As lockdown slowly eases, hopefully for the final time, it remains unclear to what extent the changes to the world of work forced on us by the pandemic are here to stay. Although the Government wants to encourage people back into their workplaces, two thirds of employers are planning to retain a significant degree of remote working. Sectors such as banking, accountancy, legal services and tech seem likely to be at the forefront of the trend.
If that is borne out, it will have significant implications for cybersecurity and data protection. Recent research by Doherty Associates suggests that 48 per cent of companies have experienced a cyber attack or data breach since March 2020 (see Who Moved My Moat? (pdf)). Though some of these will be low level – it’s easy to send an email to the wrong addressee – others are sophisticated attempts by malign actors, aimed at covertly accessing material for their own purposes, or blackmailing the owner of the system in a “ransomware” attack. In January 2021, for example, clothing retailer Fat Face apparently had to pay $2m to a criminal gang who had accessed its systems and encrypted key data. They then took two months to tell customers.
As well as the cost of any ransom, the reputational and legal costs of such an incident can be enormous. The Information Commissioner is investigating Fat Face for an alleged breach of the data protection regime. If proven, it can expect a substantial fine: British Airways were fined £20m following a data breach that resulted from a cyberattack in June 2018. Individual data subjects may also look to bring claims, in which damages can be awarded for distress and for loss of control over their own personal information, as well as for any actual damage caused.
Against that background, the shift towards remote working carries serious risks. Terry Doherty, chief executive of Doherty Associates, notes that “With employees working outside of the office, using a blend of personal and company devices, firms no longer have a single ‘front door’ to protect but a multitude of entry points to secure against cyber criminals.” In the office, an employer has control over how its employees access the internet, the devices they use and the safety measures in place. But it is far harder to maintain that same degree of control over remote workers: even if an employee is using a work-issued device, the domestic internet connection they are linked to may not be as secure, for example. If using their own device, then the risks multiply rapidly. Although technical issues can be resolved – for example, by ensuring that employees’ devices are properly set up, including with encryption and the ability to remote-wipe, and requiring the use of appropriate VPNs, firewalls and anti-virus software – this takes substantial time and effort. It is also a never-ending task, both as new employees join, and as software and settings need to be updated.
Sharing information in the remote working context can also be more challenging. Files cannot be physically transferred via USB or DVD without a substantial risk of data loss. Although encryption secures the data, it imposes time and effort costs on both sender and recipient. Many firms are shifting to secure file transfer sites.
As well as the technical issues, there is a psychological aspect. A common way into an otherwise protected network is through attacks such as ‘phishing’, where a malign actor poses as some legitimate organisation and asks an employee to click a link or take some other step that leads to a cyber breach. These attacks can be highly sophisticated: the Financial Conduct Authority has recently warned about a company which is contacting investors, giving the real name and reference number of a genuine FCA-authorised company in an attempt to obtain confidential information. Other recent scams have emails which mimic the automated emails sent by the very secure file transfer sites that are supposed to protect information, rather than put it at risk. When working in the home environment, as opposed to the more formal setting of the office, it is all too easy to imagine an employee momentarily losing focus and clicking a link they should have deleted. It is also all too easy to imagine cyberattacks and data breaches going either unnoticed or unreported. Those risks exist in the office environment too, but, combined with the technical weaknesses involved in remote working, they mean that working from home should be seen as an area of particular vulnerability.
Defending against phishing attacks is difficult: going as far as Irish law firm A&L Goodbody is probably ill-advised. On 31 March, the firm sent a fake email to all staff informing them that they were a close contact of someone with Covid-19 and asked them to click a link for more information. Staff who had recently been in contact with elderly relatives found it ‘extremely distressing’, and the firm has since apologised. But while the content was misjudged, the spirit and intent make sense, and certainly test exercises have their part to play alongside training and technical solutions.
From a legal perspective, cyber breaches, particularly those that involve personal data, can give rise to various types of civil claims, as well as regulatory action from the ICO. In the case of a cyberattack or data breach, claims in breach of confidence or misuse of private information are likely to fail. As held at first instance in Various Claimants v Wm Morrison plc  EWHC 3113 (QB), in a point not challenged on the subsequent appeals, it will generally be the cyber attackers, not the company, that has disclosed or misused the information in question. But that does not prevent claims under the Data Protection Act 2018 or in negligence. A key issue in 2018 Act claims is likely to be whether the safeguards and controls which companies have in place provide “appropriate security of personal data”, including “appropriate technical and organisational measures”. With such measures in place, a company has relatively good prospects of defeating data protection claims. It is likely that if an employer can show it has appropriate security for the purposes of a data protection claim, that will also mean no breach of duty for any negligence claim.
The recent Court of Appeal case of M v Chief Constable of Sussex  EWCA Civ 42 confirms that “appropriate security” is not an absolute: what is appropriate will vary from case to case. That means that establishing what measures are “appropriate” involves a balancing exercise – in essence, the more sensitive the information, the better the security that is required. Both the ICO and the court will want to see that this balancing exercise has been expressly carried out and kept up to date. Doherty Associates’ research suggests that only half of firms have carried out a cyber risk assessment on remote working. This is a crucial tool that should form part of any data protection policy. Importantly, the changing risks arising from home working will need to have been incorporated, with those risks and appropriate steps to combat them properly identified – and the steps properly implemented, both through technical means and through robust policies and training. The National Cyber Security Centre’s guidance on phishing and on cyber security ought to be consulted, as well as the ICO’s guidance for organisations on working from home.
And companies need to have a plan for what happens after an attack or a breach. The obligations around breach reporting can be onerous, and come with strict time limits. More broadly, it will be crucial to get onto the front foot: Marriott International’s immediate response once a substantial data breach had been discovered in September 2018, and its cooperation with the ICO investigation, were factors in the 80 per cent reduction of the intended £99m penalty, with a final penalty of £18.4m being imposed in October 2020. Conversely, a failure to respond rapidly is likely to be treated as an aggravating factor: Fat Face’s delay in notifying data subjects is unlikely to go down well. Employers would be well advised to take legal advice both ahead of any breach, and in the immediate aftermath.
Overall, since remote working is almost certainly part of the new normal, policies and procedures for cybersecurity and data protection need to be updated accordingly. There are substantial legal, regulatory and reputational risks associated with failure in this field, and those risks are highly likely to be increased when employees are working from home, perhaps on their own devices and using their own internet connections. Doherty Associates’ recent research shows the potential scale of the problem: it’s up to employers how they respond, but it’s unlikely that simply kicking the issue into the long grass would be wise or prudent.
John Goss is a barrister practising at 5 Essex Court chambers in London. He specialises in Data Protection and Information Law, Personal Injury, Licensing, Public Law and Inquests. He acts for private companies, individuals, and a range of Government departments and public bodies, including on a direct access basis. Email firstname.lastname@example.org. Twitter @5essexcourt.