Motor Matters - Cyber security and data breaches - New legal regime(s) - dealers beware

Published: 20/04/2017

One of the “hot topics” from a recent Motor Forum which Birketts co-hosted was “Cyber Security Breaches”.

Under the current legal regime data breaches have led to regulatory liability, including:

- fines in excess of £3 million by the Financial Conduct Authority (FCA);
- fines of up to £325k by the Information Commissioners Office (ICO),
and legal liability can also be incurred through being sued for breach of contract, breach of statutory obligations, breach of various types of duty, or for negligence – and beyond! Directors could also, theoretically, be personally liable if the data breach could be linked to breach of directors’ duties.

Whilst, to date, litigation from data breaches has been pretty limited in the UK (unlike the US), this may well change:

  1. On the back of a recent Court of Appeal case which found that the current bar – whereby an individual cannot recover damages for distress caused by breach of the Data Protection Act unless such individual has also suffered financial loss – is incompatible with EU law. If the Supreme Court upholds this decision on appeal it seems likely there will be many more claims for damages for data breaches going forward than we have seen to date; and
  2. The main event itself – the “GDPR” (The General Data Protection Regulation), which comes in from 25 May 2018.
The “headlines” on the GDPR include:

  • Fines increased, so up to €20m for “serious breach” and €10m for other breaches (plus other sanctions, eg. remediation notices and undertakings)
  • Data breaches must be reported:
- to the ICO within 72 hours (unless the breach is unlikely to result in any risk to freedoms and rights of individuals) 
- to data subjects without undue delay (if high risk of harm to individuals)

  • New consent requirements – the ICO Guidance makes clear that “Silence, pre-ticked boxes or inactivity does not constitute consent”. Most (but not all!) commentators are interpreting this so as to mean that there now has to be a shift to an appropriate “opt in” tick box regime – and that these “opt in” consents should be obtained prior to May 2018!
  • Increased direct claims from individuals expected (including for distress and upset when no financial harm)
  • Increased claims from other businesses expected too (in the wider legal liability areas referred to above)
The National Franchised Dealers Association (NFDA) and Trusted Dealers plan to produce a “GDPR toolkit” to help dealers prepare for the legislation. Birketts also has its own Data Protection specialist team, led by Kitty Rosser. If you would like a free copy of our guide to the GDPR, or to speak to Kitty, please contact Mark Henry

The content of this article is for general information only. For further information please contact the Birketts' Motor Industry Team. Law covered as at April 2017.

People Finder