Aman Johal, Lawyer and Director of Your Lawyers, shares the lessons that UK businesses can learn from Chinese ride-hailing company Didi's recent cybersecurity review.
In the latest escalation of Chinese authorities cracking down on the country’s tech sector, one of the biggest ride-hailing services, Didi Chuxing, is now under investigation by the country’s internet regulator. It follows other recent government actions aimed at online marketplace Alibaba and social media companies Tencent and ByteDance.
The announcement of a so-called “cybersecurity review” by China’s Cyberspace Administration saw Didi’s shares plummet in the US, two days after its IPO. The review is intended to “safeguard national data security, maintain national security and protect public interest”, and the regulator also rescinded Didi’s ability to accept new registrations. The regulator’s ruling shows the impact perceived cybersecurity risks can have on a business, let alone its consumers. But what are the lessons for British businesses?
The business costs of a cybersecurity threat
The impact of the regulator’s announcement was devastating for Didi and could not have come at a worse time. Just two days earlier, Didi had completed its IPO in New York with a $68bn (£49bn) listing, raising nearly $4.4bn in the process and making it the largest IPO for a Chinese company in the first half of this year. When news of the cybersecurity review landed, Didi Global’s stock price fell more than 7% in morning trading.
There are parallels for British businesses, and harsh lessons to be learned too. In 2018, British Airways suffered a historic data breach, with some 420,000 customers affected, an action in which our firm, Your Lawyers, represents thousands of clients. Initially, the ICO issued a record notice of intention to fine the airline £183m and, although this was later revised down to just £20m, the airline is due to pay far more substantial costs in compensation claims. Just this week, one settlement was reached for an estimated 40,000 claimants, who may each recover thousands of pounds in compensation. With plenty of time for more claimants to join the group action, the final cost of the data breach could be astronomical. It is not just the short-term financial costs of a cybersecurity risk that businesses should be concerned about, but also the long-term reputational damage that can be caused.
Not only have investors got cold feet about Didi, consumers too could turn their backs on businesses that fall short of their responsibilities to protect and use information responsibly. Consumers are increasingly savvy about cybersecurity issues, and this could have a huge impact on the ride-hailing service’s success as it plans to launch in Britain within weeks. The reputational issues may damage public perceptions of the brand, causing consumers to avoid Didi and continue to use existing competitors. The long-term financial impact could be far greater than the short-term hit to Didi’s stock price, as there can be a direct relationship between cybersecurity and competitive advantage.
The legal implications for business and consumers
If found liable for a data breach or leak, the legal implications for businesses can be significant. A single breach or leak could expose the data of tens of thousands of people and, if each victim brings a claim worth thousands of pounds, the total cost could be astronomical. In the British Airways case, Your Lawyers previously estimated that compensation awards could be in the region of £6,000 for each claimant in some cases, based on current case law. This means the airline could face a potential compensation bill of up to £2.4bn in a worst-case scenario.
The damages per claimant can vary depending on the type of information exposed, the amount of data involved, and the impact it has had on the victim. In a recent review of the damages that Your Lawyers has recovered to date, which come to a total of £1m so far, we found that the typical range of awards runs anywhere from £500 to £15,000. The mean award was just over £6,000, and cases where psychological trauma has been sustained can exceed £15,000.
Confidential personal data – such as names, billing addresses, email addresses, card payment information, medical details, etc. – can be extremely valuable to criminals. It can be used to defraud victims and to steal identities and money. We have received frequent reports from claimants in the BA case of fraudulent transactions on accounts that were exposed to criminal access following the breach, an experience that can be really traumatic for victims.
Organisations that store and process private medical data can be particularly susceptible to paying high compensation, because health data is among the most valuable data a cybercriminal can steal. A single health record reportedly sells for $250 on the black market, compared with a reported $5.40 for payment card details. For comparison with the average claim in the BA data breach case, the most seriously affected claimants in the 56 Dean Street data breach in 2015 could receive damages of up to £30,000, after a leak exposed the contact details of 800 patients using the clinic for HIV services.
Managing and protecting consumer data from cybersecurity risks
The examples of Didi and BA demonstrate the importance for businesses of establishing robust cybersecurity measures and protocols to safeguard the information they hold. First and foremost, organisations must invest in industry-leading cybersecurity software and make use of expert consultation, both internal and external, for advice and support. Simple cybersecurity procedures such as multi-factor authentication and the use of strong, unique passwords can easily be deployed as crucial methods for preventing attacks. Organisations must also deploy robust backup strategies, as regularly backing up data and storing it in a separate or offline system can help to minimise the impact of a hack.
Crucially, businesses must educate their employees to prevent hackers from gaining access to a system via rudimentary methods such as social engineering, phishing attacks and telephone scams. The initial expense of cybersecurity training is easily outweighed by the significant financial repercussions it helps to avoid, along with any legal action that may follow a breach.
As Didi has shown, cybersecurity risks can be highly damaging for businesses and their consumers on multiple levels. Preparing a preventative strategy and data management procedures for consumer information can help to avoid a challenging and incredibly costly legal fallout.