This presentation explores the risk facing any charity or business that does not give adequate thought to the protection and security of one of its most treasured assets: its website and the personal data behind it.
2. LEGAL IMPLICATIONS OF A CYBER ATTACK
Introduction
Charities are the fourth most likely category of organisation to fail to
protect others' data (behind health, local government and
education)
- in the six months to March 2015, charities suffered 53 data breaches
- more than double the number in the same period of the previous year
3. LEGAL IMPLICATIONS OF A CYBER ATTACK
Introduction
The WannaCry (WannaCrypt) ransomware worm affected
- up to 150 countries worldwide
- 48 NHS trusts and 13 other NHS bodies
Elizabeth Denham, Information Commissioner, 18 January 2017:
“We’re going to have to change how we think about
data protection”.
4. SETTING THE SCENE
• Charity: Permeable Trust
• Helps disadvantaged school leavers
• Information collected
  – the data subject's
    • age
    • sex
    • school
    • ethnicity
    • any health issues
  – donors'
    • contact details
    • bank account/credit card details
5. THE ATTACK
• Hackers from Russia break through the firewall
• Website built on WordPress, designed by
  web designer EzyPage
• Personal details passed to a junk mail sender
• Donors' bank account/credit card details
  offered for sale on the dark web
6. THE ATTACK
• Spoofed email sent in the name of the CEO
• Some employees open the attachment
• Ransomware encrypts files and locks the computer systems
• Message on screen: ransom of $5,000 in
  bitcoin to unlock the files
7. THE ATTACK
• Some contractors and volunteers receive the email
  at their own personal email address
• Their own laptops and home computers become
  infected
• They are unable to use their own computers
• Some pay the ransom: only half of their data and
  programs are restored
8. QUESTIONS
1. What action (if any) can the Trust take against:
a. hosting company, iHost?
b. the web designer, EzyPage?
c. its outsourced IT company, CharityWare?
2. What action (if any) can data subjects take, namely:
a. school leavers?
b. donors?
9. QUESTIONS
3. Can contractors and volunteers do anything?
4. What losses might the Trust suffer in terms of
5. What steps can the Trust take to protect itself from claims
and fines in the future?
10. QUESTION 1: WHAT ACTION CAN THE
TRUST TAKE AGAINST:
a) The hosting company, iHost?
• hosting agreement requires iHost to:
  • "take appropriate technical and organisational
    measures against accidental loss and unauthorised
    access to data" (Data Protection Act 1998, 7th Principle)
• iHost ought to bear some responsibility for the website compromise
• but the ransomware arrived by email, so if mail filtering was
  outsourced elsewhere (not part of iHost's service):
  o iHost could legitimately argue it did all it could
  o much will turn on the terms of the agreement
11. QUESTION 1: WHAT ACTION CAN THE
TRUST TAKE AGAINST:
b) The web designer, EzyPage?
• Is patching known vulnerabilities part of a
  developer's role, or a separate maintenance service?
• EzyPage may argue that it is WordPress'
  (or the plugin authors') responsibility
• Unless the contract says who keeps WordPress core, themes and
  plugins up to date, nobody will have done it
12. QUESTION 1: WHAT ACTION CAN THE
TRUST TAKE AGAINST:
• Look at the contract terms:
  o implied term under contract law to
    exercise reasonable care and skill
    (Supply of Goods and Services Act 1982, s.13)
  o failure = breach of contract
13. QUESTION 1: WHAT ACTION CAN THE
TRUST TAKE AGAINST:
c) The IT contractor, CharityWare
("CW")
• Trust is dependent on CW's choice of security controls
• Whether a cause of action lies depends upon:
  o any express contract terms
  o whether the attack was preventable using
    industry-standard mail filtering software
  o any implied duty to do so (as
    before: SGSA 1982, unless excluded)
14. QUESTION 2: WHAT ACTIONS CAN
AFFECTED DATA SUBJECTS TAKE AGAINST
THE TRUST?
a) School Leavers
Must show some kind of
detriment (damage or distress)
Trust could find itself on the wrong
end of a group (class) action:
if the average value of a claim is £1K
and there are 1,000 leavers =>
£1,000,000 claim
sensitive personal data (health, ethnicity):
aggravated damages
15. QUESTION 2: WHAT ACTIONS CAN
AFFECTED DATA SUBJECTS TAKE AGAINST
THE TRUST?
b) Donors
Claim similar to school leavers
Will have had to:
o notify bank/card company
o possibly change phone
  number(s)
o take other remedial action
Depending on number, value of
claims potentially high
16. COULD THE DATA SUBJECTS TAKE ACTION
AGAINST IHOST?
a) Current Law
iHost = data processor
No direct action possible against data
processor
b) General Data Protection Regulation
Data subjects able to bring action
against processors
Subject to fines/other enforcement
measures from data protection
regulator
17. QUESTION 3: CONTRACTORS AND
VOLUNTEERS: WHERE DO THEY STAND?
Contractors and volunteers are themselves data subjects:
their details sit in the Trust's HR database
Their losses happened as a result of a failure by the Trust
=> breach of contract if their contracts say anything about data protection
=> importance of limiting liability in those contracts
Contractors and/or volunteers should consider whether they have claims
18. QUESTION 4: WHAT OTHER LOSSES MIGHT
THE TRUST SUFFER?
a) Duty to Report
Charity must:
a) file a serious incident report (SIR)
   with the Charity Commission
b) if the breach is sufficiently serious, notify
   the ICO (voluntary under the Data Protection Act 1998;
   mandatory within 72 hours under the GDPR, Article 33):
   "serious"?
   where more than 1,000 records are
   involved or
   sensitive personal data has
   been compromised
19. QUESTION 4: WHAT OTHER LOSSES MIGHT
THE TRUST SUFFER?
b) Fines and Penalties
Under the Data Protection Act 1998
- fine of up to £500K
- other sanctions
Under the GDPR
- €20 million or
- 4% of global annual turnover,
  whichever is greater
Data subjects can also bring civil
claims
Recent Fines by ICO (All) *
2014: 9 fines, totalling £668,500
2015: 18 fines, totalling >£2m
2016: 21 fines totalling >£2m
2017 (Charities alone) 11 fines (so far),
£138K
* IT Governance website
20. QUESTION 4: WHAT OTHER LOSSES MIGHT
THE TRUST SUFFER?
c) Damage to Reputation
Consequences of data breach:
• TalkTalk
• British Pregnancy Advisory Service
=> severe impact on a charity’s continued ability to
operate:
current donors
potential donors
21. QUESTION 5: HOW CAN TRUST PROTECT
ITSELF IN THE FUTURE?
a) Secure Your Data (the points of failure in this scenario: keep WordPress
   core and plugins patched, filter inbound mail and train staff to spot
   spoofed emails, and keep tested offline backups so that no ransom
   need be paid)
b) Cyber Liability Insurance
c) Limit liability in contracts with hosts, designers and IT contractors
22. FURTHER INFORMATION
ICO Guide to Information Security
ICO’s Guide on Notifying Data Security Breaches
ICO Security Breach Notification Form
Thirteen Charities Fined in 2017 for Data Breaches
Cyber Liability Insurance Sample of Summary Cover
Sample Premiums for Cyber Liability Insurance
Data Protection Damages to Rise Exponentially
23. For further information about IP, IT and commercial law, please see the
following articles by the presenter on Stone King's website:
Ransomware: the cybercrime crippling businesses
How Can Charities Protect their Data in the Cloud
Ten Questions You Should Ask Your Cloud Provider
A Guide to the Consumer Rights Act
Brian Miller
Partner
IP, IT & Commercial
Stone King LLP
brianmiller@stoneking.co.uk
@theitsolicitor
brianmillersolicitor
BrianMillerSolicitor
+44 (0) 207 324 1523