Frances Eaton, underwriting manager, professional risks north, Tokio Marine HCC, says companies and directors need to be aware of the requirements of new data law
On 25 May 2018, the much-publicised European General Data Protection Regulation (GDPR) came into force. Designed to improve the use and storage of European Union (EU) citizens’ personal data, GDPR gave people the right to access that data, a limited right to remove or correct it, and strengthened their right to object to direct marketing and profiling. GDPR doesn’t just apply to organisations operating within the EU; any company holding or processing EU citizens’ data must comply. Firms that don’t comply face fines of up to €20 million, or 4% of their annual worldwide turnover, whichever is greater. This is substantially higher than the previous UK maximum penalty of £500,000.
Also introduced was the lesser-publicised UK Data Protection Act (DPA). The act states that the management team can be liable for criminal acts under GDPR and, to further increase their liability exposures, the Information Commissioner’s Office (ICO) is keen to make individual directors personally responsible for cyber breaches. Never before have directors and officers had to carry the weight of such liabilities, which is why they must urgently address any potential exposures.
In the UK, data breach complaints between 25 May and 3 July 2018 soared by 160% compared with the same period in 2017 and cyber-attacks continue to escalate. At the start of the year, the ICO fined Carphone Warehouse £400,000 for a personal data breach involving more than 3 million customers and 1,000 employees. At the end of August, T-Mobile revealed hackers had gained access to 2 million US customers’ details, and in September British Airways reported that online criminals had stolen the personal details, including financial details, of almost 400,000 customers.
Risk managers must educate boards about GDPR, their obligations and the consequences of failing to act quickly, and must work with IT and marketing to understand what personal data is held, and how it is used and protected. If a business shows it takes cyber security seriously and has robust defences in place, it is protecting the personal liabilities of its directors and officers as well as the interests of customers.
Given the financial impact of major data breaches and the move to hold individuals accountable, directors should be equally concerned about their fiduciary obligations. While an effective Directors’ and Officers’ (D&O) policy that doesn’t contain specific exclusions will cover a data breach, only time will tell if there are successful D&O claims as a result of GDPR non-compliance. Even if a claim isn’t successful, D&O insurance can cover the cost of mounting a defence.