Capita, a provider of professional services including pensions administration services, recently suffered cyber security incidents affecting the personal data held by approximately 90 organisations, including a number of pension schemes. In particular, pension schemes using Capita’s Hartlink online portal may be affected.
How have regulators responded?
The Pensions Regulator (the “Regulator”) published a statement on 12 May calling on schemes that use Capita’s services to check whether their data could be affected. The statement also covered:
- Communicating with members about the incidents.
- Monitoring increased or unusual transfer requests.
- Data protection breach notification obligations.
- The importance of robust cyber security and business continuity plans.
The Information Commissioner (“ICO”) also published a statement on 25 May encouraging organisations that use Capita’s services to determine if the personal data they hold has been affected and reminding them of their data breach reporting obligations.
What should pension scheme trustees be doing?
If you use Capita’s services and have not already been contacted by Capita, you should contact them as a matter of urgency to establish whether your data is affected. If personal data under your control has been affected, you may need to report this to the ICO (using its online tool). As a data controller you must report a personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The 72 hours run from when you, as controller, become aware of the breach; where the breach occurred at a processor such as Capita, that will usually be when the processor notifies you, which it is required to do without undue delay. Where the breach is likely to result in a high risk to individuals, you must also inform the affected data subjects without undue delay. Lastly, you may also need to report the breach to the Regulator under the whistleblowing legislation.
More generally, all trustees, whether or not they use Capita’s services, should ensure that they comply with the security requirements of UK data protection legislation and take all reasonable steps to prevent cyber attacks, which can be costly and high risk when they occur.
The Regulator has published guidance setting out the steps that it expects trustees to take in relation to cyber security. While this guidance is not binding and there is no penalty for failing to comply with it, trustees should review it and consider whether there are any changes they wish to make to their cyber security arrangements as a matter of good practice.
To the extent that breaches also impact the employer, communication between the trustees and the employer will be necessary. For example, the trustees may be required to notify the employer under a data sharing agreement with the employer or the pension scheme’s administration agreement.
How can we help you?
Mayer Brown can assist you in a range of ways:
Responding to breaches. We can assist you with responses to cyber security breaches, including assessing your reporting requirements. We can also assist with drafting or reviewing your communications to the ICO, the Regulator, and any affected individuals.
Reviewing current arrangements. In light of the Capita incidents, it is important generally for you to keep your current cyber security and data protection arrangements under review. We can assist you by reviewing your cyber security and data protection policies, the processes that you have in place (including incident response plans), and security or data protection arrangements with third party providers.
Keeping up to date. Cyber security is a fast developing area and, as recent events show, it is moving closer into the pensions sphere. Therefore keeping up to date with cyber security developments will be important in helping to ensure you have resilient structures in place. We can assist by providing you with training or knowledge update sessions. We can also support you in running a role play cyber security breach response to test your response process.