Cyber security continues to be headline-grabbing news, particularly in light of the global “ransomware” cyber attack which recently hit the NHS, Telefónica and FedEx. The ransomware reportedly encrypted data on over 300,000 computers in some 150 countries, with hackers threatening to delete data unless a ransom was paid. This latest attack is reported to be the biggest online extortion scheme ever.
The Information Commissioner’s Office (ICO) issued a statement in response to the latest cyber attack to reiterate that “all organisations are required under the Data Protection Act to keep people’s personal data safe and secure.”
Whilst concerns about cyber related risks and data security are not new, the issue is becoming ever more pressing for businesses, not least because of the introduction of the General Data Protection Regulations (GDPR) in May 2018.
The cyber threat
The recent global ransomware attack which hit 47 NHS trusts is not an isolated case. The UK government’s 2017 Cyber Security Breaches Survey found that:
- over two thirds of large firms and SMEs detected a cyber security breach or attack in the last 12 months;
- in the last year, the average business identified 998 breaches; and
- for a large firm, the average cost to the business as a result of a breach is £19,600.[1]
These statistics highlight the fact that cyber attacks are a growing area of risk for businesses. Generally, more businesses are migrating into digital form and on globally interconnected technology platforms. As this trend continues, businesses’ exposure to a cyber attack inevitably increases.
The threat is no longer limited to large organisations. Smaller organisations have not historically been the target of cybercrime but this position has changed in recent years. SMEs are now being targeted by cyber criminals and with increasing frequency.
The consequences
The consequences of a cyber attack can be multiple and far-reaching: disrupted business systems, regulatory fines, compensation claims, reputational damage and loss of consumer trust.
The legal implications in relation to cyber and data security arise primarily from the Data Protection Act 1998 (DPA). The DPA requires organisations to take appropriate technical and organisational security measures to prevent unauthorised or unlawful processing or accidental loss of or destruction or damage to personal data. Under the DPA, the ICO can impose fines of up to £500,000 for breach of this obligation. This is set to dramatically escalate under the GDPR to an upper limit of €20 million or 4% or annual global turnover – whichever is greater.
If appropriate measures have not been taken to keep peoples’ personal data secure and a cyber security breach occurs, organisations risk leaving themselves open to a fine or other enforcement action. This was the case with TalkTalk as discussed in our earlier article “The Only Way is Up – Fining Powers on the Increase for Data Protection Breaches” (21 March 2017). The ICO issued more than £1,000,000 in fines last year for breaches of the DPA. Moreover, personal data owners may seek compensation from organisations for such breaches.
The challenge of compliance with data protection laws is set to potentially increase and become more onerous under the GDPR. The GDPR will supersede the DPA and introduces new and extended obligations for organisations.
Businesses will be legally required to report data breaches that pose a risk to individuals to ICO within 72 hours and in some cases to the individuals affected. Data processors will also have direct obligations in relation to data security for the first time. Another key change is around accountability – the GDPR creates an onus on companies to demonstrate compliance with the data protection principles and put in place comprehensive governance measures.
Mitigating the risks – what should you be doing?
In light of the risks highlighted, it is more essential than ever that organisations protect themselves (and therefore, by extension their consumers), from increasingly sophisticated cyber attacks.
To minimise the risk of a cyber attack and ensure regulatory compliance with the current DPA and the incoming GDPR, businesses should be looking to take the following steps:
- generate awareness within your organisation;
- set up a project team with full board engagement;
- carry out a data inventory and mapping exercise to understand what data you have, what you use it for, where it is held and what third parties are involved in processing data;
- carry out a gap analysis to work out what compliance steps are needed;
- review all relevant policies, procedures and contracts;
- undertake a data privacy impact assessment, if needed;
- prioritise and scope out a cyber security incident response plan;
- implement and rehearse the cyber security incident response plan; and
- train staff, monitor processes, audit and adjust.
[1]https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/609186/Cyber_Security_Breaches_Survey_2017_main_report_PUBLIC.pdf (pg. 8)
Amanda Leiu is a trainee solicitor in the Commerce & Technology team at Fox Williams LLP.
