[BreachExchange] The Rules: View your business as a data company or pay the price

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 13 15:55:14 EDT 2016


http://www.financialdirector.co.uk/2016/05/13/the-rules-view-your-business-as-a-data-company-or-pay-the-price/

Companies processing personal data already have a duty to ensure that there
are appropriate technical and organisational measures to protect against
breaches. When they fail, the Information Commissioner’s Office (ICO)
currently has the power to impose fines of up to £500,000.

That figure may be enough to see the value in taking appropriate measures
to reduce – you can never eradicate – the risk. However, when you consider
the average cost of a data breach is said to be between £600,000 and £1.5m,
the need to take protective steps is obvious. When the General Data
Protection Regulation (GDPR) supersedes the Data Protection Act (DPA),
which is due in 2018, the balance tips even further towards taking action.

Under the GDPR, the ICO will have the power to impose fines for data
breaches, depending on the nature of the breach, of up to 4% of a business’
global turnover or €20m (£15.7m), whichever is the greater. In addition to the
fine, the real cost will include the direct associated costs with handling
the breach; any compensation that might be payable; and the reputational
harm caused by the breach. The latter may be unquantifiable, but in extreme
cases it may be terminal. Does anyone expect Mossack Fonseca to be in
business in 12 months?

When a breach occurs, a business needs to know what it is facing. The hack
last year on TalkTalk cost the company at least £50m, not helped by the
fact that it had no idea at the outset how many customers were affected or
indeed how the breach had occurred. Whilst the reality was less than first
feared, it is no coincidence that some 250,000 customers are said to have
left TalkTalk in the wake of the incident. Had the company been better
prepared – this was the third attack in about six months – and actually
understood the extent of the problem straight away, much of the harm would
have been avoidable. As ever, how a business deals with a crisis says a
great deal about it: a crisis can damage a brand, but it can also enhance
it.

In replacing the DPA, the GDPR builds upon and extends the current law.
The “integrity and confidentiality principle” will continue to impose an
obligation to process personal data in a way that ensures “appropriate
security” by using “appropriate technical and security measures”. What is
“appropriate” will take account of such factors as the nature of the
information, the purpose of the processing, the organisation’s capacity,
the costs of protection and the risk of loss or unauthorised use.

The GDPR will also impose upon businesses processing personal data a duty
to:

co-operate with the ICO;
process data securely by appropriate means such as encryption; to be able
to restore information effectively; and to test systems regularly;
notify the ICO within no more than 72 hours of a breach unless it is
unlikely to affect the rights and freedoms of those affected;
notify individuals that the security of their data has been breached; and
follow any relevant sector regulatory codes.

These duties will be enforced by the ICO having the power, amongst others,
to carry out investigations; to obtain access to a business’ premises; and
to ban processing for a defined period of time. The ICO will be no
toothless regulator.

When examining what happens today in the best prepared organisations, the
GDPR can effectively be seen as imposing best practice to minimise data
breaches by way of regulation.

Use the time wisely

2018 may be thought to be some way off: it is not. It will take almost any
organisation some 18-24 months to put in place the necessary technical and
organisational processes in order to comply with the new regime. Some
companies may be close to the level of protections appropriate for their
business. There are accreditation schemes to which organisations can apply
and become accredited (e.g. Cyber Essentials Plus and ISO 27001). However,
preparation should include:

proper personnel vetting procedures for all staff and casuals;
a suitable rolling training and education programme;
appropriate levels of technical protection;
clear policies of use for IT systems and devices and appropriate employee
confidentiality obligations;
consideration of those obligations the company should look for in suppliers
and other external stakeholders;
establishing a crisis management plan to deal with data breaches;
a business continuity plan in the event of a denial of service attack;
as well as identifying your internal leadership and crisis management team,
knowing who your external advisers will be in case of a breach (e.g. computer
forensics, lawyers and communication experts);
considering the appropriate level of insurance; and
conducting simulations and regular reviews. Practice makes perfect.

Conclusion

A business today needs to view itself as a data business as much as it
considers itself to be a manufacturing or service company. Only then will
it fully address the risks it faces. Cyber protection should be a board
matter. It is simply too important, both financially and reputationally, to
ignore. As much as it is necessary for a business to meet its legal
obligations, the ability to attract and retain customers may depend on it
meeting best practice. Some sectors, such as banking, already demand
appropriate protections. Technological developments have created amazing
opportunities, but simultaneously significant risks which are global.