Be prepared and be a cyber boy scout – united we stand, divided we fall
May 2013 | EXPERT BRIEFING | RISK MANAGEMENT
Rapidly becoming a flash-point for privacy campaigners, new cyber proposals on both sides of the Atlantic are due to cause a seismic shift in the legal framework governing the notification of security incidents and information-sharing to limit risk and improve security.
A growing problem
On a national level, in a Landscape Review of the UK’s Cyber Security Strategy in February 2013, the National Audit Office reported that the government in 2010 ranked cyber attacks as one of the top four national risks, alongside international military crises, terrorism, and natural disasters.
When it comes to personal data breaches, according to the Information Commissioner’s Office (ICO) the number of breaches has increased by nearly 10 times in the last five years. This is not widely publicised as currently only ‘public electronic communications service providers’ (PECNPs) (i.e. telcos) have a duty to notify breaches, but a proposal by the EC is calling for increased obligations on organisations and greater transparency surrounding data breaches. In addition, the absence of contractual provisions requiring a supplier to notify a customer in the event of a breach can place an organisation in a difficult position when deciding when and how to notify authorities and its customers.
Data breaches – what effect do they have?
Personal data breaches can be defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A personal data breach can have a major impact on an organisation. Not only does it lead to negative PR and damage to reputation, trust, brand and goodwill, it also affects consumer confidence and, ultimately, share price and investor relations. It is no wonder that companies try to conceal these breaches, but the new regulations specify transparency surrounding such events.
Data breaches affect even the largest organisations. In April 2011, Sony came under scrutiny as it was hacked into and the personal data of thousands of users was leaked. Users were furious that it took six days for them to be notified that their personal details were no longer secure.
In January 2012, the EC published a draft set of Data Protection Regulations (Regulations) to update the existing primary EU Directive which governs data protection law. The aim was to increase the burden on organisations to ensure that personal data is held securely. Due to the nature of the cyber world, most breaches are likely to have a cross-border impact and this has led to the implementation of a single harmonised law across the EU.
New laws – new obligations
Article 31 of the proposed Regulations, which is due to come into force in late 2014 or early 2015, specifies that every personal data breach, in all sectors, must be reported to the relevant supervisor, where feasible, within 72 hours of the data controller having knowledge of the breach (the original draft suggested 24 hours, but this was widely criticised; 72 hours is not much longer, but at least better). In the UK the supervisor will be the Information Commissioner. If notification takes longer than 72 hours then a written explanation will also need to be sent. Further to this, those breaches that are “likely to affect the protection of the personal data or privacy of the individual” must be notified without further delay.
The nature of the notification differs depending on who is notified; a greater level of detail is necessary when notifying the authorities. As a minimum, the notification must detail the nature of the breach and the measures taken to mitigate any adverse effects that the breach may have.
The Regulations also introduce potential penalties for data breaches of up to 2 percent of an organisation’s global turnover. With these proposed increased penalties, many companies are investing in improving data security and information assurance prior to the introduction of the Regulations.
These Regulations may seem particularly onerous, especially for smaller companies; however, the reality is that Europe is behind the times in protecting personal data. California took the lead in 2003 when it introduced a law regarding data breach notifications. Since then, 46 states have followed suit and the US now has comprehensive laws governing data breaches.
New cyber security rules on both sides of the Atlantic
The proposals that have really riled privacy campaigners, however, are those that were introduced to the US legislature in February 2013. The Cyber Intelligence Sharing and Protection Act (CISPA) received significant resistance from lobbyists, privacy and human rights campaigners and looks set to be a landmark battleground for Congress and the US administration. CISPA is intended to prevent and limit the effect of cyber attacks by facilitating information-sharing about threats and malware with the intelligence community and the Department of Homeland Security.
Facebook withdrew its support for the bill in February after a petition by lobbyists, Demand Progress, directed at CEO Mark Zuckerberg. Microsoft had previously backed away from the bill, remarking on the importance of the “voluntary sharing of cyber threat information in a manner that allows us to honour the privacy and security promises we make to our customers”.
The EU is being no less compromising in its approach, having just released a proposal for a new Directive – 2013/0027 (COD) (Cyber Directive). The aim of the proposed Directive is to ensure a high common level of network and information security (NIS) across the Union. This means improving the security of the internet, and the private networks and information systems underpinning society and economies. The Directive will require member states to cooperate, and require operators of critical national infrastructures (CNI), such as energy, transport, and key providers of Information Society Services (e-commerce platforms, social networks, such as Facebook and LinkedIn), as well as public administrations, to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.
The new proposals, therefore, cast the net far wider than the current mandatory telco notification.
The proposed EU Directive has three limbs. First, member states must have in place a minimum level of capabilities by establishing competent authorities for NIS, setting up Computer Emergency Response Teams (CERTs), and adopting national NIS strategies and national NIS cooperation plans. Second, national competent authorities should cooperate within a network to enable secure and effective coordination, including coordinated information exchange as well as detection and response at EU level. Through this network, member states should exchange information and cooperate to counter NIS threats and incidents on the basis of the European NIS cooperation plan. Third, it leverages the existing Framework Directive for electronic communications to ensure that a culture of risk management develops and that information is shared between the private and public sectors.
Companies in the specific critical sectors outlined above, and in public administrations, will be legally bound to assess the risks they face and adopt appropriate and proportionate measures to ensure NIS. These entities will be required to report to the competent authorities any incidents seriously compromising their networks and information.
Some EU countries are ahead of others on this issue. Germany last month introduced a draft IT Security Act in their parliament which, if passed, would introduce minimum IT security standards for critical infrastructures, as well as mandatory reporting obligations.
The UK, however, has expressed concerns, preferring companies to inform each other of breaches voluntarily rather than by legal compulsion.
In the recent Commons Public Accounts Committee on UK Cyber Security (March 2013), the extent to which current government initiatives and investment have had positive results was challenged. Yet, witnesses stated that the UK was at the cutting edge of cyber-security and cyber-space governance. However, there was some concern that whilst the UK had a penchant for investing in good advice, it was not so good at promoting it (referring to sites such as Get Safe Online). The Committee heard that IT security was only part of the solution: human behaviour is also a key determining factor. One of the most significant strands to combating the challenges posed by cyber threats is information-sharing. Mark Hughes, Managing Director of Security, BT, pointed out that the Cyber-security Information Sharing Partnership (CISP) may be a formidable means of identifying vulnerabilities and threats before they mature; as part of this exchange, real-time information may be shared. This is crucial.
What should you do now?
There are many steps an organisation can take to manage the impact that the new Regulations will have.
Organisations should have a dedicated Incident Response Team with procedures in place should a breach occur. With the short timeframes introduced by the Regulations, companies need to have a process in place and those involved should know how to react.
Organisations should review their data protection policies and amend them if necessary. This involves looking at any contracts with contractors as well, to ensure that personal data is safe if it is outsourced at any point. Contracts should also be reviewed for responsibility and, where possible, a company should endeavour to limit its liability for any breach by a contractor or sub-contractor.
Although the new Regulations and Cyber Directive will inevitably encourage companies to be more transparent, there is a concern that other problems may be caused by the implementation of this law, as outlined below.
First, the new Regulations and Cyber Directive may encourage excessive disclosure. For example, due to the time constraints companies may decide to notify all those who have potentially been affected rather than waiting to establish who has actually been affected. This is likely to worry consumers and lead to bad publicity even if it then turns out that some of these individuals have not been affected.
Second, notification will use up resources which could be working to rectify the problem. Fixing the problem should be the priority in these situations.
Third, there will be serious concerns raised by competitors when disclosing potentially sensitive information regarding information assets and confidential information and intellectual property. Careful consideration will need to be taken to ensure sufficient information is disclosed, whilst keeping it secure and limiting the extent to which it may be used and shared. Those who share should also benefit from receipt of reciprocal information. In contrast, those who refuse to do so may be disadvantaged from not being part of the information security inner circle.
Finally, notification will cost money. In austere economic times, companies are looking to keep spending to a minimum but the introduction of the Regulations will undoubtedly force companies to spend more money on protecting the data they hold.
Only time will tell if the Regulations will help manage data breaches or just cause unnecessary worry and costs. Either way, businesses should be prepared and take precautions now to minimise the impact they will have. The landscape is changing on both sides of the pond, and a culture of information-sharing and risk management is soon set to become the norm.
Philip James is a partner and Joint Head of Technology at Pitmans LLP. He can be contacted on +44 (0)207 634 4655 or by email: firstname.lastname@example.org.
© Financier Worldwide