Business First Digital Magazine, March 2017 | Page 45

large businesses have experienced a “significant” hack or data breach. The UK Government’s Cyber Security Regulation and Incentives Review 2016 reports that within the UK, hacks cause businesses the following types of loss: financial, including costs of remedying – the average cost for a micro business is £3,000 and £36,000 for a medium to large business.
Secondly, reputational loss: the hacking of TalkTalk in 2015 caused panic amongst customers concerned at the theft of their personal and bank account details, with complaints reaching 200,000 tweets within seven days and trending.
The company is reported to have lost 100,000 customers and faced an overall bill of £30 million.
Third type of loss: losses in terms of customer claims for subsequent fraudulent use of customer data.
2018’s introduction of the long-awaited new data protection legislation will bring a new level of risk for businesses who fail to comply with the new law.
To some, this seems like a “double whammy”: a business suffers all of the costs caused by a hack – and then is fined by the government for being hacked.
Warning: incoming data protection law!
The government’s response is that business won’t do anything by itself. Nine out of 10 businesses currently have no incident management plan.
Over 50 per cent of businesses in the UK have taken no action of any sort to protect themselves from hacking – the majority of those who have only did so after a hack.
Separately, government believes businesses have the wrong priority of value. The CSRIR notes that a hacked business’s first concern is its online presence – will its site be able to function?
Next concern: has any intellectual property or commercially confidential information been compromised? And last (but, to government minds, certainly not least) comes customer data. This is where government wishes to educate business.
Personal data theft is seen as a major enabler for international crime: in 2013 UK authorities recorded data theft as being the starting point for 65 per cent of fraud cases, and the figure has increased rapidly since.
A European Commission study in 2014 calculated the compromise of 640 million personal records – across a selection of countries whose combined population was 523 million.
Government recognises that businesses are dazed and confused, worried about potentially high costs of security upgrades and unsure how to source proper consultancy.
And so government approach is to blend legal penalties with a solution of sorts. The gatekeepers are the NCSC and the data protection watchdog, the Information Commissioner’s Office.
The ICO will have increasing powers to fine companies leaking personal data. A major new obligation coming in with the 2018 legislation will be the requirement to notify the ICO of data breaches.
However, the ICO is (and always has been) keen to help businesses who are proactive: their website (details below) provides useful advance advice to businesses who want to prepare for next year’s law change. Particularly recommended is their Preparing for the General Data Protection Regulation: 12 steps to take now.
The NCSC provides a set of online tools and advice for businesses to help understand and act on cyber security risks. It provides cyber risk management health checks, and advice on certified security services and training.
Legal penalty is not the only driver for businesses to take advice, consult these bodies and comply.
My bet is that insurers will soon force business to pay attention. PI and D&O claims traditionally covered privacy liability claims.
However, the scale of the risk for insurers just got miles bigger: the 2015 case of Vidal-Hall v Google determined for the first time that data breach plaintiffs no longer had to prove financial loss, but could win a claim on the basis of distress alone.
The floodgates of claims for insurers were opened. The incoming obligation on businesses to notify the ICO of data breach claims won’t help.
The natural response of the insurance market will surely be to define the scope of their claims more tightly, and as a minimum to require compliance with data law.
What to do?
So: what do you do? Answer: recognise that government has shown you a road forward, with legislation as a stick to keep you to your path. You need to follow the road as far as possible, and be seen to be on the road.
Sounds great, but what does that mean? It means identifying someone in your business to take the lead on this over the next few years.
They need to understand the commercial risks of hacking, and the legal consequences of a data breach. They should familiarise themselves with the NCSC and ICO websites, and ideally secure some form of NCSC certification.
IT security requirements should be documented (and read!) and incident management plans created. The ICO’s 12 Steps sets out practical actions that should be taken before 2018.
In conclusion, the current growth of hacking needs to be seen against the background of the forthcoming fundamental change in data protection law. From now on, it will be your responsibility as a business to comply with the law – and to demonstrate that you comply.
So, this article – it starts on a high note, but then collapses into portentous warnings of bad times ahead? Hopefully not. This is the first in a series of articles in which I and my colleagues will be explaining the incoming legislation, and highlighting practical ways in which you may prepare for the law change.
And, if you’ve read this far, congratulations! You’ve achieved the first of the ICO’s 12 Steps: being aware of the problem.
NCSC website: www.ncsc.gov.uk
ICO website: ico.org.uk
12 Steps: ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf
Rory Campbell is a director at Forde Campbell LLC, the Northern Irish law firm specialising in data protection and internet law.