Capita Cyber Security Breaches – What Do They Mean For Pension Scheme Trustees?
What happened?
Capita, a provider of professional services including pensions
administration services, recently suffered cyber security incidents
affecting the personal data held by approximately 90 organisations,
including a number of pension schemes. In particular, pension
schemes using Capita’s Hartlink online portal may be
affected.
How have regulators responded?
The Pensions Regulator (the
“Regulator”) published a statement on 12 May calling on schemes that
use Capita’s services to check whether their data could be
affected. The statement also covered:
- Communicating with members about the incidents.
- Monitoring increased or unusual transfer requests.
- Data protection breach notification obligations.
- The importance of robust cyber security and business continuity
plans.
The Information Commissioner's Office (“ICO”)
also published a statement on 25 May encouraging organisations
that use Capita’s services to determine whether the personal data
they hold has been affected and reminding them of their data breach
reporting obligations.
What should pension scheme trustees be doing?
If you use Capita’s services and have not already been
contacted by Capita, you should contact them as a matter of urgency
to establish whether your data is affected. If personal data under
your control has been affected, you may need to report this to the
ICO (using their online tool). As a data controller you must
report a personal data breach to the ICO within 72 hours of
becoming aware of it, unless the breach is unlikely to result in a
risk to individuals’ rights and freedoms. Where the breach is
likely to result in a high risk to individuals, you must also inform
the affected data subjects without undue delay. Lastly, you may
also need to report the breach to the Regulator under the
whistleblowing legislation.
More generally, all trustees, whether or not they use
Capita’s services, should ensure they are complying with the
security requirements of UK data protection legislation and taking
all reasonable steps to prevent cyber attacks, which, if they
happen, can be costly and high risk.
The Regulator has published guidance setting out the steps that it expects
trustees to take in relation to cyber security. While this guidance
is not binding and there is no penalty for failing to comply with
it, trustees should review it and consider whether there are any
changes they wish to make to their cyber security arrangements as a
matter of good practice.
Employer input
To the extent that breaches also impact the employer,
communication between the trustees and the employer will be
necessary. For example, the trustees may be required to notify the
employer under a data sharing agreement with the employer or the
pension scheme’s administration agreement.
How can we help you?
Mayer Brown can assist you in a range of ways:
Responding to breaches. We can assist you with
responses to cyber security breaches, including assessing your
reporting requirements. We can also assist with drafting or
reviewing your communications to the ICO, the Regulator, and any
affected individuals.
Reviewing current arrangements. In light of the Capita
incidents, it is important generally for you to keep your current
cyber security and data protection arrangements under review. We
can assist you by reviewing your cyber security and data protection
policies, the processes that you have in place (including incident
response plans), and security or data protection arrangements with
third party providers.
Keeping up to date. Cyber security is a fast developing
area and, as recent events show, it is moving closer into the
pensions sphere. Therefore keeping up to date with cyber security
developments will be important in helping to ensure you have
resilient structures in place. We can assist by providing you with
training or knowledge update sessions. We can also support you in
running a role play cyber security breach response to test your
response process.
Originally published 08 June 2023
© Copyright 2023. The Mayer Brown Practices. All rights
reserved.