“Because if you're sharing data with them, and they have a breach, the ICO and the FCA will be looking…to you to say, well, what did you do to make sure that these guys were up to scratch? That's a particular challenge.”
Conversely, Breavington says a third party could bring a claim against the advice firm if the latter is holding confidential data that is sensitive to the former.
"If that data is compromised or unavailable and that third party suffers loss, then there might be a contractual claim against the breached party, which is separate from, or additional to, any GDPR issues."
To give an example, he says the financial advice firm might process data that a corporate client needs for its day-to-day functioning, such as invoicing customers or paying salaries to staff.
"If that information is unavailable or compromised, the client might suffer loss as it cannot carry out the function for which the data is needed, at least temporarily. That loss might form a claim by the client against the breached financial advice firm, depending on the terms of the contract between them."
Taking out insurance
Insurance can help guard against claims, and both Breavington and Snowball advise firms to take it out.
“It's a sensible thing to do,” says Snowball, “it's such a significant risk to the business, both from a legal perspective, from a regulatory perspective, and from a reputational perspective, that it's logical that you would look to insure against that risk.”
This specialist insurance comes on top of professional indemnity insurance and is not mandatory, though more and more firms tend to have it, says Snowball.
There are several options for advisers, from covering just specific breaches such as cyber attacks, to a broader policy covering accidental breaches too.
Breavington says: “Depending on the terms of the policy, such cyber insurance could provide cover for potential claims arising out of data breaches but also give the policy holder access to technical forensic assistance, legal advice and PR firms to help when responding to a data breach.
“The expertise of these vendors would help minimise the fallout of a data breach generally whilst also minimising claims received in the wake of an incident.”
But the lawyers warn against blindly relying on the insurance.
"The issues that we usually see are policies that aren't really up to scratch and are quite outdated,” Snowball says.
"But the main thing is, are those policies really stress tested, are they regularly reviewed and kept up to date? I think that's probably one area where firms could do better on the whole.”