Hacks occur every 39 seconds, with 95% of them targeting governments, retailers and the tech industry. If the hackers are caught, they'll face prison time under the Computer Misuse Act. More often than not, the businesses that are victims of those attacks expose themselves to punishment of their own.
The laws that determine the duty of protection owed to businesses and their customers are both vague and broad, leaving businesses to question just how much protection is enough. Do you worry that you're not doing enough to protect yourself and your customers? You aren't alone.
Penalising the victims
In October 2016, TalkTalk Telecom Group PLC was issued the Information Commissioner's Office's (ICO) largest ever fine: a staggering £400,000. The fine was imposed because TalkTalk had been the victim of a cyber attack. Under the GDPR, you could be fined the higher of €10m or 2% of your business's global annual turnover for being the victim of cyber crime and failing to adequately protect your customers' data.
TalkTalk isn't alone. In 2015, hackers stole and publicised the data of 37 million users of the affair website Ashley Madison. The total cost of this breach, including fines, fixes and estimated lost revenue, came to £1.2 billion for the parent company, Avid Life, in the UK alone.
Data breaches from hackers cost businesses more than just the loss of data and reputation. So why are so many businesses fined for being victims of breaches?
Vague tests are vague...
The Data Protection Directive and the UK Data Protection Act both require a data controller (someone who has access to data and responsibility for its protection) to "implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access". That's it. "Appropriate". This vague measure of protection can make it difficult for businesses to know how far they have to go to avoid being fined after an attack.
How much data protection is appropriate?
Do you need to seal your servers in a lead-lined vault at the bottom of the sea? Opt for security through obsolescence by recording all your customer data on punch cards? Invest billions in state-of-the-art cyber security when your business only makes £100,000 a year? The ICO has no minimum threshold for the protection of data.
But historical data suggests that, at the very least, some level of encryption should be applied to business terminals and devices that can access customer data. Common sense seems to be the guiding principle of providing appropriate data protection, but we know that basic encryption of devices simply isn't enough in many cases to deter hackers or to satisfy the ICO. Just last month CCleaner, a popular piece of antivirus software, was hacked, exposing over 2 million users to malware. So even having antivirus measures can expose you to risk.
In the case of TalkTalk, the ICO determined that "in spite of its expertise and resources, when it comes to the basic principle of cyber-security, TalkTalk was found wanting." This statement demonstrates that the level of data security expected of you scales with your resources. Data security needs to be an active IT issue, rather than a passive box-ticking exercise.
...but they are vague for a reason
The terminology of the Data Protection Directive and the Data Protection Acts is very deliberate. The digital world moves at such a pace that it can be almost impossible to keep the law updated. For a quick example, look at copyright laws and how they fail to encompass the implications of YouTube, fair use rights and ownership of content.
A vague and broad directive allows the law to be applied to unforeseen changes in technology without having to be rewritten and pushed back through the legislature. A law that is certain in its principles, however vague, is better than no law at all.
Determine the risk
When considering your data protection strategy, attempt to quantify how much it would cost your business if your customers' data or your price lists were exposed. TalkTalk lost £60 million and over 100,000 customers as a result of their hack. So consider: does the investment in IT security really outweigh the cost of a data breach?