Travers Smith's commercial, IP and technology department and part of Travers Smith's cybersecurity group. In the first episode of our podcast series Mitigating a Data Breach: Insider Threats, we discussed the reasons why you shouldn't let insider threats fall below the radar and what preparation can help mitigate the impact of a data breach.

James Longster 00:00:23:13 - 00:00:41:10
In the second episode, we're going to look at the regulatory backdrop and then given the insider threat focus, we're going to move on to look at supply chain issues and what action you might take against an employee who has caused a data breach. Once again, I'm joined by employment partner Adam Wyman and Rachel Wilson, who is senior counsel in our dispute resolution department.

James Longster 00:00:43:01 - 00:01:09:06
So if a data breach has occurred involving personal data, what are the principal pieces of legislation that are relevant if this situation arises in the UK or the EU? Well, the UK GDPR and the Data Protection Act 2018 will apply to companies established in the UK or who sell to or monitor individuals in the UK. And similarly, if you have operations in the EU or you sell to or monitor individuals in the EU, then the EU GDPR will also apply.

James Longster 00:01:09:12 - 00:01:34:00
And of course, it's always going to be important to consider local laws in other jurisdictions where you have a presence. But in addition, you also need to think about sector-specific cybersecurity legislation that may apply. Now, I'm not going to go into all of them now, but for example, if you operate an essential service or are a relevant digital service provider in the UK, then the Network and Information Systems Regulations 2018 will apply, and for financial services businesses...

James Longster 00:01:34:00 - 00:01:46:06
The FCA Handbook and the PRA Rulebook set out further requirements. It's also important to remember that if you're a listed business, you may also need to consider general requirements to notify the market regarding price-sensitive information.

Rachel Wilson 00:01:47:05 - 00:02:16:12
Thanks, James. So, the upshot is that you may be facing off to more than one regulator in more than one jurisdiction, and we'll come back to that scenario in a moment. Firstly, we've mentioned notification obligations in passing, so I suggest we quickly take a closer look at those. Say the worst happens. You've identified a vulnerability, you've locked it down, you know what's been accessed, whether it's personal data, whether it's special category data or sensitive data like credit card details, you know what's happened to it and you know where it's gone.

Rachel Wilson 00:02:17:02 - 00:02:41:11
That's obviously an idealized scenario and actually it rarely works like that. In practice, you'll often be dealing with unclear and incomplete information, and it's increasingly likely to relate to an incident in your supply chain rather than your own organization. Nevertheless, you need to build this picture quite quickly to assess risk and to decide whether notification is required. James, when and in what circumstances are you required to notify a regulator?

James Longster 00:02:42:14 - 00:03:04:06
Well, if personal data is involved and we're talking about notifications to the regulator, under the UK GDPR there's an obligation on the data controller to notify the ICO no later than 72 hours after having become aware of the personal data breach, unless that breach is unlikely to result in a risk to the individuals. They're also required to notify the individuals without undue delay...

James Longster 00:03:04:11 - 00:03:26:12
...if the personal data breach is likely to result in a high risk to the individuals. So there's a lower threshold for notifying the ICO than for notifying the impacted individuals. The ICO and the European Data Protection Board have each issued separate guidance on notification, and the decision whether to notify is not necessarily straightforward and is definitely an area that your legal team can help guide you through.

James Longster 00:03:27:04 - 00:03:55:03
As I mentioned earlier, depending on the sector and jurisdictions in which your business operates, it's quite likely that you may have multiple separate notification requirements. It's also worth bearing in mind that if there's cybercrime, you should also be thinking of reporting it to the National Cyber Security Centre and to the police. So in summary, it's a fairly complicated matrix of things to think about, which is why, as I mentioned in episode one of this series, it's so important to have a plan in place as a framework to deal with all of this in the relevant timescales.

James Longster 00:03:55:03 - 00:04:03:08
And being transparent and notifying regulators promptly is also likely to help as a mitigating factor when it comes to any enforcement action. So it's important to get it right.

Adam Wyman 00:04:04:01 - 00:04:22:15
And there are, of course, other decisions to think about as well on that, such as whether anything will be offered to data subjects. And by way of example, we heard previously about the cost to Morrisons of putting in place identity protection measures, the sort of thing that, as an employer, if the data subjects are your employees, you might want to be thinking about here.

Rachel Wilson 00:04:24:04 - 00:04:49:09
Yes, that's right. Adam and I briefly mentioned in the last episode the fact that cybersecurity incidents often occur in the supply chain. In recent years, we've seen that becoming increasingly common. However, the UK Government's 2022 survey found that only one in ten businesses assess the cyber security risk posed by their immediate supply chain, though that figure was quite a lot higher, at 34%, in the financial services sector.

Rachel Wilson 00:04:50:05 - 00:05:05:07
Unfortunately, there isn't time in this episode to do a deep dive on supply chain risks, but we would emphasize that undertaking thorough due diligence on your suppliers and ensuring that your contracts have robust provisions around data security is extremely important.

James Longster 00:05:05:07 - 00:05:24:12
I completely agree with that, Rachel. Ideally, you want to aim for an environment where your suppliers are telling you quickly about incidents and near-misses and then working with you to resolve them. And of course, it's also important for your contracts to back up that cycle of cooperation. You're effectively looking for a fix-first approach; identifying responsibility, for instance, will obviously come later.

Rachel Wilson 00:05:25:14 - 00:05:47:02
Agreed. It's wise to bear in mind that there will be those liability discussions further down the line, and I'd encourage keeping this in mind throughout, particularly in terms of record keeping, etc. However, obviously your first priority should be on containing the immediate fallout of any breach. Adam, what should a company do if it transpires that a cybersecurity breach has been caused by an employee?

Adam Wyman 00:05:48:15 - 00:06:06:14
Well, the key issue there is that this is likely to be a disciplinary matter. But before you can begin a disciplinary process, you would need to conduct an investigation, even if you're pretty clear who the culprit is and fairly certain they did it. There needs to be a formal investigation to assess whether there really is a disciplinary case to answer.

Adam Wyman 00:06:07:11 - 00:06:35:02
So you need to appoint someone independent, either within the organization or externally to conduct the investigation. And we often get asked by clients to conduct these sorts of investigations as external counsel, both the initial investigation into the data breach that I mentioned in the previous episode and the disciplinary investigation itself. And in fact, if you're getting an external investigator in to look at the original data breach, it can often be possible to leverage their work for the purposes of any subsequent disciplinary action.

James Longster 00:06:35:02 - 00:06:42:04
So Adam, what would be the driver for appointing someone external like Travers Smith to conduct the investigation rather than doing this in-house?

Adam Wyman 00:06:42:14 - 00:07:03:09
Well, usually it depends on the seriousness of the breach and also the stakes for the company. Appointing someone external gives credibility to the investigation, and that's important so the employees have confidence in the outcome, but also, say, a regulator wants to see that the company has done the right thing or an investor wants to scrutinize the investigation.

Adam Wyman 00:07:03:09 - 00:07:33:04
And we see lots of examples of investors criticizing businesses for not investigating things properly. And the other advantage of having a lawyer conduct the investigation is the potential to claim privilege over the investigation, interviews and final report. You need to consider this carefully. Those privileges won't always apply. If the investigation is a simple fact find, which it usually is, it's unlikely to be privileged, even if conducted by a lawyer. Privilege would usually only apply if the main purpose of the investigation is to seek legal advice on whether there's been a breach of the law and how to fix the situation.

Adam Wyman 00:07:33:04 - 00:07:41:04
And often you actually want to claim privilege over an investigation because you want to show a court, tribunal or regulator that you've done a thorough investigation.

Rachel Wilson 00:07:42:00 - 00:07:44:11
And should you suspend the employee while this is happening?

Adam Wyman 00:07:45:12 - 00:08:08:03
It's a good question, Rachel. I mean, you'd certainly think very seriously about suspending the employee. There's no automatic obligation or right to suspend. So you need to think carefully about whether it's the right thing to do and whether you have justification for doing so. And in fact, you might think about things like the risk of someone tampering with evidence or the potential leak of confidential information or more personal data.

Adam Wyman 00:08:08:10 - 00:08:23:09
But where you suspect an employee has deliberately or even negligently caused a data breach, I think you would normally feel that's sufficient justification for suspension. You'd want to at least block their systems access to prevent further breaches or tampering with evidence while you investigate.

James Longster 00:08:25:05 - 00:08:35:14
Okay. So if your investigation suggests the individual has deliberately caused the data breach or perhaps even been negligent, presumably you would want to take action to show you've taken this seriously.

Adam Wyman 00:08:36:07 - 00:08:58:11
Absolutely. This would all be part of your response to the breach. And this would certainly be a disciplinary issue. There are some points of process to think about in doing so. After you have conducted your investigation, you would then need to invite the employee to a formal disciplinary meeting. This is really so that the allegations can be put to the employee and the employee has a chance to put forward their case, including any mitigating circumstances.

Adam Wyman 00:08:59:06 - 00:09:22:06
So you would need to appoint another manager to conduct this disciplinary meeting, again someone who has not previously been involved in the investigation or the matter generally. Once you've had the meeting, that manager will go away and consider everything that the employee has said and all the other evidence to come up with a decision. They need to decide whether the employee is guilty of the alleged misconduct and, if so, what the appropriate sanction will be.

Adam Wyman 00:09:23:01 - 00:09:38:03
A deliberate data breach would usually constitute gross misconduct and justify dismissal. But if it's negligence, then there's more of a range. So it could be anything from a warning, perhaps with some corrective measures, up to dismissal, but it will very much depend on the precise circumstances.

Rachel Wilson 00:09:38:06 - 00:09:47:06
There's also the question of whether the employer will be vicariously liable for the actions of the employee, and that was the question that was put before the Supreme Court in the Morrisons case.

Adam Wyman 00:09:48:01 - 00:10:12:02
Yeah, that's right, Rachel. I mean, this is the case we discussed in the last episode about the disgruntled employee who copied payroll data of 100,000 employees onto a USB stick. And one of the issues for the court was whether Morrisons was vicariously liable for the actions of the employee, i.e. whether Morrisons effectively stepped into the shoes of the employee and is liable for their actions as though it was the company itself that had done this.

Adam Wyman 00:10:12:13 - 00:10:34:04
What's interesting about this case is that both the High Court and the Court of Appeal initially ruled that Morrisons was liable for the employee's actions, but the case went all the way to the Supreme Court, which ultimately ruled that Morrisons was not vicariously liable. And it was a bit of a surprise, actually. Vicarious liability is all about how closely connected the employee's actions are to the job they're employed to do.

Adam Wyman 00:10:34:13 - 00:10:54:00
The employee in this case was an internal I.T. auditor, and he'd been specifically asked to provide the payroll data to Morrisons' external auditors. So you can see why the High Court and Court of Appeal said his role was specifically to handle this information. So he'd been entrusted with it, and the fact that he leaked it was closely connected to his role.

Adam Wyman 00:10:54:09 - 00:11:19:11
But fortunately for employers, the Supreme Court said no: just because the employee's role gave him the opportunity to commit this kind of misconduct did not mean Morrisons should be on the hook for it. Yes, he'd been entrusted with the data, but he downloaded the data onto a USB stick, took it home and posted it to the internet from his personal computer using a fictitious account, all because he had a personal vendetta against the company.

Adam Wyman 00:11:19:11 - 00:11:25:01
So it was not right in the view of the Supreme Court that the company should be responsible for his actions.

Rachel Wilson 00:11:26:04 - 00:11:39:10
It would be interesting to see what the court's decision would have been if the data breach had occurred during work time from the employee's own work computer. I think the question then becomes what can employers do to avoid liability in these sorts of scenarios?

Adam Wyman 00:11:39:10 - 00:11:59:04
Yeah, I think that's right. And that's why these things are very fact specific. I think what employers can do, well, I think it comes down to your data protection compliance. And as you mentioned previously, the ICO had investigated the incident and Morrisons was found to have had appropriate technical and organizational measures to prevent unlawful use of personal data.

Adam Wyman 00:11:59:09 - 00:12:12:00
And the Supreme Court agreed that Morrisons had complied with the Data Protection Act. And I think probably that went a long way towards the court saying, well, there wasn't really any more Morrisons could have done here to guard against a rogue employee.

Rachel Wilson 00:12:13:10 - 00:12:40:09
Yes. And as well as the liability position, you will, of course, have to think about how to get data back and to guard against further misuse of that data. So we've seen instances where employees have taken client lists or have banked their employer's confidential information by sending it to their private email accounts. And we quite often work on cases together to help clients to recover data taken by current or former employees, for example, by requiring that the data is returned,

Rachel Wilson 00:12:40:13 - 00:12:52:02
preparing undertakings regarding non-use of that data, advising that I.T. equipment is made available for forensic review, etc., all with the threat of High Court action if employees don't comply.

James Longster 00:12:53:05 - 00:13:13:08
Yeah, that's right, Rachel. We absolutely help with all of those situations. I think all of this just goes to reemphasize the importance of thinking about your measures for people who are handling lots of personal data, either on a regular basis or for specific projects, because firstly, they're likely to be the greatest risk of a data breach. And secondly, you're more likely to be vicariously liable for their actions.

James Longster 00:13:13:14 - 00:13:29:02
Our recommendation would be to keep a close eye on the access rights that you give staff and seek to maintain a least-privilege environment. So, for example, you might want to consider monitoring for suspicious activity, such as unusually large data downloads and the use of an unknown USB device.

Adam Wyman 00:13:30:07 - 00:13:53:01
I guess the Morrisons case also shows that where you have a data breach, regulatory action by the ICO is only one of the possible consequences you have to worry about. You could also face claims from employees or clients or customers whose personal data has been disclosed. We'll come back to this in the next episode, when we look at the types of regulatory action and civil claims that your business might face following a data breach.

Adam Wyman 00:13:53:07 - 00:14:02:04
But that's all for now. So from James, Rachel and me, thanks for listening and please join us again soon for the next episode in the series.
