Reflections following the UniCredit Data Breach

null

The Breach 

Last month, Italy's largest bank, UniCredit, confirmed that it had fallen foul of a security breach, impacting approximately 400,000 of its customers. Whilst the breach was apparently only discovered by the bank last month, the first breach took place as early as September and October 2016, with another more recent attack in June and July of this year.   

Whilst no unauthorised transactions are recorded as having taken place, nor have passwords been affected, the attackers may have accessed customers' personal details along with their International Bank Account Numbers (IBANs). In its press statement following the attack having been discovered, UniCredit explained that the breach had occurred due to unauthorised access through an unnamed third party provider.   

Real and immediate threat 

Unfortunately, the threat of a cyber-attack is becoming increasingly varied, common and difficult to predict as ever-creative hackers think of new ways to penetrate organisations' defences and often outdated IT systems. In the past year alone, we have seen a number of notable cyber-attacks, including both the Wannacry and Petya-related ransomware attacks, in addition to the UniCredit data breach. More recently, HBO (the US production company responsible for Game of Thrones) has reportedly received threats to release stolen, unaired episodes and cast members personal details if a Bitcoin ransom is not paid. 

In Gowling WLG's online research of 999 large SMEs in the UK, France and Germany, it was made evident that only 65% of UK businesses see ransomware as a high risk to their business, compared to 82% of German and 77% of French businesses.   

Companies and institutions can no longer afford to ignore the threat of cyber-attacks, for reputational and business continuity reasons, as well as from a legal perspective. Given the extension to the data protection regulations coming into force in May 2018, with the new General Data Protection Regulation (GDPR) legislation, the need to take action now is all the more acute.    

Supply chain risks 

The Department for Culture Media & Sport (DCMS) recently released the results of its Cyber security breaches survey 2017. One of the headlines from the survey of 1523 businesses was that 19 per cent were worried about their supplier's cyber security, but only 13% had required suppliers to adhere to specific cyber security standards or good practice. Whilst we do not know specific details, UniCredit mentions the involvement of a third party provider in the recent attack it suffered. This highlights that organisations should bear in mind cyber security risks from outside the business as well as within.

The results of the DCMS survey suggest that, generally speaking, much more can be done and all companies and institutions should review the arrangements they have in place.    

Wrongdoer unidentified   

One of the challenges for victims of hackers is that in the case of cybercrime, not uncommonly, it may not be immediately apparent who is responsible, as compared to frauds and other wrongdoing. It has been reported that UniCredit does not know who was behind the attacks, despite having undertaken, one would expect, an extensive investigation once the breaches were discovered. This serves as a reminder that the available options for seeking compensation in the event of a cyber-attack may be limited. 

Even if the wrongdoer can be identified they may well not have the assets to be worth pursuing. Claims may be possible against third party providers if any are caught up in the incident, as may be the case with the UniCredit breach, but that will depend on the terms of any relevant contracts. Losses may be covered by insurance policies, but as the scale and potential impact of cyber-attacks increase, whether adequate cover will be available at affordable premiums remains to be seen. Depending on the policy wording, some losses may not be covered by insurance. In any case, there are uncertainties around the recoverability of fines under insurance policies, for public policy reasons.    

Increased penalties under the GDPR 

Data controllers already risk potential claims from individuals in the event of a data breach and the prospect of regulatory action, in the UK under the Data Protection Act 1998.  

However, from May 2018 the GDPR will apply to processing of data carried out by organisations operating within the EU. It will also cover organisations outside the EU that offer goods or services to individuals in it. The Regulations will increase companies' responsibilities and requirements to protect personal data and oblige them to notify (to a relevant supervisory authority) within strict timescales, a breach likely to result in a risk to the rights and freedoms of individuals. Individuals may also need to be notified depending on the likely risks from the breach. It will also impose tough penalties for failing to comply – depending on the breach of the Regulations, fines of up to four per cent of global annual turnover for the previous financial year or €20 million, whichever is higher, can be imposed.      

Individuals who have suffered material and non-material damage as a result of an infringement of the Regulations will be entitled to compensation from the data controller or the data processor, and the controller and processor are jointly and severally liable. The ability to claim non-material damage means that individuals can pursue claims for distress, even where they have not suffered a financial loss. Controllers and processors who have infringed the Regulations, and also any processors that have breached the data controller's lawful instructions, will only escape liability if they can show that they are not in any way responsible for the event giving rise to the damage.    

Given the new laws and potentially much heftier sanctions in the event of future data breaches, companies and institutions should already be planning and taking steps to ensure compliance. Those steps should include putting in place a breach team and training them to respond to incidents. Incident response plans should also be revisited and evaluated in response to any incident that arises, and revised appropriately where necessary.   

Helen Davenport, Director at Gowling WLG 

Image Credit: Balefire / Shutterstock