
GDPR Puts Cybersecurity Responsibility on Businesses

By Travelers
Last updated 1 May 2020

The UK’s highest court has spoken: After six years of legal proceedings, supermarket group Morrisons is not liable for the actions of a disgruntled employee who, in 2014, leaked payroll information of around 100,000 staff. The ruling overturns previous judgments in which Morrisons was found liable for compensation claims made by the staff whose information was leaked online.

But the ruling shouldn’t give companies a false sense of security. Why? All companies acquire information about their employees, whether it’s their salaries, personal contact information or even health information. That information can easily be compromised – even in cases where it isn’t intentionally leaked. Think how easy it would be for an employee to email the wrong recipient, or to accidentally store data on a USB drive and then lose the device.

When the Morrisons data breach occurred, the General Data Protection Regulation (GDPR) was not yet in effect. Under GDPR, it doesn’t matter if a business leaked information accidentally or not. If it holds private information about an individual and that information is released, it is going to be held responsible. And that means taking prompt action as required under GDPR.

If a breach of sensitive employee information were to happen to an employer today, it would play out much differently. Under GDPR, whether or not the employer is civilly liable for damages to affected employees, it would absolutely be responsible for notifying the Information Commissioner’s Office (ICO) within 72 hours of the breach, as well as potentially notifying the individuals themselves.

That’s where a cyber insurance policy can come into play and provide important benefits.

How cyber cover stands apart

In the aftermath of a breach, a good cyber insurance proposition will help initiate a forensic investigation into the incident to determine the extent of the breach and what data has been compromised – tasks that are difficult for an employer to accomplish on its own when a disgruntled employee isn’t forthcoming and time is critical.

Beyond covering the costs of the initial forensic investigation, a cyber policy provides post-breach guidance from a solicitor with expertise in data privacy regulations. That guidance helps a business determine its legal responsibilities under GDPR and covers the cost of drafting, and sending, any required notification to the ICO. The expenses can add up quickly – even for a company that has done nothing wrong.

The same is true for any reputational damage a company suffers after a breach. Even if a company has not been negligent, it can experience negative and costly press following a breach. A dedicated cyber policy covers the cost of hiring a public relations firm to mitigate negative press, regardless of whether the company was negligent. (Professional indemnity policies, in contrast, often require employer negligence to trigger coverage for public relations costs.)

Cyber cover can protect against additional losses. It can insure a company’s lost business if customers decide to take their business elsewhere after a breach. It can also cover the defence costs a company accumulates when facing employee claims – even when the final judgment favours the employer.

GDPR holds a company responsible in the event of a breach, regardless of whether the company has been negligent or has done everything perfectly to protect its business.

The advantage of a cyber policy is that it is not triggered by any negligence, but simply by a breach. It will respond to the incident – and provide a range of services to help a business meet legal requirements and get back on track – regardless of how the breach happened.
