Financial service regulators are increasingly willing to involve themselves in the area of data protection. When they do so, the attitude they take to imposing punishment ought to remind us of a very old legal maxim. Collas Crill partner Wayne Atkinson discusses this below in the latest contribution to Compliance Matters by experts in Guernsey's legal sector.
I have been thinking a lot recently about an old English legal case called Rylands v Fletcher. To be brief, Rylands v Fletcher was a decision by the House of Lords in England and Wales which established a whole new area of English tort law - that of non-contractual liability. In the middle of the 19th century Mr Rylands paid some people, who turned out to be chancers, to build a reservoir. Rylands' reservoir almost immediately burst and flooded a neighbouring mine, run by Fletcher, causing significant damage. Think of a particularly bad episode of Poldark and you'll have the general picture of what might have happened.
Owing to the facts of the case, neither a pure negligence claim nor a pure nuisance claim really worked for Fletcher, but he convinced a judge (Baron Bramwell) that he had a right to enjoy his land without someone else's water flooding it. The argument Baron Bramwell put forward was affirmed and refined by both the Court of Exchequer Chamber and the House of Lords, leading to the development of the rule in Rylands v Fletcher, which states: "the person who for his own purposes brings on his lands and collects and keeps there anything likely to do mischief if it escapes, must keep it in at his peril, and, if he does not do so, is prima facie answerable for all the damage which is the natural consequence of its escape."
For most lawyers, particularly those in the regulatory sphere, Rylands v Fletcher is a bit of forgotten history from university, a case almost unique on its facts and irrelevant to the modern world. I would argue that there is now something that all regulated businesses bring on their lands, collect and keep there that is very likely to do mischief if it escapes: personal data.
Put simply, the rule in Rylands v Fletcher says that if you hoard something in your possession likely to cause damage if it escapes (be it water, noxious chemicals, tigers or electricity) and fail to keep control of it, the resultant damage is your responsibility. The liability is what lawyers call strict liability: there is no need to prove that any fault caused the escape. Why should a similar principle not apply to data?
It is important to note that the various recent successful claims made for data breaches are not applications of the rule in Rylands v Fletcher but of the data protection laws and financial service regulations. However, if we think about our data collection through the lens of Mr Fletcher's bad luck, it helps explain a lot of recent regulatory thinking and judgments. It is also a way of thinking about how scary the data you hold can be for you and its 'subjects.'
The most high-profile of those cases has been that of Morrisons. In 2014 a Morrisons employee by the name of Skelton, with his own personal animus against the supermarket chain, went rogue and posted the personal data of thousands of Morrisons employees online. Skelton had obtained the data by copying it from his work computer and received a sentence of eight years in prison for various criminal offences.
It was held that there was an unbroken thread that linked Skelton's work to the disclosure, and therefore what happened was a seamless and continuous series of events. It was for this reason that the appeal by Morrisons was dismissed. The firm was vicariously liable for the acts of Mr Skelton even though he did them of his own accord and not Morrisons'.
Among the comments made by the judges was this: "Suppose he had misused the data so as to steal a large sum of money from one employee's bank account... If Morrisons' arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally." This possibility was clearly considered unacceptable. Morrisons had collated and controlled the data and so a degree of culpability attached itself to them, notwithstanding the excessiveness of Skelton's actions.
In another recent-ish case involving a supermarket, data and a big fine, the Financial Conduct Authority fined Tesco Personal Finance plc (Tesco Bank) £16.4 million for "failing to exercise due skill, care and diligence in protecting its personal current account holders" against a cyber attack in November 2016.
Per the FCA press release, attackers exploited deficiencies in Tesco Bank's design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack. Those deficiencies left Tesco Bank's personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26 million. An FCA spokesperson talked about how "The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks... Customers should not have been exposed to the risk at all."
Note that this was the FCA, not a data-protection regulator. Financial service regulators are more and more willing to involve themselves in this area, viewing proper information control as an essential aspect of a regulated business.
The FCA based its fine on a breach of Principle 2 of its Principles for Businesses, which requires a firm to conduct its business with due skill, care and diligence. In Guernsey, our own financial services regulator, the Guernsey Financial Services Commission, has made similar noises about how a data breach may also result in a breach of financial services regulation, as de facto evidence of a failure to meet regulatory care, skill or resourcing requirements. It is also talking to firms about their cyber-security arrangements.
So, what to do? Compliance professionals who are reading this will probably already have muttered to themselves that acquiring personal data is itself a regulatory requirement: we simply must acquire and hold copies of passports, bank statements and other personal data to do our jobs. I'm not saying that we should not collect it, I am simply saying that we should be cautious about how and why we collect it.
Many businesses are still far from compliant with the General Data Protection Regulation. Even at some of those businesses that rolled out programmes successfully a half year ago, there are still mutterings about the cost and value of compliance.
The Rylands v Fletcher case is a helpful analogy for anyone who wants to consider these issues. Sometimes a business cannot avoid harbouring some hazardous material. By the same token we sometimes have to collate data. In doing so we absolutely must collate it wisely, securely and only to the extent necessary - these, funnily enough, are a couple of the data protection principles paraphrased.
For a long time, data has been treated like gold. Businesses instinctively want as much of it as possible, hoarding it whether they have an immediate use for it or not. That probably used to make sense in the old days: it was cheap to store and might well come in useful later on, when someone came up with the right analytical questions or proposals to make use of it. The most recent case law, legislation and regulatory decisions, however, are all telling us the same thing: we should be treating data more like water or electricity. It is useful, in fact it's essential, but it can also be dangerous. You have to treat it carefully and use it only where necessary. If you're going to keep lots of it lying around your business, you should be taking special precautions and you should be ready for the consequences if and when it leaks out. Those consequences can, as these cases show, be so severe that they more than justify a detailed, proper and fulsome data security programme.
The original version of this article was first published in Compliance Matters, 24 November 2018.
For more information about Guernsey's finance industry please visit www.weareguernsey.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.