Criminal liability of hackers and other online criminals has been part of UK law since the Computer Misuse Act 1990. At the global level, various jurisdictions have had digital-crime related offences in one form or another for some time. Notably, the Budapest Convention on Cybercrime, signed in 2001, required countries acceding to it (which included the United States, Canada, Japan, South Africa, etc.) to criminalise various acts that are considered misuse of public networks and unauthorised intrusion into devices.
The increase in online activity involving financial elements in the 1990s brought about a natural growth in financially motivated digital crime in what was a rudimentary digital security environment. Further solutions were required. At EU level, the introduction of the Data Protection Directive in 1995 (Directive) legislated for the first major requirement to implement ‘an appropriate level of security’, which applied to all businesses, since all of them inevitably process personal data. Following this, the UK adopted equally ‘loosely worded’ industry-specific digital security requirements, for example in the public electronic communication networks and financial services industries.
The Directive required data controllers to put in place technical and organisational measures which would “ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected”. Advising IT professionals on what this actually means is difficult, not least due to the rapidly changing state of the art. In 1998, when the Directive was implemented into national law, the available computing power may have struggled with simultaneously running the operating system, applications and encryption software. Implementing solutions would be costly, in part due to these demands on hardware and in part due to the immaturity of security software. In addition, the understanding of the ‘risks inherent in the processing’ was perhaps focused on any pecuniary damage that the data subject could suffer, rather than any distress. Indeed, more often than not the actual damage would be non-material rather than pecuniary.
However, the landscape has changed since 1998. On the one hand, claims for non-material damage have been making headway (Google v Vidal-Hall) and, on the other, the understanding of the value of data has shifted due to the increased potential of business analytics, as well as new techniques of fraud. This changing environment is addressed by the recently adopted General Data Protection Regulation (GDPR) but also by other legislation, such as the Network and Information Security Directive, which is expected to enter into force in August and will be subject to a 21-month implementation period.
The new security requirements under the GDPR take into account the data protection authorities’ past experience and the new digital environment, in which cyber-criminals operate as businesses and trade personal data in underground data markets, where, for example, the credit card details of a Ukrainian citizen are worth $0.20 and those of a US citizen $2.00. Rather than actually carrying out a denial of service (DoS) attack, cyber-criminals may simply forewarn the corporate victim of the attack and demand a ransom to prevent it. Repeating this a thousand times each month with a 10% success rate leaves the cyber-criminal with a comfortable monthly income.
The GDPR requires that “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk … account shall be taken in particular of the risks that are presented by processing … which could lead to physical, material or non-material damage.”
The GDPR helpfully spells out which processing may present a risk of damage. This includes processing that may give rise to discrimination, identity fraud or a breach of professional secrecy; processing where data subjects may be deprived of their rights or of control over their data; processing that may lead to disclosure of racial, religious, genetic and other special categories of data; evaluation of personal aspects, such as work performance, health, reliability or economic situation; processing of vulnerable persons’ data; and processing on a large scale. In conclusion, a risk of damage may result from most of the processing that takes place in a corporate environment. From a security point of view, the risk of non-material damage cannot be dismissed as negligible.
IT professionals often ask us what specific requirements they must implement in their organisation. To their disappointment, the answer is often vague: “Carry out a privacy assessment, consider the risks and implement appropriate measures.” But let us look more closely at what this means.
So what specific technical and organisational measures may be required under the GDPR? The state of the art has moved on since 1998 in terms of computing power, and devices will now smoothly run any well-implemented encryption software in the background. The latest security software has real-time detection, prevention and remediation capabilities. The cost of implementation could be substantial, especially for SMEs with no in-house IT capabilities. However, there are a variety of solutions on the market, and even a modest security package, which ought to be more cost-effective, will probably elevate your business to a much more appropriate level of compliance.
Please see below what we believe would be the minimum requirements for SMEs that do not process personal data as their core business. It should also be noted that if your organisation, for example, only processes HR-related personal data, the requirements may be limited to your HR processes, servers, personnel, etc., and all other data may be subject to less stringent security measures equal to the standards adopted in your industry.
Please note that the list below is based on assumptions and is intended for guidance only. It may not be relied on without carrying out a privacy impact assessment and obtaining security and legal advice. The GDPR does not specifically mention these measures, but on the basis of commonly adopted security measures and trends in enforcement action by data protection regulators, we can safely assume that these measures are indeed required. It is also important to mention that the requirements set out below are not new and will to a large extent also apply under the current legislation.
In addition, the GDPR imposes the same data security requirements on data processors. Data controllers’ obligation to select data processors “providing sufficient guarantees” in terms of security will remain, but the contractual obligations that the controller has to impose on its processor will focus on the requirement that the processor “assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of … data subject's rights”.
Generally, we would recommend that larger businesses implement the ISO 27001 standard. However, given that the certification process can easily take up 4 – 12 months of staff and management time and prove to be quite burdensome, it may not be suitable if your personal data processing activities are minimal. On the other hand, these considerations may be outweighed by your clients’ requirement that you meet the ISO 27001 or ISO 27032 standards. SMEs should comply with at least the standards advocated by the UK Government’s Cyber Essentials Scheme, ideally the “Plus” version, which includes external testing. However, SMEs that regularly deal with larger clients may well have to take the ISO route in order to remain competitive and satisfy their clients’ needs.
Finally, every organisation should consider taking out a cyber-security insurance policy. Insurers will demand a certain standard of security and may be unable to quote if the responses to their questionnaires show gaps in your security framework. A £5 million indemnity limit is common, and it remains to be seen whether the insurance industry will increase it to cover the potential €20 million fines which data protection regulators will be able to impose from 2018. It is also worth noting that even if a policy is approved, it may not pay out if an incident was caused by failed controls, such as an unpatched firewall. For this reason and the reasons set out above, if your organisation processes personal data on a large scale, its commitment to security should be nothing less than unrelenting.
For more information, please contact Alexander Dittel on +44 (0)20 7427 6579 or at email@example.com.