On 7 May 2015, Matheson hosted and sponsored the SCL Irish Group’s breakfast seminar on data security and cyber insurance, which drew an audience of over 100 professionals working in the area of data protection in Ireland and the UK.
John O’Connor, Chair of the SCL Irish Group and head of Matheson’s Technology and Commercial Contracts group, commenced the morning by setting out the data security requirements placed on data controllers and processors by legislation. They must maintain ‘appropriate’ security measures to fit the nature of the personal data and which can take into account the harm that could result from a breach and the state of technological development in the area.
He outlined the importance of having a data security incident response plan in place, steps in dealing with a data security incident and also noted some of the specific concerns relating to data security in the cloud.
Andreas Carney, Senior Associate in Matheson’s Technology and Commercial Contracts group, gave an overview of the law and best practice in Ireland relating to data security breaches. He referred to a number of high-profile data security breaches that had occurred in the past year, including Sony and Target in the US and LoyaltyBuild in Ireland, which demonstrated the importance that should be given to data security within organisations.
He explained that the Irish Data Protection Commissioner had published a data security breach code of practice which, while not generally binding and lacking detailed guidance, was nonetheless a good starting point for understanding how to deal with a data security breach in Ireland. Best practice requires that a data controller, when deciding what level of notification to give regarding a security breach (whether to the DPC or the data subject), take into account the nature of the data concerned, the scale of the breach and the potential for adverse effects on data subjects.
Andreas also spoke about the upcoming EU Data Protection Regulation, which takes a similar risk-based approach to notification and reporting and also requires that systems for the collection and retention of personal data are designed with data security in mind.
An overview of the current state and development of cyber insurance was provided by Ffion Flockhart, Partner at Norton Rose Fulbright LLP. She outlined that cyber insurance was a fast-growing area, as organisations have begun to understand the important impact that cyber risk could have on their business. There are many gaps in traditional types of insurance which typically concentrate on direct physical damage, or malice in the case of crime insurance, and do not adequately deal with losses resulting from hacking, including systems failures, loss of data, reputational damage and even legal and regulatory problems arising as a result.
She noted that the level of cyber risk was increasing every year and, in the near future ‘organisations could be split into two categories: those that have been hacked and those that have been hacked more than once’.