New data rules for an age of hacking and the hacked

Compliant awareness: ’These new pan-European rules are good for citizens and good for businesses’.

In a new legal landscape fines of up to 4 per cent of global turnover, or €20 million, are on the cards if companies fail to comply, reports James Fitzgerald.

In the digital age, information is power. Economic growth is now dependent on data sharing, but many consumers are concerned about how and where their personal details are collected. For some people, the retention of personal privacy has eclipsed more nebulous pursuits, such as self-actualisation or social status, as the ultimate attainment in life.

It is against this backdrop that the European Commission has sought to tighten the rules, under the General Data Protection Regulation (GDPR), due to come into force in May next year.

Nearly 70 per cent of Europeans are concerned about not having complete control over the information they provide online, according to a recent Eurobarometer survey. Seven Europeans out of 10 worry about the potential use that companies may make of the information disclosed, according to the European Commission.

“These new pan-European rules are good for citizens and good for businesses. Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market,” says Věra Jourová, commissioner for Justice, Consumers and Gender Equality.

The GDPR promises to give citizens more control over their data. The rules will make it easier to access your own data; give a right to data portability (between service providers, for example); a clarified “right to be forgotten”; and the right to know when your data has been hacked.

The new rules will require large companies to appoint a “data protection officer” to ensure compliance, with potential fines of up to 4 per cent of global turnover, or €20m.

The regulation, unlike a directive, will be applicable in all EU member states without the need for national implementing legislation. In this way, the Commission aims to harmonise data protection measures.

The GDPR will also bring implications for employers who wish to “profile” potential candidates via their social media presence. According to guidelines published by the Article 29 group of advisory regulators, data collected from a search must be “relevant to the performance of the job”.

In this new legal landscape software packages that track an employee’s activities when working from home will likely be outlawed.

How do you stop hackers? You can’t because there are vulnerabilities created on purpose by the NSA for spying. For them to hack everyone and everything.

The burden of responsibility for data protection is being laid firmly at the door of individuals, SMEs and corporations, but what, if anything, will change in the covert world of government security agencies and the bandit country of hackers?

“If you suffer a breach, and it’s a question of when not if at the moment, and you are holding personal data, and that is leaked or stolen, you are going to be liable for that, because you were holding the information,” says Toby Stephens, a partner at law firm HFW.

The scale and prevalence of ransomware and cyber attacks has grown markedly over the past year, with Britain’s National Health Service among the large groups hit by the global Wannacry hack in May. The attackers demanded payment to regain access to vital medical records, causing operations to be cancelled and ambulances to be diverted at 40 hospital trusts. The private US postal service FedEx and Germany’s rail operator were also affected.

This was followed last month by the “Petya” ransomware attack, which crippled businesses across Europe and America.

A cyber security expert who led a team countering the Petya attack at a major UK bank told that there wasn’t much that could be done to stop breaches of systems – and data.

“How do you stop hackers? You can’t because there are vulnerabilities created on purpose by the NSA (National Security Agency) for spying. For them to hack everyone and everything,” says the source, who wished to remain anonymous.

“Encryption is the same. It’s designed to have a backdoor way through. As soon as you have this you can’t be 100 per cent secure. When you’re anything less than 100 per cent secure you are wide open,” the source  says.

In recent years high profile targets have included Yahoo, Ebay, Sony Pictures, TalkTalk and MySpace, where thousands, and in some cases millions, of customer accounts and emails were accessed by hackers.

“We have had a huge uptick in enquiries following the recent cyber attacks – not just on the [data] regulations, but [companies’] risk and crisis management protocols, their contracts and ensuring they have sufficient insurance coverage to cater for the risk gap in their contracts,” says Mr Stephens.

He says companies of all sizes should take a “risk management” approach to the GDPR rules, whereby they can demonstrate that they have a “proper system to minimise and mitigate” their risk, and a clear understanding of what they will do in an emergency. “If they realise they have been hacked, what are they going to do? How are they going to manage that process with their customers and employees, to minimise their exposure?”

The speed of response to a breach will be a crucial factor in the regulator’s decision to penalise a company, says Mr Stephens, who suggests that the GDPR presents an opportunity for businesses to assess other vulnerabilities in their IT.

“The Petya attack is an example to everyone that they should have a contingency plan in place, as almost every business these days is reliant on IT. Can they switch back to a paper system? No. How are they going to run their business? What’s the reputational fallout going to be if they cannot get back into their systems?”

He cites one client affected by Petya who had “safely stored all of their contingency plans on their system” – and therefore could not access them.

It may be a mistake to believe that it all comes down to technicalities. “Many businesses believe that cyber is all about their technical capabilities. Those, of course, are the ones that are ultimately likely to have the greatest exposure,” says Mr Stephens.

In the contradictory world of data, where privacy increasingly becomes a commodity for both citizens and the security state, companies and individuals must become simultaneously more compliant to the rules and more aware of those who will always seek to break the rules.

Complacency is no longer an option.


Headline image credit: Billion Photos/Shutterstock