Business Law & Compliance

Doing business online? Ensure you don't get penalised for data protection breaches


23 May 2017

The UK government launched its five-year National Cyber Security Strategy in November 2016, investing £1.9bn to protect UK businesses from cyber attacks and to make the country the safest place to live and do business online.

This strategy has included the opening of the National Cyber Security Centre (part of GCHQ) and the creation of campaigns, such as Cyber Aware and Cyber Essentials, to ensure those doing business online have expert guidance on hand.

More recently, the government produced a report into cyber security breaches, based on a survey of over 1,500 UK businesses. It found that just under half of all UK companies suffered at least one cyber security breach or attack in the last 12 months, yet only one in ten have a cyber security incident management plan in place. Only a third have a formal policy that covers cyber security risks.

The average cost of a breach is said to be around £20,000, but this is a conservative estimate, and for many larger companies the cost is much higher, and not only in monetary terms. The risk of negative publicity and damage to reputation remains high even when security measures are adopted and insurance cover is in place. It is no wonder bosses are confused about what to do to protect their companies and the data they hold.

The danger of doing business online lies in not sufficiently addressing the risks, perhaps because it seems impossible to eliminate the threat completely, or because bosses are put off by scaremongering from InfoSec consultants or cyber insurance brokers.

But failing to adopt and maintain appropriate security measures could be considered a breach of directors’ duties under the Companies Act 2006. Directors who don’t address cyber risks could face fines and claims for compensation under data protection legislation, as well as potential action from regulators such as the ICO or FCA.

From 25 May 2018, the new General Data Protection Regulation (GDPR) comes into effect. Security of personal data is a key feature of the GDPR, building on the existing data protection principles and security requirements in the Data Protection Act 1998.

Businesses will need to review security measures, especially when electronic personal data are processed. This is particularly important for companies handling personal data online; the government survey shows these companies are more likely to suffer a breach, with the majority of attacks coming through fraudulent emails, viruses and malware.

There are severe penalties for data protection breaches under the GDPR, including fines of up to €20m or four per cent of a company’s global annual turnover, whichever is higher, so there is a need to deal with cyber security, whatever the size and scope of the business. How to manage the threat must be an issue considered at board-level by senior management as cyber security issues will impact the overall business strategy and operations.

While there are clearly advantages to company and personal data being accessible online, in the cloud and on personal devices, at any time and from any location, the disadvantages cannot be overlooked. Because cyber risks, including ransomware, hacking and malware attacks, present a constant threat and are a growing concern for everyone, bosses doing business online must do more to protect themselves.

The government’s recommended Cyber Essentials scheme includes a range of technical controls, which, if adopted, can give you certification that you meet basic cyber security standards. These include:

1) Boundary firewalls and internet gateways;
2) Secure configuration;
3) Access control;
4) Malware protection; and
5) Patch management.

Obtaining a Cyber Essentials certificate enables a business trading online to show customers, investors, insurers and others that it is taking these essential precautions against online threats. It is a minimum standard, however, and many companies, particularly those already certified against a broader standard such as ISO 27001, will meet these requirements already.

Unfortunately, hackers will still try to breach security and manipulate systems and people to gain access to valuable company information and personal data. Companies are therefore encouraged to invest in training for all staff, not just those in information security, since the majority of breaches involve employees, whether through phishing, viruses or ransomware attacks, as well as technical security failings.

Finally, despite mixed responses from businesses who have taken them out, cyber insurance policies should be considered as part of any cyber security programme. Bosses should carefully examine the level of coverage available and ensure that they can meet the minimum standards the policy requires for it to be effective, but investing in insurance cover is an appropriate response to the cyber security threat.

Andrea Ward is senior associate at McGuireWoods London
