Cybersecurity – The Victim Becomes the Law Breaker

Privacy & Cybersecurity Newsletter
April 2018

Every organization, however large or small, faces the threat of cyber-attack. Cybercrime is prevalent, and cybercriminals are becoming more and more sophisticated and operating for a variety of reasons, financial and political.

One might expect the law to have some sympathy with businesses that are victims of such crimes. After all, the victims will have suffered substantial inconvenience and may well have faced direct financial loss, including the payment of ransomware demands to cyber criminals and compensation to customers, as well as reputational damage and loss of goodwill. These factors alone make it imperative for businesses to have first class cybersecurity measures in place. 

But there is another reason to be cyber-prepared – the law has no such sympathy, at least not under the new European Data Protection law, the GDPR. The GDPR applies to all organizations established in the European Union, but also has potential application to many based outside.  (See “50 Days to the Great Data Protection Revolution.”) It comes into force on May 25, 2018.

Cybersecurity is a fundamental requirement of the GDPR. The GDPR demands that all organizations which come within its ambit must implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risks arising from holding and processing personal data. These are, in particular, the risks of accidental or unlawful destruction, loss, alteration and unauthorized disclosure or access. 

The GDPR spells out in general terms some of the cybersecurity measures that are expected and what they must achieve, namely:

  1. Pseudonymisation and encryption;
  2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
However, the GDPR gives no more detail as to the precise cybersecurity measures to be taken to achieve the required standard of “appropriate,” other than to say that the state of the art, the costs of implementation and the nature of processing should be taken into account. To that extent, some may find this law disappointingly vague.

It is therefore left to organizations to determine for themselves what level of security is appropriate – taking expert advice if required. The starting point, though, must be the state of the art. This will change as technology marches forward, but current technical measures must, as a minimum, include: 

  • anti-virus, malware and spyware software
  • firewalls
  • encryption of data in transit and all portable devices
  • intrusion detection and prevention systems
  • regular software updates
  • data backup
  • user access control management
  • unique complex passwords with expiry on all devices on a not-too-frequent basis.

Certification to the ISO/IEC 27001:2013 standard will go a long way to showing that appropriate measures have been taken, and demonstrates adoption of information security best practice.

The GDPR not only requires high standards of data security. It also brings many more non-EU businesses within its ambit, and makes two other directly relevant and fundamental changes to data protection law. 

First, it requires that organizations that suffer a breach of data security in almost every case to report that breach to their data protection authority without “undue delay” and, where feasible, within 72 hours of becoming aware. All relevant details must be provided. In many cases, organizations must also report to the individuals whose data has been compromised. 

Second, the penalties for not having the appropriate security in place, or, indeed, for not complying with the above reporting obligations are now much stiffer. Whereas the maximum fine was previously on the order of hundreds of thousands of pounds or euros, the maximum for a breach of the provisions which specifically relate to data security is now the higher of €10 million and 2% of the annual world-wide gross revenue of entity concerned.

To conclude: while all organizations should be keeping their cybersecurity arrangements under constant review, those which fall within the GDPR are strongly recommended to carry out a major review immediately. In doing so, they must focus not only on their technology and everyday practices, they must also create and document procedures for complying with applicable law and reporting data breaches to their data protection authority and affected individuals.