In this blog, Philip Ingram explores the coming data wars and the fight by various organisations in the UK to protect personal data.
Elizabeth Denham, the UK Information Commissioner, has had the daunting task of preparing her office and UK businesses for GDPR within a wider Brexit framework. Whilst she has her own team providing legal advice, many legal firms, and consultancies that were traditionally cyber-security specialists, have launched themselves into the data protection arena given the huge fines that non-compliance with GDPR could attract (up to 4% of global annual turnover or €20 million, whichever is the larger).
We know how cyberspace has grown and is touching all aspects of our lives. We are constantly told of cyber-attacks and of our personal data being stolen, and we are now seeing social media companies discussed in the UK Parliament and accused of misusing their customers’ personal data. All of this is leading to another huge area of growth: ‘cyber litigation.’
The straw(s) that broke the camel’s back
The fight over personal data protection came to the fore with cases like the Facebook and Cambridge Analytica scandal, in which Dr. Aleksandr Kogan, an academic at the University of Cambridge, used a personality quiz to harvest the details of up to 87 million Facebook users. Some of that data was then shared with the political consultancy Cambridge Analytica and used to target political advertising in the US.
The UK Information Commissioner’s Office (ICO) fined Facebook £500,000 over the incident, the maximum available because the misuse happened before the new GDPR rules came into force. During the course of its investigation, the ICO analysed 700 terabytes of data, equivalent to 52 billion pages. However, Facebook is appealing the fine, arguing that there was no evidence that data from UK users had been mishandled.
This is one of a number of pre-GDPR fines we have seen this year. At the end of November, the ICO announced a fine of £385,000 against Uber’s European arm relating to a breach going back to 2016, when records for 35 million users worldwide and 3.7 million drivers were lost. The maximum fine under the pre-GDPR regime is £500,000.
Uber’s mistakes were failing to disclose the attack and then complying with the attackers’ demands by paying them $100,000 dressed up as a ‘bug bounty.’ The ICO described the attackers as ‘fundamentally different from legitimate bug bounty recipients,’ since they had malicious intentions.
What is a data breach?
Given the potential for huge rises in fines, the ICO has put a lot of effort into making its website the go-to place for information on GDPR, data protection and more. Naturally, that is the place to go when looking to answer the question ‘what is a data breach?’
The GDPR term is ‘personal data breach,’ and it is broader than data theft. The ICO describes it as ‘a security incident that has affected the confidentiality, integrity or availability of personal data.’ A personal data breach therefore occurs whenever personal data is lost, destroyed, corrupted, disclosed, accessed without authorisation or made unavailable, for example when it has been encrypted by ransomware.
Once a breach as defined above has been identified, an organisation must report it to the relevant supervisory authority (the ICO, for the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. In addition, if there is a high risk of individuals’ rights and freedoms being adversely affected, the affected individuals themselves must be informed without undue delay. It was on this point that Uber faltered.
What is interesting is that organisations are listening. It is early days, but according to the ICO’s statistics on data breach reporting, the number of data breaches reported in the UK has risen fourfold since GDPR came into force. This does not mean there are more breaches, only more reporting, now that it is mandatory. That trend is expected to continue as more companies become GDPR-aware.
Major data breaches in 2018
In a recent debate, four Queen’s Counsel from the cyber-specialist barristers 36 Commercial concluded that GDPR litigation is likely to increase dramatically because of the precedent set in the High Court, and upheld on appeal, over the leak of employee payroll data from the British supermarket chain Morrisons by a since-convicted employee. Morrisons as a company was still held liable for the employee’s actions and faces a group action from the staff whose data was leaked.
Data breaches continue even after companies have prepared for GDPR. In September, British Airways admitted to a breach, carried out over roughly two weeks, of around 380,000 booking transactions in which passengers’ personal data, including full payment card details, was stolen in a sophisticated attack later attributed to a malicious script injected into the airline’s payment pages.
Only this month have we heard of the Marriott hotel group’s Starwood reservation system being hacked, with up to 500 million guest records potentially exposed. The immediate consequence was a 6% drop in the share price, and various commentators are anticipating heavy GDPR fines being dished out to the hospitality industry stalwart.
The UK’s ICO has real challenges ahead, but its approach is not designed to punish first and foremost. Instead, it will opt to ‘encourage’ best practice and a change in attitude. That change is to recognise that personal data is not owned by the company; it is merely on loan and must be protected and processed correctly.
To date the ICO has registered many wins, taking ‘71 actions’ this year; not all of them were against commercial companies and not all of them involved fines. Even though we have yet to see the full force of GDPR brought to bear, it is clear that no one is exempt.
Moving forward, Elizabeth Denham’s organisation will be examining the impact of the Marriott breach, and organisations will be collectively holding their breath for the first GDPR fines. However, the impact of a data breach is not just a potential GDPR fine but also the damage to a company’s reputation and its share price, and the personal exposure of its board members.