³ÉÈËÓ°Òô

This month, we have seen further reported incidents of the use of malware and cyber security to gain personal data from consumers.

The Banks’ Integrated Reporting Dictionary (BIRD) website, owned by the European Central Bank (ECB), was hacked early this August, whereby the names, email addresses and job titles of the 481 subscribers to the bank’s e-newsletter may have been stolen.

Since 2018, the Information Commissioner’s Office (ICO) has made a total of 67 enforcements in an attempt to reinforce the confines of GDPR compliance and UK privacy laws.

Cyber security: On the rise

In Banking, new data released from banking trade body, UK Finance, revealed that incidents of online payment scams reached nearly 85,000 in 2018, with total losses of £354.3m. In Science, more recently, we saw the incident of Eurofins Scientific, the UK’s biggest forensic services provider, being targeted by a highly sophisticated ransomware virus in June. British police suspended work at the company in order to deal with investigation, creating a backlog of 20,000 forensic samples as a result.

The amount of sensitive data handled by large companies makes them a prime target of cyber attacks. Poor data management could lead to firms becoming vulnerable to threats such as bank transfer fraud, phishing scams, ransomware or data breaches, which allow for additional compliance risks. Furthermore, data collected through fraudulent means can be used many years after the event has taken place, and can be used to facilitate deception scams against companies and consumers, making them highly convincing and far more difficult to guard against.

As digital transformation continues to proliferate, companies would be wise to look to key technology providers in the industry, in helping them navigate these potentially challenging new territories.

Managing the data breach risk

Our current commercial climate is becoming increasingly data-driven. With more and more companies offering access to data and services online, and a high upward trend in mobile users, which is currently forecasted to reach 5.9 billion by 2025, the equivalent to 71% of the world’s population[1]. The more that corporate companies are expected to deliver their services digitally, and handle sensitive data frequently, in large volumes, the more they are at risk of advanced data breaches, and therefore the considerable resulting fines:

Fines applied to , , , and , plus proposed penalties for and , for GDPR compliance violations. Revenue figures calculated using publicly-available investor reports and estimates from . Maximum possible fine is defined as either €20m (£17.6m) or 4% of annual revenue, depending on which is greater, as stipulated in GDPR.

Source: ExchangeWire

Factors affects the breach reporting process

Every breach is unique, therefore, knowing what to do in response to every breach that occurs can be challenging. Invariably, this means that not all potential or actual breaches can be reported in the same way, and defining the right process to also becomes more challenging

Having clarity at a business level of the risk severity and action points is very important. A lack of this results in companies being slower to make decisions, which impacts on the ability to meet deadlines and action points

Every step of the breach management process must be documented  for the regulator – this audit trail is essential to minimise a fine. If there is no consistent process for this, or if it is manual, mistakes are more likely, and the regulator will likely consider this when assessing the fine

Communication during the process, whether it be to the regulators, supply chain partners, employees, media outlets, the Board, breach victims, stakeholders, and so on, will all be assessed when reviewing any fine. Clear, succinct templates are needed to ensure that no information is missed out

With no process or tools in place, an organisation’s ability to plan and focus resources against future incidents becomes impaired.

Introducing the Cordery Breach Navigator – effectively protect your organisation

Cyber security and data protection will continue to be major topics of focus for in-house lawyers in 2019, with the heavy emphasis on protection of personal data, GDPR compliance and the avoidance of high-risk data breaches.