The National Cyber Security Centre says UK businesses were the victims of more than 500 significant cyber attacks in the last 12 months. High-profile targets like US credit agency Equifax and London-headquartered accountancy giant Deloitte attract the headlines, but smaller businesses are targets too. With the forthcoming implementation of GDPR – and with it much more significant penalties for mishandling data – it’s crucial that your organisation has the right systems in place to comply with the law and guard against attack.
Big Data Law in London helps businesses across all sectors prepare for GDPR with targeted advice and data security audits.
THE EQUIFAX BREACH, AN UNFOLDING STORY
By any standards the Equifax security breach was massive. In September the corporation confirmed that hackers had successfully gained access to the sensitive personal information of 143 million American consumers. In the UK 694,000 consumers have been affected, with phone numbers, driving licence details and email addresses stolen. So the breach is not just academic: it could have real, negative consequences for the individuals involved. There are suggestions that it could lead to large-scale fraud, targeted scams and identity theft. Many Equifax customers are threatening to sue the organisation. So it’s not surprising that this week the Financial Conduct Authority has launched an investigation ‘in the public interest’.
HOW WOULD GDPR IMPACT EQUIFAX?
Equifax is now subject to a US Senate hearing as well as the FCA intervention we’ve mentioned. Deloitte is under investigation by the US Attorney’s office. So both companies will face the full rigour of the law. But they may be thankful that the breaches occurred before GDPR came into force. Even though the majority of customers affected in these cases were American, the breaches would have been caught by GDPR because EU citizens were also affected. That’s because GDPR applies to all companies that store or process information on EU citizens.
Under GDPR the maximum fine for breaching data protection principles is €20 million or 4 per cent of global turnover (whichever is the greater). Equifax has a turnover of $3 billion, so any fine would likely have run to hundreds of millions of dollars. An additional fine of €10 million can be imposed if the company targeted does not report a breach.
HOW WE CAN HELP
Your organisation might not have the resources of global giants like Deloitte and Equifax, or the turnover. But you could still face ruinous fines if you are the victim of a cyber attack or are found to be in breach of data protection principles. We offer specialist guidance on all aspects of GDPR and related data security issues. Our GDPR gap analysis service provides firms with the reassurance that their data security policies meet best practice and that robust procedures are in place. This minimises the threat of any attack and the fallout of any internal error in data handling. Sometimes serious breaches occur because of minor flaws in a firm’s security. For example, in the Deloitte breach, hackers compromised a cloud-based server containing more than 5 million emails of 350 clients. Access to the server in question was secured with only a single password; there was no two-step verification procedure in place. This is the kind of weakness a review of systems can expose – before it’s too late.
To find out more about the data security advice and services we provide call us on +44 (0) 7545 813 894 or contact us online.