Preventing and dealing with data loss from your business

Blog
Published: 24th November 2021
Area: Litigation & Dispute Resolution


Loss of control of data, or the copying of data, belonging to a company is one of the most serious problems we can face today.

The recent example of the US pipeline operator that was the victim of a data hack and ransom, which led to shortages of petrol in the US and people trying to fill plastic bags with fuel, shows, albeit in an extreme way, the chaos and cost that loss of data can bring to a business.

What are the main data risks for businesses?

There are three fundamental data risks that a business can face:

  1. the external attack;
  2. the disgruntled internal attack; or
  3. the enterprising departing employee looking to use data for their own benefit.

Faced with any of these scenarios, a business can panic.  However, every one of these risks can be managed and mitigated by:

  • assessing what data is under attack or has been taken;
  • identifying a possible source;
  • collecting the contract for any individual involved (the contracts under which you hold the data); and
  • identifying any particular cause of urgency such as publicity.

Our team of experts can advise you on, and if necessary obtain, injunctions to stop the use and further distribution of data, and can help mitigate any liabilities arising from the loss.

What is an external hack?

External hacks fall into the following categories:

  • The ransom hack involving money or threatening publicity; and
  • The so-called ethical hack, carried out to demonstrate that there is an issue, that there is security to be breached and that the hacker is clever enough to exploit it.

Although these are similar, they differ importantly in how they must be dealt with.

Publicity

An ethical hacker is much more likely to want to publicise what they have been clever enough to do, as opposed to a ransom hacker who is only concerned with money or reward.

An ethical hacker is less likely to imprison data, and therefore less likely to disrupt the business’ ongoing operation.

To deal with this successfully, be open and sincere with whoever you have to be. This includes dealing with the Information Commissioner, but also anyone whose data may have been compromised and whose dealings with you may have been affected.

The probability of no one finding out is extremely low but, if properly managed and with proper requests, valuable relationships can be saved. Businesses trust other businesses that are open and honest.

Investigate and provide details

If the issue rests with a piece of software that you bought, a bad design, or some other reason, then you need to know the cause. And, more importantly, you need to share the root of the issue both externally and internally. This is important because you may be able to pass some of the liability onto a third-party supplier if it is genuinely their fault.

Legal advisors can be vital in helping you to mitigate the damage, by dealing with the Information Commissioner and other regulators, handling claims and complaints by those whose data has been affected, pursuing those responsible if this is one of the rare cases where it is possible, and recovering any potential losses.  Money spent in mitigation is money well spent.

What is a disgruntled internal attack?

A disgruntled employee, or another individual with access to sensitive data and an axe to grind, can wreak havoc and cause serious damage, as experienced recently by Morrisons supermarket. Such an incident may often be foreshadowed by expressions of discontent, by talk about problems or vulnerabilities, or even by a straightforward extortion attempt.

However, this can be handled with the following steps:

  1. Stop any further data being stolen or distributed – ideally, you will have a plan in place already but you need to take action to stop your internal systems from being compromised any further.
  2. Contact solicitors and work alongside them to identify who is responsible. You can then stop the employee from doing anything with the data that they have stolen if it has not already been distributed.
  3. Inform the Information Commissioner, and anyone else you must inform, of what has happened.
  4. Deal with the employee and mitigate the damage with the data owners.

In the Morrisons claim, the Supreme Court gave guidance as to the exposure a business can face. This gives hope to companies that are victims of such actions that, if their systems are robust enough and the actions sufficiently unpredictable given the employee’s role, they can escape liability. However, any such issues require careful expert legal management.

Enterprising departing employee

Perhaps the most common issue or concern for data loss is the employee or contractor who is departing and wishes to take data to help them set up their own new business or to take with them into their new role. Whether it be data they consider pertains to “their clients”, or general theft of data more widely, this scenario requires quick and instant action.

Recent cases of this type of threat demonstrate the importance of careful consideration of how to deal with such an employee. Often data protection law and general principles of confidentiality can be more important, and provide a more effective way of protecting a business, than traditional restrictions in contracts. Ultimately, preserving clients and protecting the business is the key in this situation.

In 2020 an adviser, who left the firm Quilter taking a number of clients with her, was subject to a claim by Quilter. The High Court’s decision was that the covenants in her contract were an invalid restraint of trade and unenforceable.

The scope of these, at first sight, might have appeared reasonable to many businesses. However, the adviser had begun scanning data onto a personal laptop shortly after making an approach to the new employer, and so the timing was more blatant than most. The contract sought to prevent an individual from working for a competitor for nine months and from dealing with or soliciting their former clients for 12 months. The court would have found the individual in breach of non-solicitation, had the terms been valid, and may even have wanted to find in favour of the company, given the adviser’s behaviour, but was unable to do so.

We’re here to help

If you’re faced with loss of data, even if you have a contract in place to protect it, it’s important that you seek professional help to minimise damage and protect your data and your business.


Daniel is a highly regarded, experienced specialist commercial litigator and defamation expert.
