Once infected, the malware prevents organisations from accessing their data holdings unless a ransom is paid.
The story is becoming increasingly familiar and with each high profile attack the protection of personal data held by businesses becomes an ever increasing concern. Cybercrime is fuelled by the sheer volume of data now available, and the increasing use of offsite and cloud storage systems has dispersed that data giving criminals many more points to access it.
Faced with such threats, businesses have been encouraged to review their cyber security and upgrade their IT systems. But technology on its own cannot stop a cyber-attack unless the organisation fully understands the data assets that the technology is trying to protect. An effective cyber security strategy requires a legal analysis of an organisation’s whole approach to data protection – how the organisation controls the collection, use and sharing of its data.
Data protection and cyber security are no longer just IT concerns; they are now board level issues.
Do not delay
All businesses located outside the EU who offer goods and services to EU citizens will need to ensure compliance with the EU’s General Data Protection Regulation (GDPR) which comes into effect in May 2018. The GDPR includes requirements for personal data security and, in the event of a data breach, notification to the relevant regulatory authority and any affected individual data subjects.
Comprehensive data protection legislation has also recently been passed in Bermuda and the Cayman Islands. Drafted around a set of EU-style data privacy principles, both laws are expected to come into force during 2018 and will apply to all organisations processing personal data in those jurisdictions.
Organisations operating in offshore centres need to get it right – reputations, large fines (in some cases up to the greater of €20 million or 4% of global annual turnover) and criminal liability are now at stake.
Developing a cyber security compliance plan
At a high level, developing an effective compliance plan means answering the following questions:
- What personal data does the business hold and in what format – paper, electronic, tape?
- How was that personal data captured, and for what purposes is it being used and processed by the business?
- Is that personal data being transferred to any other company within the group or to third parties for any purpose? If yes, into which jurisdictions is the data being sent?
- What data protection and cyber security regulatory regimes apply to the organisation’s personal data holdings, considering both the location in or from which the data was collected and the locations where it is being processed?
- Are the organisation’s existing policies and procedures compliant with applicable data protection laws? Where are the gaps?
- In the event of a data breach, are systems in place to ensure that the breach can be quickly identified and the appropriate authorities and any affected data subjects notified?
- Looking to the future, what plans does the business have for processing personal data, having regard to new business lines, new jurisdictions, new technologies, new business models and other opportunities for commercialising its data holdings?
Offshore financial centres represent an attractive target for cyber criminals because of the large and often highly sensitive data holdings being collectively managed by those centres. As organisations increasingly outsource a significant part of their day-to-day operations to external service providers, these transfers also leave them vulnerable to attack. Cyber criminals can easily identify and exploit weak links in the flow of information between the organisation and its external providers.
Data that may have been anonymised or aggregated by an organisation will still require careful handling. The rise of social media and the increase in online public data sources means cyber criminals are now easily able to “re-identify” individuals by combining that information with the anonymised or aggregated datasets.
Transferring data to third parties
In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues must be considered before any transfers of personal data are made to third parties. There is no substitute for proper due diligence on the systems, policies and procedures of third party providers to ensure that personal data is handled appropriately and securely. Regular physical audits and independent testing of a service provider’s controls would also be advisable. Contractual provisions should be put in place between the organisation and the third party service provider to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that disaster recovery practices are in place in the event of a data breach. Use of unauthorised subcontractors by the service provider should be prohibited without the prior approval of the transferor.
Data protection and new technologies
Financial technologies or “FinTech” are emerging technologies that have the potential to supplement or disrupt the offshore financial services industry. FinTech solutions also raise data protection and cyber security concerns that need to be carefully considered before they are adopted.
Blockchain, or distributed ledger technology, is starting to be used to centralise a number of back-office and compliance functions. Designed to keep a permanent, immutable record of all transactions that have taken place, the technology is at odds with the requirement under modern data protection legislation to ensure that all personal data is securely purged once the purpose of use has been fulfilled. As users of the ledgers may be anonymous, there is also the potential for criminal organisations to apply powerful data analytics to these datasets, matching records that appear to contain no personally identifiable information against records that do, and thereby re-identifying individuals from that data.
The attraction of flexible working has led to a growth in the popularity of “bring-your-own-device” (BYOD) policies. While some organisations issue smartphones and tablets to employees, in other organisations employees may be using their personal devices for business purposes without approval. Where BYOD is offered, a careful balance needs to be struck between employee satisfaction and protecting personal data. Organisations should put in place a clear BYOD strategy that sets out minimum do’s and don’ts for using a device. Data should be encrypted, and the organisation should have the ability to remotely access, monitor and wipe the data and to prevent data access by third party apps.
Effective data protection starts with knowing your data, but in the era of mobile devices and cloud computing, identifying the full extent of an organisation’s personal data holdings can be difficult, as the databases are not always clearly marked out as such. A data audit should be conducted to establish a clear view of the data, both proprietary data and client-specific personal data.
Implementing a data protection and cyber security compliance programme involves engagement with the right stakeholders across the organisation. An effective governance regime for approving, overseeing, implementing and reviewing the various policies also needs to be established. A coordinated chain of command should be developed, together with written reporting procedures, authority levels and protocols including seeking and complying with legal advice. The appointment of official roles such as a Data Protection Officer is also recommended.
Compliance training will be required for personnel at all levels, including key external service providers, to emphasise the importance of compliance to the organisation. Serious misconduct should be addressed with appropriate disciplinary action, regardless of seniority. The compliance programme should be reviewed regularly to reflect changes in law and regulation, changes in the types of data being collected and used, and any changes in the technologies utilised by the organisation.
Protecting personal data is now business critical. Even if monetary losses are not sustained as a result of a cyber-attack, the reputational damage to an organisation following a data breach could be devastating.
At Appleby we offer advice to clients on all aspects of data protection and cyber security compliance, including:
- Privacy impact assessments, which include a general framework for the organisation to assess privacy impacts due to proposals for organisational, technological or policy change;
- Data collection and capture, including policies concerning the mechanics of collecting consents;
- Advising on the transfer of personal data as part of business merger and acquisition and joint venture activity;
- Structuring cross-border data transfers including as part of shared services and cloud arrangements;
- Human resources management, including policies dealing with job applicant data, retention of and access to employee files, employee monitoring, management of sensitive employee data and the use of external vendors for functions such as payroll and counselling;
- Data subject access, including procedures for assessing and verifying requests and responding to those requests;
- Data analytics, including policies specifying the types of profiling data that may be used, and anonymisation/aggregation principles;
- Responding to data requests from foreign regulators;
- Data breach management, including policies for escalating, containing and remediating breaches and making breach notifications to regulators and affected parties;
- Complaints handling, including complaints from customers, employees and other affected individuals; and
- Data quality management, including procedures for updating and correcting databases and determining if data is to be erased.