EU disclosure rulings will bite back in 2016

After the seasonal break in the New Year, companies will be returning to a changed and alien landscape as far as data protection regulations are concerned. Failure to overhaul their cyber security systems and protocols accordingly will mean they risk paying a fine of up to 4 per cent of their annual turnover.

The European Union has this week approved radical new updates to its data protection laws which are to be formally adopted by the European Parliament and Council at the start of 2016. The new laws, which will be enforced on all European Union members including the UK, will become applicable within two years. As the EU is a supranational authority, the new rulings will apply automatically not only to all UK companies but also to those from regions such as the US who do business within the EU.

The EU has ruled that companies will have only 72 hours to report serious data breaches. Companies that handle significant volumes of data will be required to employ a data protection officer. Failure to comply will be punished with a fine based on around 4 per cent of turnover.

Companies must regularly test IT defences

According to PwC, the scale and breadth of the new rulings will deliver unprecedented challenges for business and most companies will be ‘shocked’ at the scale of work they will have to accomplish before the new laws take effect in two years’ time.

If they are to avoid potentially Draconian fines, as well as potential lawsuits from customers and clients whose confidential details may have been hacked, companies must now regularly test their IT defences with penetration tests by third parties. They must also use embedded sources on the Dark Web to ascertain when a breach has occurred, since many companies can remain unaware of a major cyber theft for weeks or even months. Companies will have to struggle hard in 2016 if they are to comply with the new laws: they must be in a position to identify serious cyber breaches as they occur, report them within 72 hours and take immediate steps to limit the damage and prevent further breaches.

The new rulings will change the entire cyber security landscape. Until now, most organisations, particularly those in the financial sector, have chosen to keep quiet about cyber breaches. They have done this to avoid the damage to investor and customer confidence that they feared might result from revealing the true extent of their losses.

This strategy has had a number of negative consequences. One is that, by choosing not to report serious cyber losses, they have helped create an environment where organised criminal groups (OCGs) have been able to prosper. Without a concerted effort on the part of companies and the authorities, they have been allowed to flourish and develop their skills to an extent where some industry sources now estimate global losses to cyber-crime to be somewhere between one and two trillion dollars.

While the new rulings are in no way ‘a magic bullet’ for the growing global problem of cyber-crime, they do herald a new era of transparency in which the true scale of the problem can be properly quantified. As the true extent of the impact cyber-crime is having on the economy becomes apparent, companies will have little option but to make a concerted effort to safeguard their organisations against further attack.

All sectors must now deploy best-practice cyber security

Although the cyber criminals are currently years ahead of most organisations in terms of their cyber skills, transparency and information sharing will enable organisations across all sectors to finally begin to establish best practice security technology and protocols.

These will be aimed not only at preventing breaches from occurring wherever possible but also at limiting the damage when a breach does occur. When hacks such as the recent one at TalkTalk occur, it is essential that the company concerned informs its customers and clients as soon as possible that their data may have been compromised. Allowing them to discover the breach only after they have subsequently been hacked or conned as a result of it risks far greater reputational damage than the original breach would have caused.

Going into 2016, all types of organisations will have to make cyber security a priority. In addition to securing their IT systems, they must educate staff about their role in safeguarding information. The increasing use of social engineering, where criminals carry out extensive online research on companies and individuals, enables OCGs to conduct “spear phishing” exercises via spoof email or phone calls designed to elicit confidential information or arrange money transfers to a criminal account. Organisations of all kinds will also have to engage damage limitation protocols enabling them to react quickly and effectively to cyber breaches as and when they occur.

Failure to do this could eventually result not only in a fine of up to 4 per cent of annual turnover but also in facing lawsuits from dissatisfied customers and clients whose data may have been compromised as a result of what can be shown to be negligence regarding their cyber security.

Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser, the KCS Group Europe.