An increasing number of companies use online systems such as cloud technology to store data about their business including valuable intellectual property (“IP”) assets.
Online systems provide businesses with easier access to their research, ideas, databases and other forms of IP in contrast to holding such information on physical hard drives. However, whilst potentially reducing the risk of loss or damage as a result of fire, flood or a break-in at a business’s premises, online, IT and data systems are vulnerable to sophisticated third party hackers who may use a range of means to access, share, corrupt or delete valuable company data.
Although a company may choose to invest relatively heavily in protecting its data, no system is infallible, and the ability of employees and workers to access the business’s systems from a multitude of devices and locations potentially provides hackers with greater opportunities to exploit weak points.
If a company has its online data accessed by a malicious third party, it can damage its reputation and see a director found in breach of more than one of his/her duties under the Companies Act 2006 (“the CA”) and face personal criminal liability under the Data Protection Act 1998 (“the DPA”).
Duty to Promote the Success of the Company
Under section 172 of the CA, directors have a duty to “promote the success of the company” and in doing so must have regard to its employees and foster business relationships with suppliers, customers and others. Therefore, if a director fails to put in place adequate measures to protect data stored online in relation to the company’s employees, customers and suppliers, and the data is, for example, stolen or corrupted, he/she is likely to have failed to comply with this duty.
Duty to Exercise Reasonable Care, Skill and Diligence
A director also has a duty to “exercise reasonable care, skill and diligence” under section 174 of the CA. The director’s actual knowledge, and the knowledge that may reasonably be expected of a person carrying out the director’s functions, should be taken into consideration when deciding what level of care, skill and diligence is deemed reasonable.
If, as a result of the acts or omissions of directors responsible for the company’s IT & data systems, those systems become exposed to malicious third party practices, the directors responsible may be found to have breached this duty.
Holding Data Securely
Although there is no “one size fits all” solution to holding data securely, directors should ensure appropriate measures are in place to prevent data from being compromised.
It should be clear which director is ultimately responsible for ensuring data is held securely and ‘processed’ within the parameters of the DPA. Security measures need to be designed and organised to fit the nature of the personal data held and the damage that may be caused as a result of a security breach. The right security must be backed up by robust policies and procedures.
Consequences of Breaches
A director who breaches his duty under the CA may face a claim from the company, which could result in the director being liable to pay damages for any loss the company suffers.
Under the DPA, a director can face personal criminal liability if he/she has neglected to hold data securely and it is hacked. The company may also be served with an enforcement notice preventing it from processing data, which would effectively stop many businesses from operating, together with significant fines.
What a Director Should Do
A director with responsibility (whether individually or collectively as part of a committee or the Board generally) for online systems should ensure they are secure and that all employees, and in particular those working on mobile devices, do not expose the company’s online systems to any unnecessary risk. Directors need to ensure suitable security measures are in place to prevent attacks on the company’s online systems. If the director responsible does not have the necessary expertise, the task should be delegated with reasonable care, skill and diligence to a competent third party.
A director may want to consider whether it is necessary to carry out a data protection audit and potentially appoint a data protection manager who can review or write the company’s data protection policy. It is advisable to hold no more personal data than is necessary for the business activities that the company performs and to review the company’s insurance and evaluate the risk of suffering a ‘hacking’ incident.