The recent Global Fraud Report by Kroll, published last month, revealed that 75 per cent of companies fell victim to fraud in the past year, with a large proportion of these incidents involving the theft of personal data held by a company by someone "on the inside".
This, coupled with the wide-reaching and high-profile nature of recent external cyber attacks, such as the attack on TalkTalk, demonstrates how vulnerable businesses that have customer data at their core can be, and the human impact these breaches can have.
Given the range of threats, coupled with the sanctions available to European regulators where companies suffer a breach, what precisely should businesses be doing to reduce their risk profile in the pre- and post-incident environment?
No one-size-fits-all
In the UK, whilst many correctly look to the UK Data Protection Act 1998 (“DPA”) for guidance on such issues, there is no “one-size-fits-all” solution to be found in terms of what companies should be doing to reduce risk. The DPA requires a risk-based approach to security and requires that organisations take: “appropriate technical and organisational measures… against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The measures an organisation takes to protect itself from threats both inside and out will therefore depend largely on the size and nature of the business, the amount of personal data it processes, and the sensitivity of that data.
Best practice tips
Although there is no prescriptive standard to adhere to, the UK privacy watchdog (the Information Commissioner's Office or "ICO") and CESG (the information security arm of GCHQ) both promote a number of best practice measures that will help reduce cyber security incidents, including the following:
- Implementation of a risk management programme developed across the organisation, supported by the board and senior managers;
- Appointment of a person or persons responsible for data and cyber compliance;
- Rolling out updated and enhanced training for all staff;
- Using reputable anti-virus software relevant to all business areas;
- Insisting that software updates and security patches are applied, not merely downloaded, as soon as they become available;
- Ensuring all employees use strong/complex passwords;
- Automatic deletion/quarantining of suspicious emails; and
- Being ready to quickly and effectively respond to any reports of a breach.
With all the best will in the world, however, implementing a comprehensive plan only goes so far and cannot entirely eliminate the risk of a security breach. Companies also need a robust response plan and expert resources at the ready should the worst happen, capable of establishing whether a breach originated inside the company and how it should be dealt with.
A well-developed response plan should ensure that sufficient steps are taken to contain the breach immediately and to recover lost data, whilst at the same time providing for a risk assessment to be carried out to consider how serious the damage is, or is likely to be.
Self-reporting – what is the right approach?
The ICO does currently encourage self-reporting of breaches (and notification of affected data subjects) in appropriate circumstances; however, as things stand, there is no strict legal obligation to do so (with some exceptions).
This is set to change with the introduction of the new EU-wide Data Protection Regulation, which is now on the horizon (initial thinking was that reports should be made to supervisory authorities within 24 hours, but this is now set to be "as soon as possible so that data subjects can take appropriate measures"). Any company's breach notification policy will therefore need to be prepared or updated with this regulation in mind.
Be careful, too, about rushing to self-report. Approaching the ICO will not always result in a lighter fine, or in the avoidance of a fine altogether. A premature notification to the ICO and/or to the individuals a company believes may be affected can cause more harm than good. More often than not there is considerable merit in not "jumping the gun" on notifications to regulators and/or individuals until the key facts have been established and the extent of the issue is clear. This is a critical phase, and having the sounding board of pre-identified counsel who have been through it before can be invaluable.
Cyber breaches can have a very real impact on a business's reputation, brand and bottom line. The increasing fines and the risk of legal claims that follow also mean it is prudent to seek expert input and to do the key preparatory work in advance. When it comes to cyber security, nothing should be left to chance and companies should not be complacent. As the Kroll report highlights, suitable methods of protection and response procedures that cater for data leaks, including those originating inside the organisation, are also key.
Careful planning and preparation upfront will not only limit the damage should a security breach occur, but can also help avoid or minimise regulatory sanctions, protect a company's reputation and substantially improve consumer trust and confidence.
Rafi Azim-Khan, Head Data Privacy, Europe, Pillsbury Law and Steven Farmer, Counsel, Pillsbury Law