The Increasing Need for Cyber Security
The recent “WannaCry” ransomware attack has placed a microscope over an increasingly pertinent issue for businesses – cyber security. The risk of cyber attacks and security breaches is something that businesses of all sizes need to be cognisant of and prepared for.
The National Risk Assessment 2016, published by the Department of the Taoiseach, recognises cyber security as an issue of growing concern at national, EU and international level. According to the “Global Information Security Survey, 2016”, almost three out of four Irish organisations surveyed had experienced a significant cyber security incident, compared to 57% globally. The survey also revealed that 55% of Irish executives believe their organisation would be unlikely to detect a sophisticated attack on their business. Only 33% of executives globally said the same, a significant drop from 56% two years earlier.
Similarly, the UK’s Department for Culture, Media and Sport reports that as many as 46% of UK companies suffered from a cyber attack or a breach of computer systems in 2016, a figure which is almost double that of the previous year. The UK Government has warned that a “sizeable proportion” of businesses do not have the necessary protections in place to prevent attacks that could result in the loss of customer data.
To combat the growing threat of cyber attacks, organisations are investing more heavily in security and turning to cyber insurance. 39% of the Irish executives surveyed stated that they have cyber insurance that meets their needs, while a further 20% claimed to be actively looking for appropriate cover.
Cyber Security and the GDPR
The EU General Data Protection Regulation (“GDPR”) is also expected to have a significant impact on the cyber landscape. The GDPR entered into force on 24 May 2016 and will apply from 25 May 2018 following a two year transition period.
The GDPR has been described as the most ground-breaking piece of EU legislation of the digital era and a watershed for the cyber insurance market in Europe. The Irish Data Protection Commissioner’s annual report stresses that organisations must be prepared for 25 May 2018, when the GDPR becomes applicable. The report also emphasises the expanded investigations and enforcement role of the Office of the Data Protection Commissioner (“ODPC”). The ODPC’s increased role, the potential for substantial financial penalties for non-compliance with the GDPR and the prospect of data subject claims are likely to significantly increase demand for cyber insurance cover.
The purpose of the GDPR is to provide a single, standardised set of data protection rules across all Member States. It aims to make businesses more accountable for data privacy compliance and to give citizens additional rights and greater control over their personal data. To this end, the GDPR imposes the following key requirements:
• Territorial Scope: It applies to controllers and processors established in the EU, regardless of where the processing takes place, and to organisations not established in the EU where they process the personal data of data subjects in the EU in connection with offering them goods or services or monitoring their behaviour. This will catch non-EU businesses with websites directed at the EU, such as online advertisers and e-commerce businesses;
• Privacy by Design: The theme of data protection by design and by default permeates the GDPR, with the objective being for businesses to design products and services with the privacy rights of individuals at the forefront. Businesses will be required to build privacy in from the outset of any project involving personal data;
• Accountability and Enhanced Individual Rights: Controllers and processors must keep detailed records of their processing activities, which must be made available on request to the relevant Supervisory Authority (in Ireland, the Data Protection Commissioner). A limited exemption from the record-keeping obligation applies to organisations with fewer than 250 employees. Under the GDPR individuals will enjoy enhanced data protection rights including:
– a right to erasure (the “right to be forgotten”);
– a right to restriction of data processing; and
– a right to data portability.
The practical implementation of these new rights is likely to impose significant operational and technical challenges on organisations;
• Mandatory Data Protection Officer (“DPO”): A DPO must be designated by all public bodies, and by businesses whose core activities involve regular and systematic monitoring of data subjects on a large scale or the processing on a large scale of special categories of data. The obligation turns on the nature and scale of the processing rather than on the size of the organisation, so a small business may still be required to appoint a DPO;
• Data Protection Impact Assessments (“DPIAs”): Projects involving “high risk” data processing, including profiling, large scale processing of special (i.e. sensitive) categories of personal data or large scale systematic monitoring of publicly accessible areas, will require a mandatory DPIA before the processing begins;
• Consent: Consent must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative action. Because of this higher threshold, consent is less likely to be relied on as a lawful ground for processing;
• Security Breach Reporting: Transparency has been a key focus of the GDPR and it seeks to address the under-reporting of data breaches. Under the GDPR the relevant Supervisory Authority must be notified without undue delay and, where feasible, within 72 hours of the controller becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors must notify the controller without undue delay. Where the risk to individuals is high, affected data subjects must also be notified without undue delay;
• Data Processors & Vendor Management: Under the GDPR data processors have direct statutory obligations for the first time and can be held liable for damage caused where they have acted outside or contrary to the lawful instructions of the data controller, or have failed to comply with obligations specifically directed at processors;
• Fines and Enforcement: The GDPR significantly increases the scope and level of administrative fines for non-compliance, with the effect that failure to address data protection compliance obligations could prove very costly for businesses. Organisations will potentially be subject to fines of up to:
– €10 million or 2% of total worldwide annual turnover of the preceding financial year (whichever is greater) for serious breaches; and
– €20 million or 4% of total worldwide annual turnover of the preceding financial year (whichever is greater) for very serious breaches;
• Litigation: The GDPR confers on data subjects the right to claim compensation for non-material damage in addition to material damage arising from a breach of data privacy. This is a first in Ireland. Previously, individuals whose data had been stolen following security breaches were slow to litigate because, in order to succeed, they were required to show financial loss arising from the breach. However, the case law in this area is evolving. In the recent case of Vidal-Hall v Google, the UK Court of Appeal held that an individual could claim for distress without having to show pecuniary loss, and awards of up to £250,000 have been made in such cases. It is anticipated that the GDPR will see this trend replicated across the EU.
How to Prepare for Cyber Breaches
Given the evolving cyber landscape, businesses need to take steps at board level to protect themselves against the threat of cyber attacks and to mitigate the potential losses from them. Some of the key steps are:
• Plans, Processes and Procedures: Putting in place policies, procedures and plans to deal with an attack is of critical importance and helps to minimise disruption to the business. This includes the creation of a cyber incident response plan, the establishment of key security controls, the development of a process for reporting cyber breaches (including the 72-hour notification window under the GDPR) and the formulation of guidelines to assist those involved in such processes;
• IT Assessments and Information Gathering: Businesses should conduct an IT risk assessment or DPIA to identify the sensitive information they retain and to highlight any gaps that may exist in its protection, whether technical or otherwise. Ongoing collection of threat intelligence is also important, as it allows businesses to stay up to date with the latest ransomware campaigns and newly discovered vulnerabilities;
• The Appointment of a Cyber Security Officer (“CSO”) and Creation of a Cyber-Incident Response Team (“CIRT”): Businesses should appoint a CSO to lead a CIRT. The CIRT should be made up of individuals from across all business functions who understand the importance of following the approved cyber incident response plan, so as to ensure a cohesive response to cyber incidents;
• Creating a Culture of Awareness: Mandatory training at regular intervals should be introduced to ensure that all employees are able to identify risks and respond appropriately. Company guidelines and policies on cyber security should be distributed to all employees;
• Review Insurance Policies: Businesses should review their existing insurance policies to ensure they provide adequate cover for losses arising from cyber security attacks.
Irish businesses are more focused than ever on managing cyber risk, but this vigilance needs to be heightened given the increasing frequency and sophistication of cyber attacks. Appropriate internal measures, supported by suitable IT security, insurance cover and advisory input, are all crucial tools for organisations to ensure the integrity of their systems and to meet their obligations to clients.