The summer of 2018 will be remembered for its record-breaking heatwave, England reaching the semi-finals of the World Cup and, for professionals in almost all areas of business, the long-awaited adoption of the General Data Protection Regulation (GDPR) across the EU. In the space of just a few short months, cybersecurity has gone from a tick-box exercise, somewhat far down the list of competing priorities faced by every business, to fighting for pole position amid swirling tabloid headlines warning of huge fines and plummeting share prices for organisations who suffer a data breach.
At the time of writing, the UK has seen 1,750 data breaches self-reported to the ICO (Information Commissioner’s Office) in June alone under the GDPR requirement to report qualifying data breaches within 72 hours of discovery. This compares with a total of 1,500 reported in the months of March, April and May. Data breaches are clearly nothing new – rising consumer awareness means we can all reach for high-profile examples including Tesco Bank, TalkTalk, Dixons Carphone and more – but the requirement to notify the ICO and the general public at large is new, and comes with serious implications.
According to an SAS study, more than half of UK consumers are expected to exercise their GDPR rights within a year and almost two-thirds will retract or review data use solely because of the Facebook-Cambridge Analytica scandal. The study shows UK consumers treat data-sharing as a matter of trust and have a low tolerance for data mistakes or misuse. Almost half (45%) said they would activate their data rights after only one mistake.
But data rights are only the tip of the iceberg. A devastating 2016 cyberattack cost TalkTalk £60m, as well as the loss of 101,000 customers. In an attempt to restore its brand image, it also offered almost half a million customers a free upgrade and had to close down its online sales operations thanks to consumer fears over poor security. Pre-tax profits fell by more than half, from £32m to just £14m, and in January 2018 analysts valued the business at just over £1.1bn, down from a peak of over £4bn in 2015.
Highest-profile data breaches...
Uber concealed a hack that affected 57 million customers and drivers worldwide and 2.7 million users in the UK, the company has confirmed.
An enormous data breach which took place in July 2017, with access to an estimated 1.2 million customer records containing personal data.
A data breach affecting 380,000 transactions, involving stolen personal and financial information, but not passport or flight details.
Global information solutions company Equifax reported a major cybersecurity incident affecting 694,000 UK customers out of 143 million compromised worldwide.
The London-based private healthcare group Bupa suffered a data breach affecting 500,000 customers on its international health insurance plan.
Tesco Bank, the consumer finance wing of the British supermarket giant, froze its online operations after as many as 20,000 customers had money stolen from their accounts.
This is the important bit...
The GDPR states that in the event of a data breach, the Controller need not notify data subjects if the data is encrypted and rendered unintelligible to any person who is not authorised to access it, thereby removing notification costs for the organisation and reducing reputational risk.
"The communication to the data subject ... shall not be required if ... data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption ..." -- Article 34 of the GDPR
Post-GDPR, however, the TalkTalk picture would be even worse. Once the breach had been reported to the ICO within the 72-hour window, a fine of 4% of annual revenue would have seen the company hit with a £71m penalty (on 2016-17 revenues of £1.78bn), dragging investor confidence down even further, and the heightened media awareness around cyber attacks, data breaches and data subject rights would almost certainly inflict reputational damage greater than that which TalkTalk suffered in 2016.
On top of any technology professional’s nightmare scenarios around malicious data misuse post-breach, you’ve now got to consider how to disclose every last detail of your own scandal before you’ve even had time to let the news sink in yourself. As the impact of that public notification settles in and everyone starts looking for a convenient scapegoat, you’ll have to face the board as share prices tumble, your contact centres are flooded with calls, your website crashes and you’re trending on social media for all the wrong reasons.
Unfortunately for most CIOs, the recognition they'll get for preventing that problem is insignificant compared with the stick they'll get for not preventing it, especially if they were aware of a way to prevent it beforehand.
There is a simple fix. It doesn't solve all of your GDPR issues, but it might just act as a convenient 'Get Out Of Jail Free' card.
If your data is encrypted, so that any breach will result in unintelligible data, then you may not be required to notify the ICO. Of course, encrypting your database may seem like another load of work that’s going to have wide and unforeseen implications, but if you’re using Oracle Cloud or Azure (or both) then there are some simple ways of achieving the right level of encryption easily, even when you’ve got a complex environment to protect.
In order to understand your data security vulnerabilities we offer a discreet 'Security Assessment Service' that will:
Find out more about our industry-leading security assessment service.