Cyber threats and the GDPR
Author: Christopher Buck
Throughout the course of the last year, we saw a number of cyber threats and ransom driven hacks on large scale databases. In fact this time last year, the WannaCry ransomware was wreaking havoc in the NHS database, amongst others.
In a matter of days, the General Data Protection Regulation (“GDPR”) takes effect and with it comes a host of new compliance requirements for the handling of personal data by businesses of all sizes, no matter how large or small. One concern regarding the GDPR is that it will bring with it an increase in cyber threats and requests for ransoms. This is especially so because the fines which the Information Commissioner’s Office (“ICO”) will be entitled to impose will be much greater than at present.
Some people fear that this will encourage hackers to hold data to ransom, knowing how much it is worth to a business. It is thought they may request, as a ransom, a sum which is less than the fine which would be imposed by the ICO, in order to gain leverage and successfully benefit from the data breach. The intention is that some businesses may fall into this trap and be tempted to pay the lesser ransom sum rather than a fine of up to 20 million Euros or 4% of the company’s global turnover, as can be imposed by the ICO.
In the latter part of 2017, it was aired that Uber had been subject to a data breach which it had attempted to cover up. The breach is said to have occurred in 2016 and affected in excess of 57 million customers and drivers. Uber had failed to notify the individuals affected and/or the regulators and actively looked to conceal the breach by paying a $100,000 ransom to the hackers.
At the time the breach and cover-up were publicised, Uber’s chief executive, Dara Khosrowshahi, said “None of this should have happened, and I will not make excuses for it”. Were any such data breach, and attempted cover-up, to occur after 25 May 2018, businesses may be looking at experiencing first-hand the ICO’s new power to impose greater monetary sanctions.
What you need to do
Whilst it may be impossible for you to prevent a sophisticated breach of your system, you must put into practice, and be able to show, that you did everything in your power to protect the personal data that your business controls and processes. So long as you have considered everything you can and have updated your policies to protect your company, the ICO would not be looking to impose fines on a well prepared and documented company should a hacker find a flaw in a robust security system. Hopefully, however, you will not be subject to a data breach at all, whether through hacking or through a lack of appreciation for the new law.
If you should have any queries in respect of Data Protection or your rights and responsibilities in respect of the same, please do not hesitate to contact me on 01908 660966 or alternatively at firstname.lastname@example.org.