22nd Dec 2016 / by Shaun McKay

You’ve been hacked. What are you liable for?

What are the consequences of being hacked?

Hacking occurs every day and everyone is vulnerable. While hackers face prison time for hacking under the Computer Misuse Act, the businesses who are victim to attacks expose themselves to punishment of their own.

The laws that determine the duty on businesses to protect themselves and their customers are both vague and broad, leaving businesses to question just how much protection is enough.

So if you think you’re safe from being hacked, or that you’ve taken all reasonable steps to ensure the protection of your data, you might want to double check.

Penalising the victims of cyber attack

In October 2016, TalkTalk Telecom Group PLC was issued with the largest fine ever imposed by the Information Commissioner’s Office (ICO), £400,000, for being the victims of a cyber attack. In 2009, HSBC was fined £3m by the FSA and even that could be a drop in the bucket. Under GDPR regulations, you could be fined the higher of €10m or 2% of your business’s global annual turnover for being the victim of cyber crime.

Data breaches are appearing in the news more and more. In the summer of 2015, hackers stole and publicised data from 37 million users of the affair website Ashley Madison. The total cost of this breach, including fines, fixes and lost revenue, came to £1.2 billion for the parent company, Avid Life, in the UK alone.

Data breaches from hackers cost businesses more than just the loss of data and reputation. So why are so many businesses fined for being victims of breaches?

The vague test of appropriateness

The Data Protection Directive and the UK Data Protection Act both require a data controller (someone who has access and responsibility for the protection of data) to “implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access”.

So, how much data protection is appropriate?

The ICO has no minimum threshold for the protection of data. Based on the historical evidence of fines, however, we can infer that businesses must at least encrypt business laptops and mobile devices. Common sense seems to be the guiding principle of providing appropriate data protection, but we know that basic encryption of devices simply isn’t enough in many cases to deter hackers or the ICO.

In the case of TalkTalk, the ICO determined that “in spite of its expertise and resources, when it comes to the basic principle of cyber-security, TalkTalk was found wanting.” This statement demonstrates that your level of data security needs to be scaled along with your resources. Data security is considered very much an active IT issue, rather than a passive box-ticking exercise.

Personal data, whether yours or your customers’, has huge value. This can never be overstated.

Why is the law so vague?

The terminology of the Data Protection Directive and Data Protection Acts is very deliberate. The digital world moves at such a pace that it can be almost impossible to keep the law updated. For a quick example, look at copyright laws and how they fail to encompass the implications of YouTube. A vague and broad directive allows unforeseen changes in technology to be retroactively included without the need to rewrite a law and push it through the legislature. A law that is certain in its principles, however vague, is better than no law at all.

Determine the risk

When considering your data protection strategy, attempt to quantify how much it would cost your business if your customers’ data or your price lists were exposed. TalkTalk lost £60 million and 101,000 customers as a result of their hack. So consider: does the investment in IT security outweigh the cost of a data breach? The answer has to be “Yes”. It may be tempting to do the bare minimum in an attempt to show “appropriate” levels of defence, because hey, you’ll be fined anyway, right? But your reputation and the very lifelines of your business demand cyber security that does more.

LeadingEdge provide full service IT solutions for businesses of all sizes. Before rolling out a cyber security solution, we take the time to understand the lifeblood of your business and how to best protect the things that are important to you.

If your business is in need of an IT security solution, get in touch with us today.
