Cybersecurity & Data Privacy Communications

How communications strategies can minimise data breach penalties

Calculating the true cost of a data breach incident can be complicated, particularly as reputational damage to key stakeholder relationships can sometimes take longer to surface. However, new ICO guidance gives a clearer picture of the likely financial cost of a breach in terms of penalties or fines and emphasises how the regulator may effectively reward organisations for timely actions and responsible behaviour in their incident response.

The guidance sets out a clear five-step framework that the ICO will follow to calculate the fine amount:

  • Step 1: Assessment of the seriousness of the infringement.
  • Step 2: Accounting for turnover (where the controller or processor is part of an undertaking).
  • Step 3: Calculation of the starting point having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking.
  • Step 4: Adjustment to take into account any aggravating or mitigating factors.
  • Step 5: Assessment of whether the fine is effective, proportionate and dissuasive.

Therefore, how an organisation manages its response, including its communications strategy, is likely to influence the overall fine calculation.

Mitigating Factors

Step 4 in the framework states that the Commissioner will consider any actions that “mitigate the damage suffered by data subjects”. Evidence of clear and robust communication to affected subjects demonstrates that efforts have been made to limit impacts to data subjects, bearing in mind that the damage suffered as a result of a breach could include psychological harm, such as distress caused by uncertainty. To that end, companies should:

  • Use factual and transparent messaging to explain what is happening and the possible risks to data subjects, making sure not to downplay the incident while not creating unnecessary alarm.
  • Consider the method used to inform data subjects. Email notices may be the most efficient, but face-to-face meetings can be effective in addressing any concerns upfront, particularly where employees are affected or if impacted data is particularly sensitive.
  • Include clear and practical actions that data subjects can take to protect their personal data, such as changing passwords and identifying phishing attempts.
  • Consider providing data subjects with tangible support. Free identity theft protection services can provide longer-term assurance and help prevent further misuse of impacted data.
  • Establish a process to address queries and concerns from data subjects post-notification.

Timely Response

Timeliness is a word that appears repeatedly throughout the guidance. This indicates that organisations will also be rewarded for swift action, while delays could lead to more severe penalties. Organisations can ensure timely actions by taking a number of steps ahead of an incident occurring:

  • Designate roles and responsibilities and establish clear processes to avoid any delays in notifications or other engagement with the Commissioner.
  • Identify additional stakeholders or bodies who should be notified in the event of an incident and assign clear ownership of this communication.
  • Consider that regular communication channels may not be available in the event of a cybersecurity incident and ensure that alternatives are available.
  • Pre-approve providers of data protection services to avoid any delays in setting up this service.

Furthermore, notifying other organisations and “appropriate bodies” such as the National Cyber Security Centre (NCSC) demonstrates a willingness to be transparent and forthcoming. Regardless of regulatory obligations, the guidance states the ICO “may give weight” to companies that choose to proactively notify bodies such as the NCSC where the cooperation goes beyond “what is required by law”.

By taking these steps and prioritising communications to stakeholders, particularly data subjects, organisations can both protect their overall reputation through a data breach, and also put themselves in good standing with regulators.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2024 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
