The media is full of reports reminding us to take data security seriously. In the US, lawsuits are being brought by shareholders against directors in the wake of data breaches. In the EU, the General Data Protection Regulation (GDPR) will impose increased obligations when it applies from 25 May 2018. It is abundantly clear that betting and gaming businesses cannot afford to sit back and hope that they will not be the next to suffer a high-profile data breach.
The risks posed by data breaches are by no means new, but the way in which betting and gaming businesses prepare for, and react to, data breaches needs a new approach. The data held by companies in this sector is one of their most valuable assets, alongside their reputation and brand. While the stakes are obvious, the procedures to follow once a breach has been identified, and the steps to mitigate the resulting damage, are sometimes just an afterthought.
One of the key changes under the GDPR is that organisations will need to produce documented evidence of compliance, as opposed to simply asserting compliance. Another is that, while private sector bodies by and large are not currently required to notify the Information Commissioner of a data breach, in future breaches must be notified to the regulator without undue delay, and where feasible within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to the individuals concerned (for example, a risk of identity theft); where the risk to individuals is high, the affected individuals themselves must also be told. This is in addition to the existing requirement on companies regulated by the Gambling Commission to notify any breach in information security that adversely affects the confidentiality of customer data. The time has therefore come for boardrooms to take action and turn compliance into a competitive advantage.
There are numerous steps that can be taken to demonstrate a proactive approach to data security and to mitigate the associated risks. Here are a few of the practical steps that executives should be considering:
- Put data security on the agenda – data security should be a regular feature on board meeting agendas. Executives should draw on the expertise of internal IT and information security specialists, whose input will form an integral part of the discussions. It might also be worthwhile inviting external specialists to present to the board on data security and on the identification, evaluation and mitigation of the risks associated with a data breach.
- Appoint a dedicated response team – this team should be led by someone sufficiently senior to make decisions quickly in the event of an incident. Clear reporting lines should be established, and the wider team should include an appropriate representative from the IT division and, given the legal, regulatory and reputational elements discussed below, legal and communications input. You should also consider appointing a team administrator who can take minutes of meetings and calls, so that a contemporaneous record of what was known and decided exists for any later regulatory enquiry. Details of the team and how to contact them, including outside office hours, should be shared with the wider business, so that everyone knows what to do in the event of a suspected or actual breach.
- Implement/update data security and data breach policies – ensure that these are carefully tailored to suit the business. Effective implementation is key, and will involve training staff at all levels so that everyone within the business understands the procedure and their role in the event of a breach. It is also important to test these policies: not every type of data breach can be simulated, but the only way to know whether your policies work in practice is to exercise them, for example by walking the response team through a realistic breach scenario against the clock, and then to fix the gaps the exercise reveals.
- Review existing contracts – revisit existing customer and supplier contracts to ensure that any limitations/exclusions of liability for data breaches are appropriate, or make the required adjustments. If third parties process data on behalf of the business (for example, hosting or data back-up), ensure that you are comfortable with the extent of their obligations to you (including an obligation to tell you promptly about a breach on their side, since your own regulatory notification obligations will depend on it), the adequacy of their data protection policies and your right to terminate if things go wrong.
- Consider cyber insurance – while cyber insurance policies are used on a large scale in the US, European companies have been slow to follow suit. This is due to a number of factors, such as a lack of awareness and understanding of the relevant cover, and high premiums resulting from low uptake. However, the insurance market has now developed a dedicated product line to give businesses additional protection from the potential consequences of cyber attacks. Businesses can purchase cyber-specific cover in the form of extensions to traditional policies, such as directors' and officers' (D&O) cover, or as standalone cyber policies. Cyber insurance policies can be tailored to specific businesses, but generally provide cover for the following risks:
  - Cyber crime / theft of intellectual property / theft of commercially sensitive information / extortion
  - Business disruption/interruption
  - Data and software deletion/destruction
  - Direct financial loss (theft of funds, extortion payments)
  - Third-party liabilities (actions by customers, employees or shareholders) and regulatory actions
  - Reputational damage
  - Investigation/response costs
In addition to providing financial protection, cyber insurance can also benefit businesses because insurers help firms reduce or prevent losses by sharing best practice and insights from claims and near-misses across their client base. This matters for the development of protection against cyber risk, as incidents often go unreported publicly. Bear in mind that policies typically carry conditions, such as maintaining the security controls declared at inception and notifying the insurer promptly, so early contact with the insurer should be built into the breach response procedure.
- Reputation management – in the event of a threatened or actual cyber attack involving data loss, you will be under intense pressure to make swift decisions on how much to communicate, and to whom, at a time when you are unlikely to have full details. You will need to decide when, and how much, information to share. Sharing too much, too early may exacerbate the crisis needlessly, for example where a data loss turns out to be less significant than first thought. Sharing too little, too late risks damaging your brand by making you appear slow to react and secretive. The timing of communications may be taken out of your hands if you are required to inform the relevant regulator (or affected individuals) of the breach, or if the attackers start publishing the stolen data. Your reputational strategy needs to be fully integrated with the other elements of your data breach policy. Clearly, the nature and extent of the breach will dictate the approach adopted, but there is certainly value in identifying your various stakeholders (customers, shareholders, employees and regulators) and crafting appropriate messaging in advance.
If you have any questions arising from this, please speak to your usual Mishcon contact or a member of our Betting and Gaming Group.