Reducing the risk of cyber attacks in the wake of Ashley Madison - a lesson learned
Cyber attacks are on the rise, are becoming increasingly significant and costly for their victims, and are here to stay, write Rafi Azim-Khan and Steven Farmer from Pillsbury Law
The wide-reaching and high-profile nature of the recent Ashley Madison cyber attack demonstrates just how vulnerable global businesses that have customer data at their core can be, and the human impact these breaches can have.
Recent reports suggest that not even the UK National Crime Agency itself is immune to such attacks, its website having recently been taken down by a DDoS attack in revenge for authorities arresting people for earlier online misdemeanours.
What is clear is that cyber attacks are on the rise, are becoming increasingly significant and costly for their victims, and are here to stay. As the volume of data which businesses store ever increases, the use of mobile devices continues to grow and cyber-villains become ever more sophisticated, it is perhaps no surprise that we hear about new instances of information theft and data loss on a daily basis.
Critically, given that almost all businesses handle data and have an online footprint, nobody is immune. For those who wish to avoid the serious reputational damage, regulator fines and hits to the bottom line associated with a cyber attack, it is clear that a proactive approach to cyber security is now required more than ever. There is therefore certainly no room for complacency when it comes to the risks posed.
Given the range of threats, coupled with the sanctions available to European regulators, what precisely should businesses be doing to reduce their risk profile in the pre- and post-incident environment?
No one size fits all
While many correctly look to the UK Data Protection Act 1998 ("DPA") for guidance on such issues, there is no one-size-fits-all solution to be found here. The DPA takes a risk-based approach to security, requiring that organisations take: "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
The measures taken by an organisation will therefore depend largely on the size and nature of a business, the amount of data it processes, and the sensitivity of that data.
But with the best will in the world, implementing a comprehensive plan only goes so far and cannot entirely eliminate the risks associated with a security breach. Companies also need a robust response plan to turn to, and expert resources at the ready, should the worst happen.
A well-developed response plan should ensure that sufficient steps are taken to immediately contain the breach and recover lost data, whilst at the same time providing for a risk assessment to be carried out to consider how serious the damage is or is likely to be.
"Whistleblowing" when attacks occur
The ICO (the UK Information Commissioner's Office) does currently encourage self-reporting of breaches in appropriate circumstances. However, as things stand, there is no strict legal obligation to do so (with some exceptions).
This is set to change, however, following the introduction of the new EU-wide Data Protection Regulation, which is on the horizon. Any company's breach notification policy will therefore need to be prepared or updated with this regulation in mind.
But be careful about rushing to self-report. Approaching the ICO will not always result in a lighter fine or the avoidance of a fine altogether. A premature notification to the ICO and/or to individuals whom a company believes may be affected can cause more harm than good.
There is, more often than not, considerable merit in not "jumping the gun" in terms of notifications to regulators and individuals until the key facts have been established and the extent of the issue is clear. This is a critical phase and having the sounding board of pre-identified counsel who have been through it before can be invaluable.
Cyber breaches can have a very real impact on a business's reputation, brand and bottom line. The increasing fines and risk of legal suits that result also mean it is prudent to seek expert input and do some key work in advance to prepare. When it comes to cyber security, nothing should be left to chance and companies should not be complacent.
Careful planning and preparations upfront will not only limit damage should a breach occur but can also help avoid or minimise regulatory sanctions, be good for a company's reputation and vastly improve consumer trust and confidence.
Rafi Azim-Khan is Head of Data Privacy, Europe, and Steven Farmer is Counsel at Pillsbury Law.