Data security is once again centre stage in the pensions industry. Amid a modern backdrop of heightened digital risk, demonstrated by Capita’s recent cyber attack, a data breach incident can have serious consequences for schemes if not properly addressed and rectified. If a data breach does unfortunately occur, trustees must know how to navigate this

Partner Anna Rogers commented on how to approach a data breach situation, stating: “Pension trustees must rely on third parties to process their data, and no-one is safe from cyber risk. If there is a data breach, affected members may well make claims. Members can claim for non-material losses (e.g. distress), often pursued by specialist claims management firms. GDPR lawyer Alex Dittel of Wedlake Bell says “£3,000 per person would be a typical claim and even if unsuccessful, defending them costs money”. Trustees could fail to recover their losses from the third party because of:

• inadequate contractual terms
• inadequate due diligence by the trustee, or
• actions taken (or inaction) by the trustee following the breach.

“Regulators (ICO and TPR) will be understanding of trustees who have done as much as they could, but their requirements to some extent push in different directions. Notifying members when not required by law may increase risk.

“Now is a good time to refresh training, supplier reviews and readiness to respond.”

Read Anna’s comments in Investment & Pensions Europe, here.