On Thursday 9th May 2019, W Legal and Fidelis Cybersecurity met with a group of clients and contacts to explore the new risks and frontiers of Data Privacy and Data Protection. Guests included bankers and compliance and regulatory officers from various large financial institutions in the City, joined by a leading professor of cyber security from one of London's foremost academic institutions.
Fidelis Cybersecurity has considerable expertise derived from its work with military and commercial organisations in the USA. It has a growing presence in the UK and Europe, and regularly assists organisations here in preventing, detecting and dealing with cyber threats and data breaches. Professor Chris Hankin, Co-Director of the Institute for Security Science and Technology at Imperial College London, kindly gave an insight into some of the initiatives and research he and his team have been working on, linked to high-level communications and cyber security, data analytics and semantics-based program analysis.
Both Fidelis and Professor Hankin provided guests with plenty of key insights into the IT and security risks relevant to the corporate sector. David Ellis, a compliance and regulatory consultant barrister with W Legal, addressed new regulation, legislation and governance imperatives. Raphael Uribe, another member of the W Legal cyber team, with a background in French municipal data privacy, drew out the key lessons from a number of legal cases.
Andrew Bushby, Fidelis Cybersecurity's UK Director, explored the range of cyber threats and the appropriate response to each of them. David presented on current and forthcoming cyber regulation, including the GDPR and the proposed ePrivacy Regulation.
Case studies gave real-life examples of data loss and breaches, highlighted the kinds of responses organisations should have in place and identified the potential liabilities for firms and their directors arising from data breaches and the subsequent loss of data.

In the first case, from 2018, the ICO fined the Crown Prosecution Service (CPS) for losing data and being negligent in its data handling. This case study illustrated why organisations must take stock of their hardware and systems and put procedures in place so that hardware and devices are not mislaid through negligence, poor security or a lack of governance procedures.

The second case study concerned an employee of the supermarket chain Morrisons who, acting out of malice, deliberately breached company policy by publishing fellow employees' personal data online. The company was held vicariously liable even though the employee acted wrongly and outside his specified duties (a finding the Supreme Court later reversed in 2020, after this event). The case showed how important it is for a company to know who has access to what data, and to limit the damage a disaffected insider can do.

The final case study was that of Ashley Madison, the Canadian online dating service marketed to people seeking affairs. Here an external group of hackers breached the company's servers and stole subscribers' highly sensitive and embarrassing personal information. The attackers were so-called 'hacktivists' who objected to what they considered the website's nefarious purpose. The case demonstrated that organisations need a clear plan of action so that they can respond rapidly in the event of a data breach. The company became liable to pay damages to a large number of users and was publicly exposed for the social and personal harm the website was said to have caused.
Four key takeaway points for guests were to:
1) Take cybersecurity seriously. Large multinational corporations face an ever-increasing risk of being breached, and their cybersecurity is crucial to protecting their data. SMEs are threatened too, whether directly or as collateral damage through the larger organisations they deal with, and are at no less risk.
2) Carry out a careful data audit to understand and map where data is located in your organisation, and educate yourself about cybersecurity. As cyber-attacks and data breaches evolve, it is vital that any professional who handles data understands the new risks and challenges they pose.
3) Have a plan prepared and train staff. Every organisation should develop and implement a cybersecurity strategy that addresses its personnel, policies and procedures comprehensively.
4) Understand the regulatory fines, sanctions and civil liabilities that your organisation could face, how best to manage such situations and how to limit the potential for damage.