Cyber attacks on large institutions like the NHS or companies like British Airways naturally dominate the headlines when they occur. But cyber crime is now also a major concern for many of the small and medium-sized businesses we represent.
The FBI reported in 2016 that there was an average of 4,000 ransomware attacks each day. For SMEs these attacks can be devastating. As the recent £60,000 fine on a small Berkshire-based video company shows, the size of your firm is no defence to a breach of data protection law, even when the breach is a direct result of a criminal hack. If you are handling personal data you are subject to the law in the strictest sense. In addition to the threat of regulatory fines (likely to increase substantially with the advent of GDPR), cybercrime presents two more obvious threats. First, reputational and financial damage to your core business. Second, the financial threat posed by claims for damages by affected customers.
With so much at stake it’s crucial to ensure you have the right systems in place to both protect your business and minimise the fallout from any attack. If you have concerns you should seek specialist legal advice.
BOOMERANG VIDEO – A CAUTIONARY TALE
At first sight the £60,000 fine imposed by the Information Commissioner’s Office (ICO) on Boomerang Video, mentioned above, might appear harsh. Here was a small company, the victim of a criminal cyber attack, with its brand name ruined, being asked to pay a potentially ruinous fine. But the facts are pretty startling. In finding that Boomerang had failed to implement appropriate technical and organisational measures to protect customer data, the ICO established that:
- Hackers were able to get names, addresses, account numbers, sort codes AND the card security codes for more than 26,000 Boomerang customers
- The password for one section of the company website was a simple dictionary word based on the company name
- While some information was encrypted the encryption key was not secure
- The site had been insecure for ten years
The case should act as a lesson to all SME owners of how not to handle personal data. In its decision the ICO indicated that its motive for imposing such a high fine was to ‘promote compliance’ with the Data Protection Act. It was taking the opportunity to remind data controllers to ensure that appropriate and effective security measures are applied to personal data. The ICO provides useful online tools that enable businesses to assess their level of data compliance. But if you have serious concerns that your procedures aren’t secure you should consider instructing a cyber security lawyer for advice.
ARE YOU READY FOR NEW DATA PROTECTION RULES?
Tighter data protection laws come into force in the UK next year. Under the General Data Protection Regulation (GDPR) companies may face much harsher financial penalties than under the current system. In fact it has been estimated that the fines levied by the ICO last year would be 79 times higher under GDPR.
Of course, fines aren’t the only concern of companies facing cyber security breaches. Commercial hacking victims face sometimes irreparable damage to their brand. And if Google believes a site has had malware installed it may blacklist it, so visitors will see warning messages (‘malicious site’, ‘possibly compromised’ and so on). These warnings have the potential to kill traffic to your site and destroy any online business you have built up.
In addition, as the developing Equifax case shows, customers of businesses that have been hacked are more prepared than ever to bring a legal claim for damages. That case involves a data breach affecting information on 143 million Americans and an undisclosed number of UK citizens and Canadians.
Although it’s impossible to guard against every cyber attack on your business, specialist legal advice can ensure you have the correct security and compliance measures in place to minimise the threat. Maintaining robust systems can also act as a defence to potential claims or regulatory intervention. Big Data Law focuses on cyber security law and related matters. We help companies prepare for GDPR, ensuring procedures are in place for data to be handled securely. In addition we represent companies facing regulatory intervention and other claims resulting from cyber attacks. You can contact us by phone on +44 (0) 7545 813 894 or contact us online.