Business First Digital Magazine, March 2017 | Page 45

large businesses have experienced a “significant” hack or data breach. The UK Government’s Cyber Security Regulation and Incentives Review 2016 reports that within the UK, hacks cause businesses the following types of loss. First, financial loss, including the costs of remedying the breach – the average cost for a micro business is £3,000 and £36,000 for a medium to large business.
Secondly, reputational loss: the hacking of TalkTalk in 2015 caused panic amongst customers concerned at the theft of their personal and bank account details, with complaints reaching 200,000 tweets within seven days and trending.
The company is reported to have lost 100,000 customers and faced an overall bill of £30 million.
Thirdly, losses in the form of customer claims for subsequent fraudulent use of customer data.
2018’s introduction of the long-awaited new data protection legislation will bring a new level of risk for businesses who fail to comply with the new law.
To some, this seems like a “double whammy”: a business suffers all of the costs caused by a hack – and then is fined by the government for being hacked.
Warning: incoming data protection law!
The government’s response is that business won’t do anything by itself. Nine out of 10 businesses currently have no incident management plan.
Over 50 per cent of businesses in the UK have taken no action of any sort to protect themselves from hacking – the majority of those who have only did so after a hack.
Separately, government believes businesses have the wrong priority of value. The CSRIR notes that a hacked business’s first concern is its online presence – will its site be able to function?
Next concern: has any intellectual property or commercially confidential information been compromised? And last (but, to government minds, certainly not least) comes customer data. This is where government wishes to educate business.
Personal data theft is seen as a major enabler for international crime: in 2013 UK authorities recorded data theft as being the starting point for 65 per cent of fraud cases, and the figure has increased rapidly since.
A European Commission study in 2014 calculated the compromise of 640 million personal records – across a selection of countries whose combined population was 523 million.
Government recognises that businesses are dazed and confused, worried about potentially high costs of security upgrades and unsure how to source proper consultancy.
And so the government approach is to blend legal penalties with a solution of sorts. The gatekeepers are the NCSC and the data protection watchdog, the Information Commissioner’s Office.
The ICO will have increasing powers to fine companies leaking personal data. A major new obligation coming in with the 2018 legislation will be the requirement to notify the ICO of data breaches.
However, the ICO is (and always has been) keen to help businesses who are proactive: their website (details below) provides useful advance advice to businesses who want to prepare for next year’s law change. Particularly recommended is their Preparing for the General Data Protection Regulation: 12 steps to take now.
The NCSC provides a set of online tools and advice for businesses to help understand and act on cyber security risks. It provides cyber risk management health checks, and advice on certified security services and training.
Legal penalty is not the only driver for businesses to take advice, consult these bodies and comply.
My bet is that insurers will soon force business to pay attention. PI and D&O claims traditionally covered privacy liability claims.
However, the scale of the risk for insurers just got miles bigger: the 2015 case of Vidal-Hall v Google determined for the first time that data breach plaintiffs no longer had to prove financial loss, but could win a claim on the basis of distress alone.
The floodgates of claims for insurers were opened. The incoming obligation on businesses to notify the ICO of data breach claims won’t help.
The natural response of the insurance market will surely be to define the scope of their claims more tightly, and as a minimum to require compliance with data law.
What to do?
So: what do you do? Answer: recognise that government has shown you a road forward, with legislation as a stick to keep you to your path. You need to follow the road as far as possible, and be seen to be on the road.
Sounds great, but what does that mean? It means identifying someone in your business to take the lead on this over the next few years.
They need to understand the commercial risks of hacking, and the legal consequences of a data breach. They should familiarise themselves with the NCSC and ICO websites, and ideally secure some form of NCSC certification.
IT security requirements should be documented (and read!) and incident management plans created. The ICO’s 12 Steps sets out practical actions that should be taken before 2018.
In conclusion, the current growth of hacking needs to be seen against the background of the forthcoming fundamental change in data protection law. From now on, it will be your responsibility as a business to comply with the law – and to demonstrate that you comply.
So, this article – it starts on a high note, but then collapses into portentous warnings of bad times ahead? Hopefully not. This is the first in a series of articles in which I and my colleagues will be explaining the incoming legislation, and highlighting practical ways in which you may prepare for the law change.
And, if you’ve read this far, congratulations! You’ve achieved the first of the ICO’s 12 Steps: being aware of the problem.
NCSC website: www.ncsc.gov.uk
ICO website: ico.org.uk
12 Steps: ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf
Rory Campbell is a director at Forde Campbell LLC, the Northern Irish law firm specialising in data protection and internet law.