An Inside Job?

Audrey Williams

Last month a disgruntled Citibank employee was sentenced to 21 months in a Texan prison after he issued commands which left 90% of all Citibank branch offices without network or phone access. In court, the employee admitted: “They [were] firing me. I just beat them to it… the upper management need to see what the guys on the floor [are] capable of doing when they keep getting mistreated…”

Businesses are alive to external cyber attacks but as this example highlights, problems may be lurking closer to home. ‘Insider threats’ may be one of the biggest and least reported risks facing businesses today. A malicious employee can wreak havoc on an operating system at the touch of a button. Insiders can expose confidential information, violate data protection rules, compromise trade secrets and severely damage reputations, not to mention the impact on the bottom line.

Whilst most businesses would prefer to keep such things under wraps to avoid the bad press, the problem is very real. In January this year, GlaxoSmithKline was reported to have been ‘attacked’ when two of their own scientists allegedly hacked into the system and stole confidential cancer research to sell on. According to the 2015 ‘Vormetric Insider Threat Report’[1], 89% of global respondents felt their business was now more at risk from an insider attack, with 34% saying they felt “very or extremely vulnerable”. Businesses must be on the front foot to combat both opportunistic and premeditated attacks.

The Aftermath

If a similar situation to Citibank occurred in the UK, the individual would be prosecuted under the Computer Misuse Act 1990. Where individuals are found guilty of “unauthorised access to computer material” (as in the Citibank example) or, worse, of accessing a computer illicitly with the intent to steal and sell on hacked data (as in the GlaxoSmithKline example), the individual risks a prison sentence of between 2 and 10 years depending on the severity of the charge. In addition, if an individual is found guilty of personal data theft under the Data Protection Act 1998, he will be liable to a fine of up to £500,000.

The consequences for the business are wide ranging, as is the action that can be taken. The regulatory ramifications of data theft were highlighted in the recent case of Axon, where the court stated that an employer may be vicariously liable for a data breach caused by a rogue employee. Moreover, if a company suffers an attack of this nature, it may be liable to its customers or suppliers for (1) breach of an express or implied term that personal data would be stored securely and/or (2) negligence, in failing to take reasonable security precautions when storing customer information.

Data protection regulation is being taken increasingly seriously under the new General Data Protection Regulation (GDPR) which is set to come into force in May 2018. Fines will be increased to up to €20 million or 4% of global turnover, whichever is greater. The amount will depend on the type of company and the scale of the breach. Furthermore, whilst it is currently not obligatory to notify the ICO of a data breach, the GDPR makes it mandatory to notify the ICO within 72 hours.

As the examples of Citibank, GlaxoSmithKline and even the NSA in the case of Edward Snowden reveal, even the most secure of organisations are vulnerable to such attacks. Businesses have the tools, and more of a responsibility, to tackle insider threats than outside attacks over which they have no control.

Tackling the Threat

Prevention is always better than cure. Access to highly sensitive information should be limited, documents encrypted, and passwords and access rights enforced. Recognising and neutralising ‘at-risk’ insiders before they reach crisis point is key. Precautions may include background checks for new starters, robust IT and Data Protection policies and comprehensive risk management procedures.

A support team comprising senior management, HR, IT and legal advisors who can identify trigger events (redundancies or a change of ownership) and high risk individuals (employees under notice to leave) should be ready to take action without creating a culture of distrust. If an individual is serving a notice period of termination, IT should monitor the employee’s access to the server to ensure confidential information is not sent to a personal account, always assuming there is the appropriate monitoring power in the IT Policy. Robust confidentiality clauses should be included in all employment contracts to clearly identify and protect confidential information. Remedies for breach of confidentiality include an application to the High Court for injunctive relief or a civil claim for breach of contract. Finally, training your workforce on their security responsibilities will get them ‘on side’ and hopefully empower them to form the business’s strongest line of defence against both outside and inside jobs.

Audrey Williams is a Partner in the HR law team at Fox Williams LLP and can be contacted at Amwilliams@foxwilliams.com

ICO publishes Encryption Guidance

Nigel Miller

Users of WhatsApp will have noticed intriguing messages that WhatsApp is now securing all chat messages and calls with end-to-end encryption.

This coincides with new guidance issued by the UK Information Commissioner’s Office (ICO) on the use of encryption.

The ICO refers to the fact that many data security breaches are caused by data – or the devices on which the data was stored – being inadequately protected.

The ICO takes the view that where encryption software has not been used to protect the data, regulatory action may be taken.

The ICO has shown itself willing to impose hefty fines on organisations that lose unprotected data. For example,

  • the ICO imposed a fine of £150,000 on Greater Manchester Police after a USB stick containing data on police operations was stolen from an officer’s home. The stick contained personal data of over 1,000 people with links to serious organised crime. It was unencrypted and had no password protection;
  • Welcome Financial Services Limited was fined £150,000 after the loss of more than half a million customers’ details. Welcome was unable to locate two backup tapes which contained the names, addresses and telephone numbers of customers. Data on the backup tapes was not encrypted.

Aside from fines, organisations risk significant damage to their reputation as well as compensation claims if they do not store personal data securely.

The legal requirements

The Data Protection Act (DPA) is not prescriptive as to how data should be secured. It simply says, in Principle 7, that:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

While encryption is not a legal requirement, in many cases encryption provides an appropriate safeguard because it is a widely available technology with a relatively low cost of implementation. However, it is not the only option and should be considered alongside other measures. The ICO recommends that this is done by carrying out a Privacy Impact Assessment and taking a risk-based approach.

The ICO refers to various typical scenarios where an organisation might consider encryption; for example, transferring data by disc, USB or email; data storage and back-ups; mobile devices; CCTV; call recordings; and drones.

Use of PINs

The guidance refers to the practice of setting a PIN or requiring users to provide a username/password in order to access a device. Whilst this can offer some assurance, the ICO says that it provides little protection to the underlying data which is commonly stored in plain text on the disk and should not be considered as equivalent to encryption.

Email

Email presents a particular everyday problem. A common type of personal data disclosure can occur when an email is sent to the wrong recipients. Data can also be at risk if an individual gains unauthorised access to the email server or online email account. However, encrypted email solutions can be complex to set up and there is still currently no universally-adopted method for sending email securely.

The ICO recommends that data controllers have a policy governing encrypted email, including guidelines that enable staff to understand when they should or should not use it. For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or as an unencrypted attachment) should be encrypted. Information can also be sent as an encrypted attachment, e.g. one protected by a password which is transferred to the recipient. The password must be sufficiently complex to prevent compromise and should be communicated over a separate channel, e.g. by disclosing the password over the telephone or by SMS.

Mobile devices

Another common problem is the loss or theft of mobile devices such as laptops, smartphones and tablets. By their very nature mobile devices have a high risk of loss or theft. Encryption of the data contained on the device can provide an assurance that, if this happens, the risk of unauthorised or unlawful access is significantly minimised.

Position under the GDPR

Looking ahead, the new EU General Data Protection Regulation, due to come into force in two years’ time, specifically refers to encryption as an appropriate technical and organisational measure. Furthermore, the GDPR provides that organisations that suffer a data breach may not need to notify the data subjects where the data was encrypted. This could be very helpful in preventing the data breach getting into the news, thereby limiting reputational damage caused by the breach.

Next steps

The simple message from the ICO – encryption doesn’t have to be complicated or difficult and could help you avoid a fine. Don’t wait until after a data breach to start using it.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com

A New European Cyber Security Strategy – Part II

Madeleine Croydon

Last week we introduced the new European Cyber-security strategy and the impetus behind the changes. In 2013 the European Commission announced it had proposed a new directive aimed at ensuring a high common level of network and information security across the EU. The directive aims to do so by improving the security of the internet and the private networks and information systems underpinning the functioning of our societies and economies.

On 7 December 2015, the European Parliament and the Luxembourg Presidency of the EU Council of Ministers announced that they had agreed the text of the directive. Although the text has not yet been published, the draft proposals provide us with a good idea as to the aims and function of the directive.

The Proposed Directive

One of the key provisions of the draft directive is a requirement for member states to adopt a national Network and Information System (“NIS”) strategy defining the strategic objectives and concrete policy and regulatory measures to achieve and maintain a high level of network and information security. Additionally, each member state will designate a national competent authority on the security of network and information systems, to prevent, handle and respond to any network information security risks and incidents. A computer emergency response team should be established under the national competent authority’s supervision. The competent authorities will also monitor the application of the directive at national level and contribute to its consistent application throughout the European Union.

Each national competent authority and the European Commission are to form a co-operation network, to cooperate against risks and incidents affecting network and information systems. This will operate an early warning system for certain incidents, including those that could grow rapidly in scale, exceed national response capacity or affect more than one member state. The national competent authorities should also publish on a website information about early warning on incidents and co-ordinated responses.

Each member state will also ensure public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. A market operator is defined as:

(a) a provider of information society services which enable the provision of other information society services (a non-exhaustive list is set out in Annex II of the directive);

(b) an operator of critical infrastructure that is essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health (a non-exhaustive list is set out in Annex II of the directive).

The measures should guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems. Public administrations and market operators will be required to notify the competent authority of incidents having a significant impact on the security of the core services they provide. The competent authority may inform the public, or require the public administrations and market operators to do so, where it determines that disclosure of the incident is in the public interest.

The competent authorities should report any incidents of a suspected serious criminal nature to law enforcement authorities. They will also work with personal data protection authorities when addressing incidents that have resulted in personal data breaches.

Whilst the proposed text does not set out any specified technical standards, member states are encouraged to use standards and specifications relevant to networks and information security.

Finally, member states must adopt rules on sanctions applicable to infringements of the national provisions adopted pursuant to the directive and must take all measures necessary to ensure that they are implemented. The sanctions provided for must be effective, proportionate and dissuasive.

A New European Cyber Security Strategy – Part I

Julianna Tolan

The Threat

Globalisation and advances in on-line commerce have been key to the success of many European businesses. The growth of the internet has enabled the UK in particular to tap into markets that were previously inaccessible, as a global leader in e-commerce. But as well as bringing new opportunities, this reliance on cyberspace also presents new challenges and risks.

The prospect of cyber-attacks on businesses in the UK has never been more potent. Based on the 2015 Information Security Breaches Survey Report by the Department for Business, Innovation and Skills, 90% of large corporations and 74% of small businesses reported a cyber-breach in 2015. The cost of the worst cyber-security breach has been estimated at between £1.5m and £3.14m for large businesses and between £75k and £310k for smaller ones.

Alongside international terrorism, the National Security Strategy categorised cyber-attacks as a Tier One threat to our national security and in recent months George Osborne raised the prospect that terror groups may launch deadly cyber-attacks on Europe.

A New Way Forward

Historically, the approach to cyber security amongst member states has varied considerably, with a patchwork of different legislative regimes. Those states with insufficient security measures diminished the EU’s overall protection and exposed it to attack.

Prompted by mounting concerns about online security issues, in July 2012 the European Commission launched a public consultation on a new strategy for network and information security. The consultation found that 57% of respondents had experienced security problems in the previous year that had seriously impacted upon their activities.

As a result of these findings, on 7 February 2013 the Commission published a proposed new directive on cyber security, which would harmonise the way member states addressed information and network security. Alongside this directive, the European Commission published a Joint Communication setting out an EU cyber security strategy.

It was hoped that these measures would close any loopholes in the existing legislative framework of EU countries. At the same time, they demonstrate the Commission’s commitment to the issue of cyber security, both for its citizens and for businesses within and outside of the EU.

On 7 December 2015, negotiators of the European Parliament, the Council and the Commission agreed on the first EU-wide legislation on cybersecurity. The text will now be formally approved by the European Parliament and the Council. After that it will be published in the EU Official Journal and will officially enter into force. Member States will have 21 months to implement this Directive into their national laws and 6 months more to identify operators of essential services.

In A New European Cyber Security Strategy – Part II, we will outline the key provisions of this historic cyber-security legislation.

Beware the perils of allowing employees to “bring your own device” (“BYOD”)

Helen Farr

It is no surprise that many employees now want to use their own personal mobile devices at work rather than their employers’ equipment. There are clear benefits to employees and the business in which they work if a decision is taken to allow employees to do so.

It is an easy way to improve employee morale and job satisfaction by allowing increased flexibility and efficiency in working practices. It also reduces business costs because employees invest in IT!

But allowing BYOD is not risk free. Businesses need advice on how to implement the right policies and procedures, because the risks, if not correctly dealt with, are capable of having a serious impact on the business.

A key characteristic of BYOD is that personal and business data are stored on the same device. This raises potential risks under the Data Protection Act for the business as the controller of the personal data. The employer cannot avoid its legal obligations under the Act because the personal data is not being stored on its systems.

What steps can business take to mitigate against these risks?

First, businesses should implement security measures to prevent unauthorized or unlawful access to the data. As a minimum, users must use a strong password to protect business data. Ideally, access to devices should be locked and data automatically deleted if an incorrect password is used too many times. The business should ensure that its employees understand what business data can and cannot be stored on a personal device.

Second, the business must be mindful of the personal usage of the device. Employees’ own personal data, including details of their personal lives, could inadvertently end up on company systems as a result of backup policies or misfiling.

Third, protecting data in the event of loss or theft is a key consideration. Data is only as secure as the security measures in place on that device. Most personal devices are not encrypted, so it is easy for any person with physical access to the device to access the information stored on it. Many personal devices automatically store copies of data in consumer cloud services such as Apple’s iCloud or Microsoft’s OneDrive (formerly SkyDrive). Such data is then only as secure as the employee’s password for those services.

Fourth, require employees to submit their devices to security configuration by the IT team, or to use a product to enforce separation of business and personal data on the device. However, it is important to obtain employees’ consent before deploying these measures.

Fifth, ensure that if employees leave, the business is able to maintain confidentiality by ensuring that business information can be wiped from the employees’ devices quickly and effectively. Registering with a locate and wipe facility is one way to do this.

How best to protect your business?

The most effective way to address these issues is to introduce a well drafted, clear and up to date BYOD policy that is effectively communicated to employees. Involve IT, HR and legal professionals when drafting any policy to ensure all relevant issues are covered. Employment contracts should also be reviewed.

If your business does not already have a policy dealing with these issues, a good New Year’s resolution is to take steps to put a policy in place.