GDPR A law with unintended consequences?
The new General Data Protection Regulation may have serious implications for those in the business of Mergers and Acquisitions. Richard Dutton highlights the risks.
Data on the Dark Web
Lurking beneath the world-wide-web which has become such an integral part of everyday business life is its sinister relative – the dark web. Here you will find a marketplace where traders have no identity and a product for sale that will potentially cost UK Plc billions of pounds.
Data is that product up for sale on the dark web – unlawfully obtained data. One such example might include the personal login details of the CEO to the network of his Company ‘ABC’, along with over a hundred other items of data providing access to different parts of Company ABC’s network.
Historically, the hacker responsible for this breach might have uploaded a malware package, virus or Trojan horse. More recently these cyber thieves have demanded some Bitcoin in exchange for not shutting down the network or deleting the entire customer database. This is ransomware.
A new liability dimension with GDPR
‘The GDPR,’ says Dave Johnston, UK head of cyber security specialist BlueVoyant, ‘with its draconian sanctions and breach reporting requirements, introduces another dimension.
‘Once you are aware the data has been leaked to the dark web, all you need to do is threaten Company ABC with disclosure to the Regulator or sell the data back to them.’
Imagine the scenario though if Company ABC was the acquisition target of Company DEF and the latter became aware of the data breach. Apart from potentially destroying shareholder value in Company ABC, how does the acquiring Company DEF assess its contingent liabilities?
Dean Armstrong QC, author of ‘Cyber Security; Law and Practice’ and Chairman of Elias Partnership believes that the potential for liability under the GDPR has not yet been fully considered or assessed.
A contingent liability is a potential liability that may occur, depending on the outcome of an uncertain future event. A contingent liability is recorded in the accounting records if the contingency is probable and the amount of the liability can be reasonably estimated.
‘A data breach is certainly probable but under GDPR can the amount of liability be reasonably estimated?’ asks Armstrong.
‘How would a warranty which is often limited to a fixed amount,” continues Armstrong, “cater for fines under the GDPR which could stretch up to 4% of global turnover? This is going to make it extremely difficult for purchasers to assess their contingent liabilities. Inevitably the GDPR will challenge the construction of effective and acceptable disclosure letters. It is going to have a profound effect on M&A activity.’
Impact on share price
Johnston suggests that the consequences could be even more ominous, as knowledge of these dark web data breaches will provide opportunities for threat actors to manipulate share prices (and markets) at just the right time to suit a corporate predator. ‘There are significant amounts of data on the dark web that, when used in conjunction with the relevant articles in the GDPR, have the potential to become a formidable agent in a new form of corporate warfare’.
Armstrong warns that it won’t just be the threat of the sanctions the Regulator can impose under Article 83 that the Company CEO needs to worry about. Article 82 provides for any person who has ‘suffered material or non-material damage as a result of a breach of the regulation’ to seek compensation. ‘This provision,’ maintains Armstrong, ‘will certainly be tested in the courts by proactive claims management companies and consumer interest groups – representing individuals as well as bringing class actions.’
Both Johnston and Armstrong agree that the nature of these threats to UK Plc is very real. ‘It is not just the threat of the fines; the disruption to business as usual in having to respond to a complaint when the ICO come knocking at the door will consume the Board and senior managers for months,’ says Johnston.
GDPR readiness – what’s the right question?
Armstrong is equally candid. ‘CEOs that are asking their organisation: “Are we GDPR ready?” are asking the wrong question. The proper exam question should be “Do we have a legally defensible position?”‘
‘In the cyber world we now live in,’ says Johnston, ‘it is commonly accepted that there are only two types of companies – those that have been breached and those that will be’.
Whichever category you fall into, the way you have prepared for and are monitoring your business under the GDPR will have a significant impact on the future value of your company.
Director, Elias Partnership