Ashley Madison, a site encouraging extra-marital affairs, recently suffered a data security breach by hacker group “Impact Team” which led to several gigabytes of data including names, payment details, emails and even the website’s source code being leaked.
Advances in technology have enabled all of us to collect, learn and share information about each other more quickly than ever before. Businesses now have advanced tools available to store and protect vast amounts of customer data. But hackers also have increasingly sophisticated methods of gaining unauthorised access to this data. And so begins a digital game of cat and mouse. Cyberattacks are more common than many realise, and readers may already be aware of high profile cyberattacks that affected JP Morgan Chase, Target, Home Depot and Sony Pictures. The scale of the problem is indicated by the Department for Business, Innovation and Skills (“BIS”) reporting that 81% of large corporations and 60% of small businesses reported a cyber breach in 2014.
The consequences of a data breach can be severe. BIS reported that the cost of breaches nearly doubled in 2013/14, with the average cost of the worst cyber-security breach in a year estimated at between £600,000 and £1.15 million for large businesses and between £65,000 and £115,000 for smaller ones. Such costs may not be recoverable under a business’ insurance.
In the Ashley Madison case, the media exposure has been astounding. There has been irreparable damage to Ashley Madison’s goodwill, as well as two suicides linked to the data leak. A Google search for “Ashley Madison suicides”, for example, now returns just under 18 million results. Not a position any business wants to find itself in.
In the UK, a breach of data protection law can lead to a fine of up to £500,000 from the Information Commissioner’s Office (“ICO”), the UK regulator for data protection. This is likely to increase significantly in the next few years when the General Data Protection Regulation is implemented, and there is also the possibility of civil claims from aggrieved data subjects.
One of the many issues that flows from the Ashley Madison data breach is whether anything could have been done to prevent the breach in the first place, or at least to limit its impact.
Keeping information secure is a cornerstone of data protection legislation in the UK. Monetary penalty notices overwhelmingly relate to the 7th data protection principle, which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data (the “7th DPP”). That said, there is no “one size fits all” solution when it comes to information security.
Whilst a robust data protection policy is rarely found towards the top of a business’ to-do list, such a policy, combined with a cybersecurity strategy and effective implementation of the 7th DPP, can help to reduce the likelihood of a breach in the first place and go a significant way towards minimising its impact.
Amongst other aspects, a well-crafted data protection policy will explain what data is being handled, who is allowed to access that data and which processes are being applied to that data. The process of implementing a data protection policy can also prove valuable in itself, because it can act as a catalyst for a more general review of data protection practices by leading businesses to ask the following questions:
Asking these questions is key: a failure to encrypt information in accordance with the 7th DPP, or otherwise to adhere to it, is, for example, an aggravating factor when the ICO is considering enforcement action.
Given the sophistication of recent cyberattacks and the ease with which an employee’s mistake can lead to customer data being distributed (for a recent example see: Soho sexual health clinic errantly discloses names of 780 HIV positive patients), businesses need to be aware that data privacy matters, have strong cybersecurity measures in place and take data security seriously. Implementing an effective data protection policy and keeping it under regular review can be a valuable part of a business’ cyber defences, helping to ensure it is in the best position possible to minimise the impact of any attempted cyber-attack or data breach.
Authors: James Eley and Noor Al Naeme
Noor Al Naeme is a Solicitor (qualified in Scotland) and James Boyle is a Trainee Solicitor in Michelmores’ Technology, Media & Communications team.