When email goes badly wrong | Managing data breaches

A recent data breach, in which emails revealed sensitive patient data, is reported to impact almost two thousand individuals and underscores the importance of a comprehensive data and cybersecurity programme.

What learnings can you take from the case to mitigate breaches at your organisation?

The Charing Cross data breach

The data breach by the Charing Cross gender identity clinic, which supports adults with issues related to gender, is being treated as a serious incident by Tavistock and Portman NHS Foundation Trust, the NHS body responsible for the clinic. Those impacted may suffer understandable distress as they may be outed to their friends and family, and some patients may face serious danger to their wellbeing or even safety.

The breach is an unfortunate case of human error – the clinic's patient and public involvement team used the carbon copy (cc) rather than the blind carbon copy (bcc) functionality when sending out the emails. This scenario is not uncommon. However, notification to the Information Commissioner’s Office (ICO) of such an incident is not always required.

It is important for businesses to be able to ascertain quickly whether a data incident has occurred, and equally important to be able to determine whether the incident is likely to result in "a risk to the rights and freedoms of natural persons." If there is no risk, then the leak may be classed as a data incident and may not be reportable to the ICO. There has been a tendency, particularly following GDPR, for businesses to 'over-report' incidents to the ICO when it is not necessary. An emerging best practice where close judgment calls must be made is to engage data security lawyers to assist in evaluating the "rights and freedoms" test as it applies to a data incident to determine reporting requirements and whether incidents do or do not meet the notification threshold.

More than a pound of cure – regulatory enforcement

The Trust may face a significant fine from the ICO for its failure to keep its patients' personal information safe. Separately, given the type of sensitive information disclosed, those individuals affected may be entitled to compensation. A leak of this nature could attract more substantial amounts than the loss of basic data. However, the ICO will often take into account mitigating circumstances in each case when considering data breaches, which could help to minimise any fine.

Mitigating steps may involve being able to show the ICO that the relevant IT systems were in place to prevent unauthorised processing of data; that staff were provided with adequate and regular training/updates; and/or that satisfactory policies and processes are in place to ensure safe processing of data. Organisations should consider a comprehensive programme of data protection and cybersecurity to prevent these data incidents and mitigate any regulatory enforcement action. In this area, careful documentation helps demonstrate these mitigating steps, and for small and medium-sized organisations it is helpful to have a data protection and cybersecurity "systems integrator", such as a law firm or audit firm, to organise and execute the programme.

An ounce of prevention – not "if" but "when"

Many businesses have "GDPR indigestion" after spending large amounts looking at their systems, policies and procedures. However, these organisations must now develop endurance, because they are required to continuously monitor their compliance mechanisms and ensure that they are executed and updated.

With respect to email, you should: 

  • Implement appropriate technical and organisational measures to prevent unauthorised processing of personal data. This depends on the nature, scope, context and purposes of the processing, and the risks posed to individuals, e.g. in the Charing Cross case, given that the potential harm to individuals is greater due to the nature of the data, there is an argument that the Trust should have considered using professional email campaign technology or an account that could send a separate email to each service user.
  • Ensure that your staff receive regular data protection training so that they fully understand the potential consequences of breaching data protection laws.
  • Ensure that there are strict policies and procedures in place so that information is processed safely, e.g. having a system in place for double-checking these types of marketing email.
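
As an illustration of the two technical measures in the list above (a separate email per recipient, and an automated double check before sending), the following Python sketch is an added example and not code from the Trust or from this publication. The one-visible-address limit, the function names and the example.org addresses are assumptions made for the illustration; handing the messages to a mail server is left out.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 1  # assumed policy: a bulk mailing exposes at most one address


def visible_recipients(msg):
    """Return every address that recipients can read in the To and Cc headers."""
    headers = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def presend_check(msg, limit=MAX_VISIBLE):
    """Return (ok, reason). Blocks a message that exposes too many addresses."""
    exposed = visible_recipients(msg)
    if len(exposed) > limit:
        return False, f"{len(exposed)} addresses visible in To/Cc (limit {limit})"
    return True, "ok"


def build_individual_messages(sender, recipients, subject, body):
    """Build one message per recipient so nobody sees another person's address."""
    messages = []
    # Normalise and de-duplicate while keeping the original order.
    for rcpt in dict.fromkeys(r.strip().lower() for r in recipients):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def constructed_cc_mistake():
    """Constructed sample: a mailing where the list was pasted into Cc, not Bcc."""
    msg = EmailMessage()
    msg["From"] = "involvement@example.org"
    msg["To"] = "a@example.org"
    msg["Cc"] = "b@example.org, c@example.org"
    msg["Subject"] = "Invitation"
    msg.set_content("Details of the event follow.")
    return msg


if __name__ == "__main__":
    print(presend_check(constructed_cc_mistake()))
    fixed = build_individual_messages("involvement@example.org",
                                      ["a@example.org", "b@example.org"],
                                      "Invitation", "Details of the event follow.")
    print([presend_check(m) for m in fixed])
```
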

When (not if!) a data breach happens, it is important to have a rehearsed plan already in place. Organisations should have a procedure in place so that data incident response is structured and well-rehearsed and that the resources are pre-positioned to deal with the fallout. Consider hosting a Serious Data Breach training day for key staff.

In addition to a rehearsal, data breach planning should include:

  • How an investigation would be covered so it could be legally privileged and involve forensic experts if appropriate
  • A communication plan for regulators, customers and the public
  • Controlling or mitigating damage to reputation by direct engagement with the media and any follow-up actions that require the removal or correction of defamatory material
  • Providing access to support services/advice for those affected
  • Implementing remedial measures to ensure that subsequent breaches cannot occur
  • Considering how any data breach litigation would be defended.

A comprehensive Cybersecurity Resilience and Response Programme is important and should provide clients with an integrated, multi-disciplinary legal and technical solution which is bespoke to their business. This includes a number of key elements such as assessments, certifications, contract reviews & remediation, health checks and penetration testing, training, investigations (including forensics), brand & reputation management, and litigation and regulatory assistance.

TLT's Data, Privacy & Cybersecurity team assists clients in building organisational data resilience and effective incident response. Please do get in touch with Brian Craig, Lynsey Robinson or Claire Graham for further information or advice.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2019. Specific advice should be sought for specific cases. For more information see our terms and conditions


Date published

23 October 2019

