Out-Law Analysis | 13 Feb 2014 | 3:23 pm | 7 min. read
The increase in the volume of data that businesses now store, the growing use of mobile devices, and the trend of users connecting their own devices to corporate networks are factors making data breaches more likely. And proposed changes to EU law mean that organisations will no longer be able to keep breaches a secret.
Government research has found that 87% of all UK SMEs and 93% of firms with more than 250 staff had experienced at least one security breach in 2012. This means that nobody can escape data breaches. What will increasingly matter is how well prepared you are and how you deal with them.
Many organisations still try to hide the fact that breaches exist and manage them behind closed doors, but changes to EU law mean that this option is about to be removed. EU governmental bodies are wrangling over a General Data Protection Regulation that is likely to force many more organisations to report publicly on many more data breaches.
This means that keeping a breach a secret will no longer be an option, and it means that organisations will have to be clearer than ever about how they deal with them. Organisations might not welcome the development, but evidence shows that those with detailed data breach and cyber security plans are the ones that deal best with the fallout from a breach.
Those plans must become a priority for the boards of organisations of any significant size. Those at the very top of organisations need to recognise the real risks facing their businesses and take steps now to minimise those risks by preparing more fully for breaches.
What causes the risk?
Cyber security and data breaches happen when people get access to data and systems that they shouldn't. It might be customer data, credit card details, medical information or even just a list of email addresses – any large amount of data in the wrong hands can cause significant damage.
This can happen when people hack into systems, but it is more likely to be opportunistic or due to negligent employees. A lost or stolen laptop, phone or memory stick or a carelessly unsecured IT network can lead to significant breaches. System failures, third party faults, hacking attacks, insider or rival theft can also result in personal data, confidential or commercially sensitive information, such as businesses' trade secrets, being compromised.
The fallout can be huge. Reports by companies such as Huawei, Verizon and Marsh, as well as the Bank of England, have warned about the scale and potential cost of data breaches, whilst a global security report by Trustwave even identified the industries most susceptible to being compromised – the retail sector was especially attractive to hackers due to the ability to make money from selling stolen payment card data, it said.
According to Symantec, businesses are experiencing increasing costs as a result of data breaches. In 2011 the average cost of data breaches to an organisation was £1.75 million. Last year that figure rose 15% to £2.04m.
So costs can be significant, and they may include regulatory penalties. A recent case ruled on by the Information Commissioner's Office (ICO) highlighted that businesses with some security measures in place may still fall foul of UK data protection rules. The ICO fined Jala Transport Limited £5,000 when a hard drive containing customer data was stolen. The fine was smaller than it otherwise would have been because the company self-reported the breach.
The fact that access to the hard drive was password-protected was not enough for the company to be said to have met its obligations with regard to data security. The company should have used further encryption methods to secure the information stored, the ICO said. The Sony case – where the company was fined £250,000 after its PlayStation Network was hacked – showed, though, that organisations of different sizes and resources will be held to different security standards.
An emerging source of risk is the prospect of 'collective redress', where a collection of people bring group proceedings against an organisation. Proposed changes to UK consumer protection legislation would, if introduced, enable a larger range of consumer groups to bring claims on behalf of individuals.
The draft General Data Protection Regulation would, if introduced, also provide a right of redress for individuals against businesses where they believe their privacy rights have been impinged on.
If security or data breaches were the subject of collective redress actions then this could increase the cost and complexity of the risk arising from those breaches, moving another step closer to US-style class actions.
Why doesn't every organisation have a plan?
Despite these repeated warnings many executives still don't take cyber and data breach risks seriously enough. They underestimate how frequently such incidents arise, typically assuming that it will not happen to their business.
When incidents do happen it is common for executives to sweep them under the carpet to preserve the organisation's reputation and consumers' trust.
They are entitled not to disclose breaches in a lot of cases. While UK data protection law says that organisations must take "appropriate technical and organisational measures" to prevent the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data", it does not force them to go public when there is a breach.
This is likely to change soon, though. EU law has already placed an obligation to disclose data breaches on telecoms companies, and a new Network and Information Security Directive would require public administrators and 'market operators', such as banks and energy companies, to notify designated regulators of "significant" cyber security incidents that they experience and in some cases to report them to the public.
The General Data Protection Regulation in its current draft would create an obligation for all businesses to report breaches to regulators and affected consumers in certain circumstances.
Regulators could levy fines of up to the higher of €100 million or 5% of businesses' annual global turnover for non-compliance.
Making a plan
Businesses may feel frustrated at the new laws proposed, but if they have the effect of forcing organisations to plan for information disasters, then that is a positive effect. Symantec said that businesses can save on costs associated with such incidents if they establish and implement a "formal incident response plan". Having a plan for how to deal with incidents is a major factor in reducing risk and lowering the eventual cost of the breach.
A good starting point would be to implement the Government-backed 10 steps to cyber security (20-page / 3.12MB PDF). The steps include developing a "mobile working policy" for staff, ensuring devices contain security features that "protect data both in transit & at rest", engaging in cyber attack testing and limiting who can access key information.
Businesses should also monitor for the finalising of the new organisational standard on cyber security that the Government is creating. It has said that none of the ISO27000-series of standards quite fit its requirements, but it plans to base the new standard on that suite of existing guidelines.
Businesses are, generally, not protecting themselves properly against their exposure to costs associated with a data breach. They need a comprehensive plan to turn to should the worst happen, but this is something many companies lack. The plan should include having access to a network of experts that can help address the variety of issues that arise following a data breach – from communicating with consumers to running forensic IT examinations and providing credit monitoring services.
Should the worst happen, businesses should be prepared to consider self-reporting incidents to the ICO. Self-reporting does not guarantee that businesses will avoid fines over data breaches – something an Upper Information Rights Tribunal recently confirmed – but the ICO is on record as saying that it is minded to treat businesses that self-report data breaches more favourably than those that don't when determining what level of penalty to levy, or even whether to impose a fine at all.
In the insurance market, a growing range of products is being made available to businesses to insure themselves against data and security risk. Products may offer insurance against data breach costs, damage done by hackers, and other cyber liabilities, such as the cost of regulator penalties, where insurable, and litigation initiated by consumers affected.
The market for cyber insurance products has been more active in the US than in Europe. There, regulators such as the Securities and Exchange Commission require disclosure of some incidents, whilst adoption of the policies was also triggered by the publicity generated by the data breach experienced by discount clothes retailer TJX, where credit card information was stolen from more than 45 million customers.
However, the price of those policies, and difficulties in interpreting what precisely they provide cover for, mean that many organisations do not currently purchase them. They will not fit every organisation's needs, but many insurers offering data breach and cyber liability products also provide policyholders with access to the network of experts they would otherwise need to individually seek out and contract with for help in the management of incidents.
Board-level engagement and sponsorship of cyber security initiatives is critical, as is securing a budget for it.
To achieve this, data protection officers, privacy counsels, CIOs, CTOs or others that may be responsible for ensuring regulatory compliance and systems security should consider producing a two-page document ready to present to the board summarising the risks their business faces, the current plans and processes in place to deal with them and an outline of what future procedures and processes are required to address the threats and mitigate the risk.
Businesses cannot afford to delay or be complacent, particularly as forthcoming changes in regulation threaten to expose those that are unprepared and the age of big data, cloud computing and the internet of things drives consumer-focused response by industry.
Ian Birdsey is a technology, media and telecoms law expert at Pinsent Masons, the law firm behind Out-Law.com