Cyber attacks are a real threat for businesses. A cyber attack that exposes personal or confidential data could have several nasty consequences for your business, including:
- financial loss from stolen funds or a loss of income from an inability to operate your business as usual
- claims for breach of contract if you do not meet your contractual obligations to comply with data protection legislation
- regulatory fines for non-compliance with GDPR or the Data Protection Act 2018
- reputational damage as consumers lose faith in your ability to securely process their data
New and smaller companies are often seen as targets by cyber criminals because they lack the IT resources and legal know-how of larger businesses. If you have any questions or concerns, our data protection solicitors can help you manage the risks of a cyber attack.
- What are the common types of cyber-attack?
- Assessing a cyber risk
- Continuity planning
- Employee liability
- Data breach reporting to the ICO
- Could customer contracts be affected?
- Could our organisation receive potential penalties?
- What about insurance - can this protect my business?
- Best practice tips for your business
What are the common types of cyber-attack?
The National Crime Agency lists the following as the most common cyber threats:
- Hacking – This is a method of obtaining unauthorised access to data, and can include gaining access to people’s social media and email accounts. Hackers can be a force of nature that brings down rival competitors and, depending on the extent of the hack, causes a great deal of reputational damage, affecting profitability and the potential survival of an organisation. One example of a major hack was the arrest of a British man for hacking into Twitter accounts belonging to former President Barack Obama and other major celebrities. The hacking was for financial gain of more than $100,000 worth of bitcoin. It appears that whilst financially motivated hacking is a nuisance, it is still regarded as preferable to an attack motivated by chaos and destruction.
- Phishing – This is where clever social engineering entices the user to click on a link that may download malware or direct them to an unsafe website. Phishing can be communicated in many ways, whether via text message, email or even social media, although historically the term describes attacks via email. These emails have the appearance of a legitimate email containing a legitimate link, and are designed to grant attackers access to the user’s device in order to control it, install malicious scripts or files, or extract data such as the user’s personal or financial information. Phishing can be extremely dangerous because it can install malware, which can be used to hold files to ransom until the owner pays what can be a substantial amount of money.
- Distributed denial of service (DDoS) – This is a malicious attempt to flood a server or network with internet traffic so that it becomes practically unusable. Where a cyber-criminal launches the attack from a single host, it is called a DoS attack; where many systems are used to launch the attack, it is known as a DDoS attack. According to NBC News, reporting on the Edward Snowden leaks, GCHQ (the UK intelligence and security agency) used a DDoS attack to shut down a chatroom used for communications amongst Anonymous hacktivists.
The National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) have jointly written a new threat report providing an analysis of the evolving threat, together with an overview of the practical steps the UK can take together. Find out more on the NCSC website.
Assessing a cyber risk
The best way to assess cyber risk is to conduct a cyber security risk assessment (CSRA). This will help identify, analyse and evaluate the risks that apply to the line of business, as well as any gaps in the information security procedures, including any technical measures that need implementing to keep data secure. An organisation cannot make sound security decisions without an assessment of its risks. Many have tried to do so and failed, as it often leads to excessive cost and wasted time.
ISO 27001 is an international information security management system (ISMS) standard. This framework of policies and controls is one way to define an organisation’s information risk management process and would certainly help in implementing measures to keep hackers as far away as possible.
Continuity planning
There is no doubt that an organisation’s business continuity plan (BCP) should cater for the continuity of activities and services in the event of a cyber-attack. Good continuity planning should identify every potential risk together with a set of speedy solutions to ensure that business can continue as usual. After all, the organisation should be ready for any disaster that could affect the business, to keep it running no matter what problem arises. Our solicitors are specialists in their field and will be able to help identify your risks and how to manage them. They can assist in drafting your BCP, taking into account the size and nature of the business and any risks that follow from your risk assessment(s).
Employee liability
Negligence and human error are both typical and unfortunate scenarios, but they happen in real life. However, who is liable? Unfortunately, most of the time it is the organisation. It is therefore of the utmost importance to factor these threats into any cyber security risk assessment and continuity planning. At times it is pure ignorance or a lack of training that leads an employee to click on a phishing link or browse risky websites; both expose the organisation to threats. Regular training on cyber risk, and on what employees can do to prevent cyber-attacks, is therefore essential. Controls can be put in place, such as role-based access and escalated approval for certain processing of data, but in the end an organisation should have appropriate cyber insurance in case something goes wrong.
When it comes to rogue employees, the position has been the subject of much speculation, especially in light of the Morrisons case. Some organisations find the ruling in the Morrisons case a helpful precedent on whether they must answer for the behaviour of a rogue employee. The Supreme Court ruled in favour of Morrisons, stating that it could not be held liable when a disgruntled employee uploaded the payroll data of thousands of employees to a publicly accessible website. The Supreme Court decided that:
- Disclosure of the data was not sufficiently connected to what the employee was allowed to do in the course of his employment with Morrisons
- It was ‘abundantly clear... that the employee was pursuing a personal vendetta against his employer’
Organisations should take heed and raise awareness of disciplinary procedures for insider malice.
It is also important to note that where there is any failure on the part of the employer, the employer will likely be directly or vicariously liable.
Data breach reporting to the ICO
Depending on what kind of data has been compromised, there may be a need to report to the Information Commissioner’s Office (ICO). Where there has been a breach of personal data, you must assess the likelihood of a risk to people’s rights and freedoms; where such a risk exists, you must notify the ICO. If the breach is unlikely to result in a risk, there may be no need to report. In any event, this assessment lies at the heart of the data protection officer’s decision-making process. It is necessary to have in place a breach reporting procedure that is communicated and adhered to, so that employees are aware of who needs to be informed should there be a breach. A personal data breach must be reported to the ICO within 72 hours of becoming aware of it. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, those individuals must also be informed without undue delay.
The self-assessment tool on the ICO website can help you determine whether a personal data breach is reportable to the ICO.
Could customer contracts be affected?
If you are a supplier (of products or services), rule 101 is to check the contract. As a supplier or a sub-supplier, obligations to report may filter up or down the chain and may impose time limits. Often these time limits are around 48 hours, which gives the ultimate client the leeway to report the breach to the ICO within the 72-hour window. Data that is considered important usually comprises identifiable data, financial data or trade secrets. Not all of these will contain personal data, but contracts may set out instructions on breach reporting time limits, indemnity, liability and, at times, an immediate audit. Such matters can lead to discussions about renewal of terms, pricing or termination of services. This is why any sub-processor must enter into similarly onerous obligations as its client(s), to ensure that liability can filter down the chain.
In practice, it is hard to establish where contracts are located, who owns them, what they say and whether their terms are implemented in the business. A good contract management system can help you act swiftly and efficiently in the event of a breach. A supplier risk management process should also be robust, with risks assessed before any contract is negotiated. The assessment should be considered carefully in line with the organisation’s risk appetite.
Could our organisation receive potential penalties?
A cyber-attack that leads to loss of personal data will incur substantial fines. It is highly likely that any data would contain at least some personal data. The higher maximum amount an organisation can be fined is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. In practice, the higher amount usually applies to a failure to comply with any of the data protection principles, any rights an individual may have under Part 3 of the Data Protection Act 2018, or any transfers of data to third countries. Where there is a breach of administrative requirements, the standard maximum amount applies, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher. Fines can lead to reputational damage as well as threatening business sustainability.
In October 2020, British Airways was fined £20 million for security failings that facilitated a cyber-attack in which the personal data of 429,612 customers and staff was accessed. This came a year after it was fined £183 million when the data of 500,000 customers was compromised. The ICO is taking no prisoners and is being forceful in imposing substantial penalties.
What about insurance - can this protect my business?
Cyber liability insurance is aimed at protecting an organisation from data breaches or malicious cyber hacks on work computer systems.
Cyber insurance should be factored in once you have conducted your cyber risk assessment and your continuity planning, as this is the only way the organisation can ensure it survives if a cyber-attack occurs.
Cyber liability insurance can cover the following:
- First party cover – The organisation is the first party, so this covers you. It should cover your own losses following a cyber-attack, such as clean-up from malware or costs incurred in responding to the attack. Some insurers may also pay ransomware ransoms, and cover loss of business during any clean-up or downtime.
- Third party cover – This relates to loss or damage suffered by others who claim your business is liable to them as a result of the cyber-attack you suffered. This may include your sub-processors up or down the supply chain.
Getting cyber insurance is sensible, especially in this day and age: the more technology we use to process data, and the more data we process, the higher the risk of a cyber breach. It can certainly protect your business, and can even assist in funding a PR campaign following any reputational damage.
Best practice tips for your business
- Conduct a cyber security risk assessment and update regularly
- Ensure your business continuity plan is updated regularly
- Obtain relevant cyber liability insurance
- Ensure your data is backed up
- Provide regular tailored training covering, inter alia, strong passwords and data encryption
- Conduct regular software updates
- Ensure devices have endpoint protection (anti-virus)
- Use a virtual private network (VPN) if connecting to open networks
- Use multi-factor authentication where possible
- Have adequate 'bring your own device' (BYOD) procedures in place