bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland


Why a Cyber Risk Policy Should Be In Your Stocking Filler

21 December 2015

2015 was the year of the cyber-attack, with TalkTalk, Ellen Conlin Hair & Beauty and Morrisons Supermarkets all experiencing the devastating effect of different types of cybercrime. What next?

The Ellen Conlin attack highlights that businesses of any kind can be targeted by hackers for financial gain. The company that hosted Ellen Conlin’s database had to pay a ransom of 1,000 Bitcoin (£238,200) to unlock their appointments database. Morrisons is now being sued in a class action by 2000 former employees out of 100,000 after a disgruntled employee published personnel records online - hackers don’t need to be third party criminals.

Paul Motion, Partner

The Boards of these companies would have had difficult operational decisions to make. Should they say nothing, or should they go public then reassure customers that no personal information had been compromised? As TalkTalk discovered, there are downsides to going public quickly with a potential figure of four million customers' data affected, when the final number is 157,000. TalkTalk estimates that the cyber attack cost it £35 million to manage. Reputation management of cyber-attacks can suck in huge amounts of management time. Solicitors and a PR agency may need to be involved.

Cybercrime statistics show 2.5 million cybercrime incidents from 2014 to 2015 in England and Wales. PwC's latest report for the year to June 2015 stated that 90% of large businesses and 74% of small businesses surveyed reported a security breach. The cost of the worst single breach suffered by organisations surveyed was between £1.46 million and £3.14 million including business disruption, lost sales, recovery of assets, and fines & compensation.

But wait, we were the victim...

This was the approach of TalkTalk after its attack in October 2015. But it cuts no ice at all with the Information Commissioner. Previously, victims of hacking have still been fined up to £200,000 by the ICO for having inadequate security measures in place or hanging on to redundant data. When the new EU Data Protection Regulation comes into force in 2017, data breach fines will increase significantly, to the higher of €1m or 4% of global turnover, so hypothetically, the maximum data breach fine for TalkTalk would rise from £0.5 million to £72 million.

Compensation under the DPA

Cyber attacks resulting in the loss of personal data carry another risk. 2015 saw the Court of Appeal make it significantly easier to claim damages under the DPA. The Vidal-Hall case decided that compensation may be payable if the data breach has caused simple distress, obviating the need to demonstrate pecuniary loss as well. So if the Morrisons’ class action were to result in compensation of £1000 per claimant, that is a £2 million liability.

“We’re OK - we’ve got cyber risk insurance.”

Oh really? In a survey earlier this year 52% of CEOs confidently believed they had insurance coverage against cyber risks. Sadly, only 10% had any cyber cover. Only 2% of that was a dedicated cyber policy. Cyber insurance is an emerging market. Cover under cyber policies can range from direct financial loss to paying for technical expertise and the cost of reputation management, but it could save your business from a great deal of pain.

How best can you protect your business?

Talk to us. We have a specialist Data Protection Defence team with experience of engaging the Information Commissioner. We can provide advice about how best to avoid a data breach and to ensure that you have everything in place to avoid breaching the DPA. If something does occur, BTO’s specialists can advise how best to handle the situation to minimise the impact on your business. We’ve also been driving the debate on cyber insurance at events in London and Scotland. So Merry Christmas – and remember to put cyber insurance on your Santa list!

Contacts:

Paul Motion, Partner & Solicitor Advocate prm@bto.co.uk T: 0131 222 2939

 
