11 November 2020
Technology and data may empower the whole business. On the flip side, they can generate risks. As data use proliferates, all companies face the risk of data breaches. With increased enforcement action and more decisions in favour of claimants, we consider some of the regulatory and legal exposure which may follow a data breach.
Most organisations are concerned first and foremost with regulatory enforcement action following a data security incident. Although enforcement action is the more likely trigger for civil claims, the risk of follow-on civil claims by injured parties is equally real. Further, claimants may not always have to wait for enforcement action to be completed before commencing their own civil action.
According to statistics published on the PDPC’s website, the number of complaints received by the PDPC has steadily increased: 600 complaints were received in October to December 2018, compared with 1,700 in October to December 2019. The increased number of complaints to regulators indicates that individuals are more likely to bring civil claims. The following are also likely to contribute to increased exposure for corporations:
- Rising public awareness of data rights;
- Increased consumer expectations that companies should do the “right” thing;
- Increased enforcement activity around the globe; enforcement action by a regulator in one jurisdiction may prompt regulators in other jurisdictions to act similarly; and
- Increased adoption of digital platforms as a response to the pandemic.
Domestic Regulation
Regulators are increasingly focusing on cybersecurity and data privacy issues. While local regulators may have previously encouraged (albeit rather strongly) certain conduct, such conduct is now being hardwired as formalised requirements.
One noteworthy example is the introduction of a mandatory breach notification regime via the amendments to the Personal Data Protection Act (“PDPA”). With the amendments, organisations will be required to notify affected individuals and the Personal Data Protection Commission (“PDPC”) when a data breach results in, or is likely to result in, significant harm. While the timeline for notifying affected individuals is not specifically prescribed in days or hours, the PDPC must be notified within 3 calendar days from the day the assessment is made.
The maximum financial penalty under the PDPA will also be raised. It will be 10% of the organisation’s annual turnover, or 1 million, whichever is higher. In response to concerns that the revised maximum penalty might be unduly harsh, it has been indicated that the PDPC will ensure that the financial penalties imposed are proportionate to the severity of the breach.
Liability to private parties may also arise under local legislation. The PDPA expressly provides for a right of action for relief under civil proceedings for loss or damage directly as a result of a contravention of certain provisions of the PDPA.
Obligations may also arise under other regulations. For example, while the Cybersecurity Act is predominantly concerned with organisations that own or operate critical information infrastructure (“CII”), the Act still imposes obligations on companies that do not own or operate CII. All organisations are required to cooperate with the Commissioner in the investigation of cybersecurity threats and incidents. This includes having to produce any physical or electronic record or document, or to take such remedial measures, as directed by the Commissioner.
International and Extra-territorial Laws
Laws having an extra-territorial effect may also create potential liability for the victim corporation.
An increasing number of cybersecurity and data privacy regulations globally have extra-territorial reach. For example, the General Data Protection Regulation may apply to data controllers who do not have an establishment in Europe, and in certain circumstances, data subjects do not even have to reside in Europe to be entitled to protection.
Given that most major corporations tend to operate in more than one country, a cybersecurity incident is likely to trigger data privacy and cybersecurity-related regulations in more than one jurisdiction. This in turn means that the victim corporation must grapple with regulations (and regulators) in several jurisdictions. This underscores the importance of having a coordinated approach.
Direct Liability
As indicated above, the PDPA expressly provides a right to compensation for people who suffer damage as a result of an organisation’s failure to comply with its obligations in relation to the collection, use, and disclosure of personal data.
Disclosure in breach of a relationship of confidence could also give rise to liability. Once it is established that the information in question has the necessary quality of confidence and has been imparted in circumstances importing an obligation of confidence, a cause of action in breach of confidence can arise. The disclosure need not be intentional for a corporation to be held responsible.
Other causes of action may be available where the disclosure or leak took place in breach of any contractual arrangements between the compromised corporation and the affected party. Examples include where a counterparty has suffered loss as a result of a breach of a customer contract, or breach of an employment contract requiring data to be handled in a certain way.
Liability may also arise from how the organisation and its senior officers handle the cybersecurity incident or data breach. The duty of directors to act in the interests of the company may include consideration of the response taken after the incident.
In practice, it is common for multiple causes of action to be pleaded since a cybersecurity incident generally involves different things happening to different data.
Collective Actions
While individual claims for data leaks or misuse do not generally attract high damages, the aggregated amount can be quite significant.
In the United Kingdom, there have been several cases where collective claims by customers have been allowed to proceed. This is in part due to the clever ways in which claimants have chosen to structure their claims.
The latest Singapore decision on the matter also indicates a more liberal approach towards such collective actions, which is allowed under Singapore civil procedure rules as a representative action. An expansive interpretation of the “same interest” requirement (necessary for a representative action to proceed) has been taken in various jurisdictions, and the Singapore Court of Appeal has adopted such an approach.
A broad and flexible approach was also taken by the Singapore Court of Appeal towards the administration of representative actions, and the relief which may be granted to the claimants.
Whether compelled by increasingly robust regulation or the threat of civil liability, corporations and their senior management will face greater scrutiny and pressure to strengthen their cyber / data governance and resilience. If they have not already done so, corporations should treat this period as an opportunity to assess and strengthen their policies, processes and structures to mitigate these cyber and data risks.
For further information, please contact:
Lijun Chui, Partner, Bird & Bird