
Capita Cyber Security Breaches – What Do They Mean For Pension Scheme Trustees? – Whistleblowing



To print this article, all you need is to be registered or login on Mondaq.com.

What happened?

Capita, a provider of professional services including pensions
administration services, recently suffered cyber security incidents
affecting the personal data held by approximately 90 organisations,
including a number of pension schemes. In particular, pension
schemes using Capita’s Hartlink online portal may be
affected.

How have regulators responded?

The Pensions Regulator (the
“Regulator”) published a statement on 12 May calling on schemes that
use Capita’s services to check whether their data could be
affected. The statement also covered:

  • Communicating with members about the incidents.

  • Monitoring increased or unusual transfer requests.

  • Data protection breach notification obligations.

  • The importance of robust cyber security and business continuity
    plans.

The Information Commissioner (“ICO”)
also published a statement on 25 May encouraging organisations
that use Capita’s services to determine if the personal data
they hold has been affected and reminding them of their data breach
reporting obligations.

What should pension scheme trustees be doing?

If you use Capita’s services and have not already been
contacted by Capita, you should contact them as a matter of urgency
to establish whether your data is affected. If personal data under
your control has been affected, you may need to report this to the
ICO (using their online tool). As a data controller you must
report personal data breaches to the ICO within 72 hours
of becoming aware of the breach. You may then also
need to report the breach to the affected data subjects
(individuals) without undue delay. Lastly, you may
also need to report the breach to the Regulator under the
whistleblowing legislation.

More generally, all trustees, whether or not they use
Capita’s services, should ensure they are complying with the
security requirements of UK data protection legislation, and taking
all reasonable steps to prevent cyber attacks which, if they
happen, can be costly and high risk.

The Regulator has published guidance setting out the steps that it expects
trustees to take in relation to cyber security. While this guidance
is not binding and there is no penalty for failing to comply with
it, trustees should review it and consider whether there are any
changes they wish to make to their cyber security arrangements as a
matter of good practice.

Employer input

To the extent that breaches also impact the employer,
communication between the trustees and the employer will be
necessary. For example, the trustees may be required to notify the
employer under a data sharing agreement with the employer or the
pension scheme’s administration agreement.

How can we help you?

Mayer Brown can assist you in a range of ways:

Responding to breaches. We can assist you with
responses to cyber security breaches, including assessing your
reporting requirements. We can also assist with drafting or
reviewing your communications to the ICO, the Regulator, and any
affected individuals.

Reviewing current arrangements. In light of the Capita
incidents, it is important generally for you to keep your current
cyber security and data protection arrangements under review. We
can assist you by reviewing your cyber security and data protection
policies, the processes that you have in place (including incident
response plans), and security or data protection arrangements with
third party providers.

Keeping up to date. Cyber security is a fast developing
area and, as recent events show, it is moving closer into the
pensions sphere. Therefore keeping up to date with cyber security
developments will be important in helping to ensure you have
resilient structures in place. We can assist by providing you with
training or knowledge update sessions. We can also support you in
running a role play cyber security breach response to test your
response process.

Originally published on 8 June 2023.


© Copyright 2023. The Mayer Brown Practices. All rights
reserved.
