As an Optionis customer, how does the ClearSky and Parasol hack affect me?
Contractor’s Question: I'm a former Parasol contractor and I currently have my personal service company set up with ClearSky Contractor Accounting. A little worryingly, I have direct feeds from the accountancy firm straight into my limited company bank account.
Can you explain what the material risks are that I, my company and my employees face as a result of the Optionis data leak? I'm seriously considering taking legal action against the group if the risks are considerable, but I'm afraid I might not fully understand their extent.
Expert’s Answer: Both Parasol and ClearSky Contracting are owned by the Optionis Group and all three are ‘data-controllers.’
So for you to begin to grasp the potential ramifications, it might be helpful for you to note the security, integrity, and confidentiality obligations that controllers have.
Two GDPR Articles to note
Article 5(1)(f) of the UK GDPR imposes an obligation on controllers to ensure the ‘integrity and confidentiality’ of personal data.
It says that personal data shall be:
‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’
And Article 32(1) of the UK GDPR, further states:
‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.’
This means businesses need to take appropriate measures based on the nature of data processed and their areas of operation. Such measures can include organisational measures such as staff training and operational procedures, as well as technical measures such as encryption.
If it is found that an entity processing personal data has fallen below this threshold, then this could be deemed to be a GDPR breach. But it would be important to understand what the entity did/did not implement, to ascertain if this is a failing or not.
Suing, complaining, mitigating
In terms of recourse (which you mention in your question), it is of course possible to take action via the courts. But you would need to show the losses that have been suffered. This is likely to be long-winded and expensive, without any certain outcome. You can also file a complaint with the Information Commissioner’s Office and have your employees or other affected individuals do the same.
As we understand it, the ICO is investigating the Optionis data breaches and it might be worth waiting for an official outcome before deciding what to do next.
As for mitigation measures on your side, we recommend that you work out and understand what data has been potentially compromised, and we suggest you consider taking steps to resolve that potential loss on your end, such as notifying banks, changing passwords and creating new log-in information.
The expert was Charlotte Gerrish, founding lawyer at data law firm Gerrish Legal.