Rumour has it that some attackers are approaching businesses with a new pitch for paying up: ‘Our ransom will cost you less than the GDPR fine for being hacked.’ For businesses trying their best to stay compliant and respect their clients’ privacy, this is an alarming prospect. Below, Matt Shepherd, Head of Data Strategy at BBH London, discusses the issue with Lawyer Monthly.
Like bank robbery, data theft, ransomware and other cyber-attacks are already against the law (in the UK, under the Computer Misuse Act 1990). So, just as a bank robber is unlikely to be put off by the sentence they will receive if caught, hackers are unlikely to see GDPR as a deterrent to their “work”: the regulation penalises the organisations that fail to protect personal data, not the criminals who steal it.
The behavioural and attitudinal differences between the two crimes are stark. Bank robberies require nerve but little skill; hackers are clever, but thanks to the cover of the dark web and encryption they never have to show their faces, which makes them spineless in comparison. The capture and conviction rates are vastly different too: a cyber-attack is far harder to attribute and prosecute than a “good old” bank robbery. So GDPR is unlikely to affect conviction rates for data theft and cyber-related crime.
It is unlikely that the rate of hacking will increase in a post-GDPR world. However, thanks to the new regulations, data breaches are likely to become more widely publicised. GDPR requires organisations to notify the supervisory authority (in the UK, the ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the individuals concerned, and to tell affected individuals without undue delay where that risk is high. This means that slow disclosures like Equifax’s handling of its large 2017 data breach won’t wash with the ICO. And after 25 May 2018, when the regulation applies, trying to brush a breach under the carpet will greatly increase the chances of incurring a large fine.
It is worth noting at this point that being hacked isn't going to automatically incur a fine: suffering a breach is not in itself a violation of GDPR. However, a breach made possible by inadequate IT security is highly likely to attract one, because the regulation requires “appropriate technical and organisational measures” to protect personal data, and so is a failure to report the breach properly. Companies will therefore need to be able to show that they followed due process to protect customers, and to inform them, in the unfortunate event of a hack.
Personal data that is poorly stored and then leaked or stolen is a violation of GDPR, so organisations must improve their data management and protection processes to ensure compliance with the new regulations. These improvements should, in theory, reduce the risk of a data breach, whether accidental or the result of a cyber-attack.
So if you haven't started already, now is the time to ensure that your data architecture, as well as your IT security, is compliant. Internal education to remove sensitive data from the random corners of the business where it tends to accumulate (spreadsheets, shared drives, old exports) is just as important as sorting out the bigger IT infrastructure issues.
The number of robberies of British bank branches dropped by 90% between 2001 and 2011. This wasn't due to the growing number of branches that have been turned into coffee shops, or even to heavier sentences, but rather to a raft of new technologies that made it extremely difficult for "traditional" robbery tactics to work. Anyone trying to rob a bank now faces much better CCTV, protective screens that can rise in under a second and smoke screens designed to confuse and disperse criminals.
The increased precautions we are all taking with customer data are thanks in part to GDPR, and in the longer term they should mean fewer breaches. Like the banks, we will use technology and GDPR best practice to comply and, more importantly, to protect customers. But don’t let complacency set in: the hackers will keep improving their skills at a similar rate to the good guys.
There is one final thing to watch out for. The publicity around GDPR is likely to make it a theme for ransomware and phishing campaigns, potentially making customers more susceptible to attack. Cybercriminals will use GDPR as a social engineering lure, for example with emails asking recipients to “re-confirm their consent” or “update their details” via a link, in the same way they try to provoke a response with fake fraud alerts posing as your bank.
The regulations will help make all our data safer in the future, but the hackers are still going to hack. There will be a similar number of breaches post-GDPR, but thanks to more press coverage and headline-grabbing fines we are going to hear about more of them, giving the perception that hacking is getting worse.
That is not necessarily a bad thing: the sooner the public find out, the sooner they can act to protect their data. We need to build trust, transparency and joint accountability with customers to ensure that the volume of data hacks doesn't increase in a post-GDPR world.