'Mega' Data And Privacy Breaches

Author:Ms Charlotte Worlock and Christina Terplan
Profession:Clyde & Co

Recent headlines have been dominated by "mega" breaches involving tens of millions of customers. This article highlights some of the biggest recent US privacy breaches, and considers how a similar incident might affect UK companies.

A large-scale UK breach is inevitable. UK organisations must prepare in advance in order to protect their consumer data and technology systems. Recent US Breaches

The recent hacking of Sony Pictures released sensitive internal documents and emails, and costs are publically estimated at $70-$100 million. In October 2014, hackers at JPMorgan Chase & Co. compromised contact information of 76 million individuals and 8 million small businesses, and there are concerns that the stolen information could be used in phishing attacks to obtain additional personal information sufficient to commit fraud. In September 2014, Home Depot announced that malware had infected its point-of-sale systems, potentially impacting 56 million payment cards; public reports estimate costs at $62 million. Hackers also attacked Target in 2013, stealing 40 million payment cards and contact information of 70 million customers, and damaging Target's reputation and stock prices, leading to the resignation of Target's CEO and chairman. Target estimates final breach-related costs of $148 million.


The UK so far appears to have avoided a large-scale breach incident (although UK organisations generally are not required to report a breach to regulators, suggesting many incidents currently slip below the radar). Nonetheless, a 2014 survey by PWC found that 81% of large UK businesses and 60% of small businesses suffered a breach in the last year, with the average cost nearly doubling since 2013. It is clearly no longer a case of if but when a large-scale breach occurs in the UK, and UK companies should prepare for the following:

Investigative Costs

An experienced privacy lawyer is often engaged in the US as "breach coach", to coordinate the entire breach response, which can lead to lower costs overall and a more effective response. Computer forensic specialists can help to mitigate costs: a US company which appeared from the outside to have suffered a large-scale breach was able to show through forensic analysis that its network was not compromised. Privacy counsel can help a company comply with its various legal obligations: the ICO is already very active in this area, and the draft EU General Data Protection Regulation ("EU Regulation"), which...

To continue reading