How to avoid data breaches in 2018, by learning lessons from 2017
Two key moments in data protection history from 2017 serve as a herald for what may be in store for 2018: the cyber security incident that made everyone WannaCry (cheesy…I know!), and the fact that as of 25th December 2017 there were exactly 6 months to go before the new EU General Data Protection Regulation (EU GDPR) applies. Together they made 2017 one of the most challenging yet interesting years from a data protection and privacy perspective.
1. How WannaCry changed the world's view of cyber security
This was the moment when the WannaCry ransomware attack brought to the attention of the world just how potent and tangible the impact of cyber security threats can be. Hospitals were forced to stop surgeries or close, businesses lost revenue, and so on. Some of the world's most respected institutions and businesses were thrown into the spotlight, owing to the inadequacy of the cyber security controls they had (and quite possibly, in some instances, still have) in place to protect themselves and their service users from cyber security threats.
For many of these institutions, the issue was not one of not knowing the risks that cyber security threats pose; the issue was one of not doing enough to proactively mitigate those risks. It is probably fair to say that for some it is not for want of trying. Overcoming complex cyber security challenges can require significant resources, which for many are either non-existent or increasingly constrained. For all, it highlights the need to do whatever you can to mitigate future cyber security threats. Data protection supervisory authorities like the UK's Information Commissioner's Office have never tolerated, and will never tolerate, ignorance as an excuse.
What lessons can we learn from WannaCry?
Quite simply: be ready for increasingly threatening cyber security attacks in 2018!
High-level cyber security tips include:
- providing your staff with more cyber security threat training and guidance
- conducting routine penetration tests and cyber security vulnerability scans – implementing any necessary mitigating controls
- recording and risk assessing your critical information assets and data flows
- persistently monitoring your networks and activity logs for unusual activity
- keeping security patches up to date
- prioritising any upgrades to or migrations from less secure platforms
- staging cyber security attacks to test your business continuity plans and staff responses
You should also consider becoming accredited with a recognised security best practice standard like Cyber Essentials, Cyber Essentials Plus and/or ISO 27001:2013 (the latter two being more suited to organisations that process special categories of personal data (e.g. data which reveal information about a person's health, social, political, religious or sexual status) and/or high volumes of otherwise valuable or sensitive data). Not only can these standards provide your customers, partners and key stakeholders with confidence that you are doing your best to protect personal data from cyber security threats, they can also serve as evidence of best practice in your defence against data protection supervisory enforcement action and/or legal claims.
2. How organisations got their knickers in an EU GDPR/Brexit twist
The subject line refers to the #oh_sh1t moment which took place in 2017 for most digital business leaders around the globe, when they realised just how profound an impact the EU GDPR may have on their business in 2018. For many UK-based organisations that process data belonging to EU citizens, the #oh_sh1t moment became a #WTF one when the penny dropped that the EU GDPR will still impact their business despite Brexit – read this LinkedIn post about the EU GDPR and Brexit to learn why. My guess is that those that voted for Brexit will be particularly thrilled!
Not by coincidence, 2017 was also the year that the UK Parliament published a new Data Protection Bill, a Bill which is in effect (and unsurprisingly) the UK's almost mirror-image response to the EU GDPR. In order to compete in the EU's multi-billion Euro single digital market, the UK (and its digital businesses) has little choice other than to demonstrate (as it does at present) that UK data protection laws are deemed adequate by European data protection supervisory authorities.
All this comes at a time when all EU eyes are on the UK in light of Brexit; the last thing the UK would need when trying to enter into negotiations with EU counterparts would be an inadequacy decision from the EU's Data Protection Supervisory Authority, the knock-on effect of which would be to make it much more difficult for UK businesses to process data belonging to EU citizens. The UK is not alone in its worry. The USA and US businesses, for example, face their own EU GDPR challenge, given that the EU does not at present consider US data protection laws to be adequate.
More key data protection lessons from the recent past
The following list of headlines briefly summarises iconic moments (some serious and some amusing) in data protection history from 2017 that will provide you with a snapshot of other key data protection lessons to be learned for 2018.
- People often have justifiable concerns about the privacy of their data
- Organisations are becoming increasingly fearful of class action data protection lawsuits
- Tech firms should expect increased scrutiny from data protection supervisory authorities
- Users of internet connected devices can expect more of their data to be the subject of privacy breaches
- Organisations process far more data about people than they often realise
- If online dating is your thing, and you don't want your secrets leaked, be sure to use an online dating service with up-to-date anti-virus!
- Never take what you have for granted and, like Bob Marley said, stand up for your rights!
- Seek evidence-based assurance from third-party processors in countries that do not have adequate data protection regimes in place
- To avoid shock, always read terms and conditions including privacy notices
- Update your organisation's privacy notice in light of the EU GDPR (which reminds me I must get around to finalising the revision of ours)
Article written by Michael Abtar, LLB (Hons), PgDip.Law, IG Smart CEO & Principal Consultant