To: Carrie Counselor
Subject: Lost laptop containing European customer information
A couple of weeks ago, you wrote me about an employee who will be engaging in a six-month temporary assignment around Europe to scope market opportunities. The employee was Abbie Absent-Minded. Well, we hit a snag pretty quickly. Abbie just e-mailed me to say that she left her laptop on a train in London last evening and it hasn’t turned up yet in the train company’s lost-and-found. It was a brand-new laptop that we had given her for her European assignment, so fortunately it didn’t have a lot on it. Abbie said that the laptop had contact information for her various marketing prospects, plus some sample customer data that she was given by one of her prospects to use in a demo of our web-based advertising product. She thinks that the customer data included around 200 records with the customer’s name, age, gender, e-mail address and the history of purchases that the customer made from our prospective client’s retail stores.
I assume that we should tell our prospective client that the laptop with their customer data was lost. What else do we need to think about?
From: Carrie Counselor
To: Ned Help
Subject: RE: Lost laptop containing European customer information
You didn’t say whether the data on the laptop was encrypted, so I’m assuming it wasn’t. (More on that at the end of this e-mail.)
First, I agree that you should tell your prospective client that the laptop with its customer data has been lost. Your prospective client probably views the customer data as its confidential information, which it entrusted to your company, and you probably have a duty under common law principles to inform the prospective client of the loss.
Generally, a company that has UK personal data under its control has a legal obligation to take “appropriate technical and organisational measures” against “unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to” the personal data. As you will remember from our earlier communication about the EU’s definition of personal data, all information about an identified natural person, and information that can be used to identify a natural person, is protected as “personal data.”
Second, UK law currently does not require you to report the data breach to the regulator or to the data subjects. (There are breach reporting requirements for telecoms and internet service providers, but those don’t apply to you.) The UK regulator, the Information Commissioner’s Office (“ICO”) strongly encourages companies that have experienced a breach to consider the potential harm to the data subjects. The ICO has issued guidance to help companies work through whether to notify the breach voluntarily. It’s pretty clear under the current guidance that you don’t have to report the data breach – assuming that no sensitive information was involved. That’s where we need to ask some additional questions: You wrote that information that has been lost included the customers’ past purchase histories. If the purchase related to health or sexuality (the most likely categories of sensitive personal data that could be revealed by purchase history), then we need to assess this further, and you or your prospective client may well choose to report voluntarily to the ICO.
Please also confirm that only UK personal data was on the laptop. Various European countries have more expansive data breach reporting requirements, and if there’s other EU data involved, we will need to review further.
Third, it’s important to know that the rules on reporting data security breaches will change when the new General Data Protection Regulation (“GDPR”) goes into effect across the EU in May 2018. When the GDPR goes into effect, data controllers will have to report security breaches to the regulators within 72 hours of becoming aware of the breach, unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” (No one knows what the precise standard is for this risk assessment, so companies are likely to over-report, at least in the first few years of the GDPR.) It will also be necessary to report the breach to the data subjects if their rights are at “high risk.”
Finally, I recommend that you start encrypting personal data on employee laptops and other electronic devices to alleviate the risks of data security breaches and potentially reduce the need to notify regulators or data subjects if the data are lost.
Please follow-up with this information so that we can discuss further.
You can read previous installments of our Innocents Abroad series here.