updated on 10 October 2017
Question: What are the implications of cyber-attacks for businesses and what can they do to prepare?
The increasing frequency with which reports of cyber-attacks and data breaches are appearing in the news has put the issue of cyber security at the forefront of many businesses' minds. Almost all businesses will be in possession of data which could potentially be vulnerable to cyber-attacks. Customer personal data is especially vulnerable to exploitation by hackers, whether through data breaches or by locking businesses out of the data using methods such as ransomware. In light of this increasing threat, what risks do cyber-attacks pose to businesses, and what steps can be taken to mitigate these risks?
Suffering a data breach could financially impact a business in a number of ways. First, if the breach involves the loss or theft of personal data, the business could be subject to a fine by data protection authorities. In the United Kingdom, we have seen the Information Commissioner's Office (ICO) become increasingly bullish in their penalisation of businesses suffering data breaches. In October 2015 the regulator levied a fine of £400,000 on TalkTalk for security failings that allowed an attacker to access customer data, including bank account details. The company was fined again in August 2017 for risking the security of customer data it shared with an IT services company without adequate security measures. While the maximum fine the ICO can levy is limited to £500,000, the stakes will be raised by the introduction of the General Data Protection Regulation (GDPR) from May 2018. Under the new rules, the level of potential fines will increase substantially, to a maximum of the higher of 4% of a business' worldwide annual turnover or €20,000,000.
Another potential cost to a business, particularly in cases where customer personal data is stolen, is damages. Under the current data protection regime in the United Kingdom, any individual who suffers 'damage' as a result of a breach of the rules by a data controller is entitled to compensation. The meaning of damage in this context has been much discussed by the courts and, while very few claims for compensation have been brought by individuals, there are examples where they have been successful. For example, in 2016 a former police officer was granted £9,000 in damages after her personal information was improperly accessed by police forces.
Given the greater profile that data protection will be given following the implementation of the GDPR, we anticipate that the number of compensation claims brought by individuals affected by data breaches will increase. As such, the adverse effects of a cyber-attack on an organisation storing personal data will likely only increase in the future.
The financial implications of a cyber-attack may also extend beyond any compensation or penalties imposed. If an organisation's business practices or IT systems left the data particularly vulnerable to theft, an overhaul of how that organisation deals with the data it stores may be necessary. This may require consultation with external experts, and significant upgrades to its systems, all of which could be very costly.
For some businesses, especially those which are consumer-facing, the damage that a highly publicised data breach could do to their reputation may impact them far more than any financial ramifications. During Verizon's takeover of Yahoo, Verizon publicly acknowledged that the Yahoo data breach could have caused them to walk away from the deal altogether.
Similarly, following its announcement that the personal information of up to 143 million of its customers may have been compromised, Equifax is not only facing several high-value lawsuits but has also suffered extensive negative publicity. The credit agency was strongly criticised for its response to the attack. Three senior executives, including its chief executive, have left the company as a result.
The threat of cyber-attacks will also be a real concern to law firms. As businesses, they will process a large amount of data, including confidential information relating to their clients. At the time of the NHS ransomware attack, the ex-deputy director of the UK government National Security Secretariat highlighted law firms as potential targets. In June this year, a well-known commercial law firm was hit by a ransomware attack, temporarily knocking out its IT systems. Therefore, as well as advising clients on their own responsibilities as controllers of personal data, law firms must also ensure that their businesses operate stringent and secure data protection practices.
Of course, the personal data of customers is not the only category of data that could be in a business' possession. Businesses will hold a large amount of data that they wish to keep confidential. This could include the customers or suppliers they have contracts with, the expertise they have developed internally, or trade secrets integral to their business. Although an extreme example, the formula for Coca-Cola syrup is supposedly held only in written form and known only to a handful of people, rendering it far less vulnerable to cyber-security issues and helping the company retain its advantage over competitors.
There are a number of preventative steps that businesses can take to reduce the risks posed by cyber-attacks. First, businesses should only ask for personal data that they need. Collecting unnecessary data creates unnecessary risk in the event of a breach, not to mention that such collection in itself would be a breach of data protection legislation. Similarly, businesses should also periodically review the data they possess, and have effective mechanisms for deleting data that they no longer need to retain. The less personal data an organisation possesses, the less the impact of any breach of that data will be, both to the organisation and the subject of the data.
Second, businesses should maintain adequate and up-to-date IT systems and practices which are regularly tested to assess their vulnerability to cyber-attacks. They should also carry out due diligence on any third-party IT providers that process personal data on behalf of the business (e.g. those that rely heavily on the cloud for data storage) to ensure that they are also compliant with applicable legislation.
It is also a good idea to have a data incident response plan in place, so that if a business does suffer a cyber-attack, it can invoke the plan, respond and address the ramifications quickly and efficiently.
Insurance against the financial risks posed by cyber-attacks is also becoming increasingly common. As always, businesses should review the small print of any such insurance policy to ensure that it gives the business adequate protection.
Cyber-attacks will only become more prevalent as businesses increasingly rely on technology-driven processes and digital storage, and as personal data is exploited in ever more sophisticated ways. As such, and given the immense damage that a cyber-attack can do, it is imperative that businesses start to treat cyber-security seriously and as a boardroom issue.
Tom Hunt is a paralegal in the commercial, IP and technology department at Travers Smith. He will start at the firm as a trainee in September 2018.