Cyber Attacks: Why Cyber Security is more important now than ever

Amanda Leiu

Cyber security continues to be headline-grabbing news, particularly in light of the global “ransomware” cyber attack which recently hit the NHS, Telefónica and FedEx. The ransomware reportedly encrypted data on over 300,000 computers in some 150 countries, with hackers threatening to delete data unless a ransom was paid. This latest attack is reported to be the biggest online extortion scheme ever.

The Information Commissioner’s Office (ICO) issued a statement in response to the latest cyber attack to reiterate that “all organisations are required under the Data Protection Act to keep people’s personal data safe and secure.”

Whilst concerns about cyber related risks and data security are not new, the issue is becoming ever more pressing for businesses, not least because of the introduction of the General Data Protection Regulation (GDPR) in May 2018.

The cyber threat

The recent global ransomware attack which hit 47 NHS trusts is not an isolated case. The UK government’s 2017 Cyber Security Breaches Survey found that:

  • over two thirds of large firms and SMEs detected a cyber security breach or attack in the last 12 months;
  • in the last year, the average business identified 998 breaches; and
  • for a large firm, the average cost to the business as a result of a breach is £19,600.[1]

These statistics highlight the fact that cyber attacks are a growing area of risk for businesses. More and more business is conducted in digital form on globally interconnected technology platforms. As this trend continues, businesses’ exposure to a cyber attack inevitably increases.

The threat is no longer limited to large organisations. Smaller organisations have not historically been the target of cybercrime but this position has changed in recent years. SMEs are now being targeted by cyber criminals and with increasing frequency.

The consequences

The consequences of a cyber attack can be multiple and far-reaching: disrupted business systems, regulatory fines, compensation claims, reputational damage and loss of consumer trust.

The legal implications in relation to cyber and data security arise primarily from the Data Protection Act 1998 (DPA). The DPA requires organisations to take appropriate technical and organisational security measures to prevent unauthorised or unlawful processing of, or accidental loss, destruction of or damage to, personal data. Under the DPA, the ICO can impose fines of up to £500,000 for breach of this obligation. This is set to dramatically escalate under the GDPR to an upper limit of €20 million or 4% of annual global turnover – whichever is greater.

If appropriate measures have not been taken to keep people’s personal data secure and a cyber security breach occurs, organisations risk leaving themselves open to a fine or other enforcement action. This was the case with TalkTalk, as discussed in our earlier article “The Only Way is Up – Fining Powers on the Increase for Data Protection Breaches” (21 March 2017). The ICO issued more than £1,000,000 in fines last year for breaches of the DPA. Moreover, the individuals whose personal data is affected may seek compensation from organisations for such breaches.

The challenge of compliance with data protection laws is set to potentially increase and become more onerous under the GDPR. The GDPR will supersede the DPA and introduces new and extended obligations for organisations.

Businesses will be legally required to report data breaches that pose a risk to individuals to the ICO within 72 hours and, in some cases, to the individuals affected. Data processors will also have direct obligations in relation to data security for the first time. Another key change is around accountability – the GDPR creates an onus on companies to demonstrate compliance with the data protection principles and to put in place comprehensive governance measures.

Mitigating the risks – what should you be doing?

In light of the risks highlighted, it is more essential than ever that organisations protect themselves (and, by extension, their consumers) from increasingly sophisticated cyber attacks.

To minimise the risk of a cyber attack and ensure regulatory compliance with the current DPA and the incoming GDPR, businesses should be looking to take the following steps:

  • generate awareness within your organisation;
  • set up a project team with full board engagement;
  • carry out a data inventory and mapping exercise to understand what data you have, what you use it for, where it is held and what third parties are involved in processing data;
  • carry out a gap analysis to work out what compliance steps are needed;
  • review all relevant policies, procedures and contracts;
  • undertake a data privacy impact assessment, if needed;
  • prioritise and scope out a cyber security incident response plan;
  • implement and rehearse the cyber security incident response plan; and
  • train staff, monitor processes, audit and adjust.

[1]https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/609186/Cyber_Security_Breaches_Survey_2017_main_report_PUBLIC.pdf (pg. 8)


Amanda Leiu is a trainee solicitor in the Commerce & Technology team at Fox Williams LLP.

The Only Way Is Up – Fining Powers on the Increase for Data Protection Breaches

Julianna Tolan

Last year saw the Information Commissioner’s Office impose record fines for data protection breaches, totalling £2,155,500.

TalkTalk was on the receiving end of the greatest financial penalty in ICO history for a highly publicised cyber-attack that claimed more than 150,000 of its customers’ personal details. The regulator considered these security failings sufficiently grave to issue the telecoms company with a £400,000 fine, close to its maximum fining powers of £500,000.

Other recipients of financial penalties from the ICO in 2016 included EE Limited, Hampshire County Council and David Lammy MP. In the latter case, Mr Lammy was accused of instigating 35,629 calls over two days, playing a recorded message that urged people to back his campaign to be named the Labour party candidate for London Mayor. This conduct resulted in a £5,000 fine for nuisance calls.

Of course, the ICO has a host of other enforcement tools at its disposal, such as issuing undertakings, serving enforcement notices and in the most serious cases, commencing a criminal prosecution against individuals or companies who contravene the Data Protection Act.

But for bottom-line-conscious businesses, monetary penalties have historically been an effective means of compelling compliance with good business practice.

That ought to be the case now more than ever, as the EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018, which will radically increase the maximum fines that can be imposed on UK businesses from £500,000 to an upper limit of €20 million or 4% of annual global turnover – whichever is higher.

These previously unprecedented fining powers mean that for many companies, the outcome of a serious data protection breach could conceivably result in insolvency or even closure of the business.

Given the profound detriment that data losses have been shown to cause to consumers over the past 12 months, it is perhaps timely that the ICO is finally catching up with other UK regulators. Enforcement authorities in the fields of health and safety, competition and environmental protection have long possessed the power to impose exorbitant fines capable of closing errant businesses down.

With the GDPR on the horizon, businesses should now seize the opportunity to monitor and review their compliance with data protection laws, including the effectiveness of internal policies and procedures. After all, the consequences of failing to do so could be costly.

Julianna Tolan is an Employed Barrister in the Dispute Resolution team at Fox Williams LLP acting for commercial and financial services clients in respect of contentious and non-contentious regulatory issues. Julianna can be contacted at jtolan@foxwilliams.com

ICO reports its own data security breaches

Josey Bright

An article in the Evening Standard last week revealed that the ICO has investigated itself in a number of complaints made against it since 2013, at least 11 of which have been upheld.

Seven of the complaints resulted in the ICO being ordered to take action to prevent further breaches, two with compliance advice being given, and two with concerns being raised.

There were also at least three occasions where the ICO’s own staff reported themselves to the Information Commissioner for accidental breaches of individuals’ personal data, although the Information Commissioner ruled that there was “no detriment” to anyone arising from the self-reported breaches.

The ICO’s internal investigations were revealed following a Freedom of Information request made by Liberal Democrat peer, Lord Paddick. In a letter to Lord Paddick’s office, the ICO’s lead information access officer, Ian Goddard, said: “We oversee the Data Protection Act 1998 but we also have to comply with its requirements. This means that on occasion we will have to self-report to ourselves in our capacity as a regulator. It also means that individuals can raise complaints about us, to us, in our capacity as a regulator.”

The article serves as a reminder that, from 25 May 2018, when the General Data Protection Regulation (“GDPR”) comes into force, it will be mandatory to report data breaches. Currently, under the Data Protection Act, it is not compulsory for data controllers (excluding telcos) to report breaches of data security to the ICO, although non-binding ICO guidance recommends that serious breaches should be brought to its attention.

Under the GDPR, organisations will be required to notify the ICO of a data breach without undue delay and where feasible, within 72 hours. In addition, data processors will be required to notify data controllers of a data breach. Failure to report a breach could result in a fine, as well as a fine for the data breach itself. With the maximum fines under the GDPR raised to the higher of 4% of annual worldwide turnover or 20 million euros, organisations should ensure that they have the right procedures in place to detect, report and investigate a personal data breach.

Josey Bright is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jbright@foxwilliams.com

ICO: “Cyber security is not an IT issue, it is a boardroom issue”

Josey Bright

Talk Talk

On 5 October 2016, Talk Talk was issued with a £400,000 fine – the highest fine yet from the Information Commissioner’s Office (“ICO”) – for breach of its security obligations under the Data Protection Act 1998 (“DPA”).

Between 15 and 21 October 2015 a hacker took advantage of technical weaknesses in Talk Talk’s systems and succeeded in accessing the personal data of 156,959 customers. In 15,656 cases, the attacker also had access to bank details and sort codes.

The Information Commissioner, Elizabeth Denham, said that the “fine acts as a warning that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this because they have a duty under law, but they must also do this because they have a duty to their customers.”

In addition to the fine, the costs resulting from Talk Talk’s data security breach amounted to £60 million.

Data Security Principle under the DPA

The seventh data protection principle in the DPA requires that personal information must be kept secure. It says that: “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The DPA is not prescriptive about what measures must be taken and there is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, and businesses should adopt a risk-based approach to deciding what level of security they need.

Preventative measures – lessons learnt from the ICO’s Talk Talk investigation

The ICO found that the inadequacies in Talk Talk’s security measures were the result of “serious oversight” rather than a deliberate intent to ignore or bypass the provisions of the DPA. The cyber-attack could have been prevented if the company had taken basic technical and security measures. In particular, the ICO identified the following issues:

  • Legacy Pages: the data was part of an underlying customer database that Talk Talk inherited when it acquired Tiscali in 2009. These pages were vulnerable and Talk Talk had failed to identify and remove them or make them secure.
  • Outdated Software: Talk Talk was not aware the database software was outdated. It did not know that the software had a bug or that a remedy for the bug had been publicised in 2012 and was easily available.
  • Defences: The hacker used a common technique called SQL injection to which defences exist. Talk Talk ought to have known that there was a risk to the data from this technique and ought to have implemented sufficient defences.
  • Lack of Monitoring: Talk Talk did not proactively monitor its systems to discover vulnerabilities.

The investigation found that Talk Talk was unaware of two previous SQL injection attacks, on 17 July 2015 and between 2 and 3 September 2015, and consequently Talk Talk’s contravention of the seventh data protection principle was ongoing until it took remedial action on 21 October 2015.

The ICO considered the breach serious due to the number of data subjects, the nature of personal data and the potential consequences from the breach – the data could be used for fraudulent purposes.

Other notable cyber attacks

The Talk Talk breach is one of several security breaches to have come to light in recent months. The size and scale of these security breaches illustrates the Commissioner’s statement that companies urgently need to take stock of their cyber security arrangements.

  • Myspace: In June this year, Myspace discovered 360 million passwords and email addresses had been stolen in a hack that occurred in 2013 and these details were discovered listed on the dark web.
  • Yahoo: In August, Yahoo discovered that at least 500 million of its accounts had been hacked in 2014. Yahoo only discovered the 2014 breach because it was investigating reports of a separate breach. The theft is the world’s biggest cyber breach so far. The data stolen included names, email addresses, telephone numbers, dates of birth and encrypted passwords.
  • Tesco Bank: Early this month, Tesco Bank suffered a serious cyber-attack which affected 40,000 customer accounts. Money was stolen from 9,000 current accounts, forcing Tesco Bank to suspend all online transactions. Its security arrangements are currently being investigated by a number of regulatory bodies including the National Crime Agency and the ICO. However, a number of cyber security experts have indicated that its software was vulnerable and was being targeted by cyber criminals for months. Notwithstanding any fines Tesco Bank may be required to pay, it has already spent £2.5 million compensating customers for their losses.

Practical steps for securing data

By being vigilant and proactive, companies ought to be able to prevent significant security breaches and the regulatory fines and compensation payments that follow, not to mention the stigma that such breaches attract.

The following practical steps should be considered to enhance data security:

  • Updates Policy: it is good practice to have an updates policy for software which is used to process personal data and to ensure all software components are included in the policy (e.g. operating systems, applications, libraries and development frameworks);
  • Testing: regularly test and monitor online systems and software for common threats such as SQL injections;
  • Unnecessary Services: completely decommission any service that is not necessary and periodically review remaining services; and
  • Encryption: use encryption schemes to secure the communication of data across the internet.
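The “Defences” finding from the Talk Talk investigation above and the “Testing” step in this list both come down to one mechanism: whether user input is pasted into the SQL text or bound as a value. The following is an added example, not code from the original article or from any company it discusses. It puts a deliberately vulnerable lookup beside the parameterised form and runs both against a constructed in-memory SQLite table; the email addresses and the `lookup_*` function names are assumptions for the demo.

```python
import sqlite3

# Constructed sample rows for the demo; these are not real customer records.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com"),
    (2, "bob@example.com"),
    (3, "o'brien@example.com"),   # a legitimate value containing a quote
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Legacy-style lookup: the input is concatenated into the SQL text, so a
    quote character in the input changes the query's structure instead of
    being compared as part of the address."""
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        # The statement no longer parses: the input was treated as SQL code.
        return None


def lookup_parameterised(conn, email):
    """Hardened lookup: the driver binds the value separately from the SQL
    text, so whatever the input contains it is only ever a string literal."""
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups on two inputs and return the results for inspection."""
    conn = make_db()
    results = {}

    # 1. An ordinary address that happens to contain an apostrophe: the
    #    concatenated query breaks, the parameterised query finds the row.
    legit = "o'brien@example.com"
    results["legit_vuln"] = lookup_vulnerable(conn, legit)
    results["legit_param"] = lookup_parameterised(conn, legit)

    # 2. The textbook tautology shape that a routine injection test sends:
    #    the concatenated query returns every row, the parameterised query
    #    matches nothing because the whole string is compared as data.
    probe = "x' OR '1'='1"
    results["probe_vuln"] = lookup_vulnerable(conn, probe)
    results["probe_param"] = lookup_parameterised(conn, probe)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} -> {value}")
```

A test that sends the second input and checks that the response does not change size is the simplest form of the regular testing the list recommends.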

Higher fines under the General Data Protection Regulation (“GDPR”)

The maximum fine the ICO is currently able to award under the DPA is £500,000. The new General Data Protection Regulation (GDPR), which will have effect from May 2018, offers the ICO the potential to fine up to 20,000,000 EUR or up to 4% of annual worldwide turnover, whichever is the higher.

That’s 20m reasons for companies to review their data security policies and practices.

Josey Bright is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jbright@foxwilliams.com

An Inside Job?

Audrey Williams

Last month a disgruntled Citibank employee was sentenced to 21 months in a Texan prison after he issued commands which left 90% of all Citibank branch offices without network or phone access. In court, the employee admitted: “They [were] firing me. I just beat them to it… the upper management need to see what the guys on the floor [are] capable of doing when they keep getting mistreated…”

Businesses are alive to external cyber attacks but as this example highlights, problems may be lurking closer to home. ‘Insider threats’ may be one of the biggest and least reported risks facing businesses today. A malicious employee can wreak havoc on an operating system at the touch of a button. Insiders can expose confidential information, violate data protection rules, compromise trade secrets and severely damage reputations, not to mention the impact on the bottom line.

Whilst most businesses would prefer to keep such things under wraps to avoid the bad press the problem is very real. In January this year, GlaxoSmithKline was reported to have been ‘attacked’ when two of their own scientists allegedly hacked into the system and stole confidential cancer research to sell on. According to the 2015 ‘Vormetric Insider Threat Report’[1] 89% of global respondents felt their business was now more at risk from an insider attack with 34% saying they felt “very or extremely vulnerable”. Businesses must be on the front foot to combat both opportunistic and premeditated attacks.

The Aftermath

If a similar situation to Citibank occurred in the UK, the individual would be prosecuted under the Computer Misuse Act 1990. Where individuals are found guilty of “unauthorised access to computer material” (as in the Citibank example) or, worse, of accessing a computer illicitly with the intent to steal and sell on hacked data (as in the GlaxoSmithKline example), they risk a prison sentence of between 2 and 10 years depending on the severity of the charge. In addition, if an individual is found guilty of personal data theft under the Data Protection Act 1998, they will be liable to a fine of up to £500,000.

The consequences for the business are wide ranging, as is the action that can be taken. The regulatory ramifications of data theft were highlighted in the recent case of Axon, where the court stated that an employer may be vicariously liable for a data breach caused by a rogue employee. Moreover, if a company suffers an attack of this nature, it may be liable to its customers or suppliers for (1) breach of an express or implied term that personal data would be stored securely and/or (2) negligence, in failing to take reasonable security precautions when storing customer information.

Data protection regulation is being taken increasingly seriously under the new General Data Protection Regulation (GDPR) which is set to come into force in May 2018. Fines will be increased to up to €20 million or 4% of global turnover, whichever is greater. The amount will depend on the type of company and the scale of the breach. Furthermore, whilst it is currently not obligatory to notify the ICO of a data breach, the GDPR makes it mandatory to notify the ICO within 72 hours.

As the examples of Citibank, GlaxoSmithKline and even the NSA in the case of Edward Snowden reveal, even the most secure of organisations are vulnerable to such attacks. Businesses have the tools, and more of a responsibility, to tackle insider threats than outside attacks over which they have no control.

Tackling the Threat

Prevention is always better than cure. Access to highly sensitive information should be limited, documents encrypted, and passwords and access rights properly used. Recognising and neutralising ‘at-risk’ insiders before they reach crisis point is key. Precautions may include background checks for new starters, robust IT and Data Protection policies and comprehensive risk management procedures.

A support team comprising senior management, HR, IT and legal advisors who can identify trigger events (redundancies or a change of ownership) and high risk individuals (employees under notice to leave) should be ready to take action without creating a culture of distrust. If an individual is under notice of termination, IT should monitor the employee’s access to the server to ensure confidential information is not sent to a personal account, provided the IT Policy gives the appropriate monitoring power. Robust confidentiality clauses should be included in all employment contracts to clearly identify and protect confidential information. Remedies for breach of confidentiality include an application to the High Court for injunctive relief or a civil claim for breach of contract. Finally, training your workforce on their security responsibilities will get them ‘on side’ and hopefully empower them to form the business’s strongest line of defence against both outside and inside jobs.

Audrey Williams is a Partner in the HR law team at Fox Williams LLP and can be contacted at Amwilliams@foxwilliams.com