So, 2015 was the year of the cyber-attack, with TalkTalk, Ellen Conlin Hair & Beauty and supermarket group Morrisons all experiencing its devastating impact.
The Ellen Conlin attack highlights that businesses of any kind can be targeted by hackers for financial gain. The company that hosted Ellen Conlin’s database had to pay a ransom of 1,000 Bitcoin (about £238,200) to unlock the firm’s appointments database. Meanwhile, Morrisons is now being sued in a class action after a disgruntled employee published personnel records online.
These firms had to decide whether to say nothing, or go public to reassure customers that no personal information had been compromised. As TalkTalk discovered, there are downsides to going public quickly – an initial figure of four million customers whose data was thought to be potentially affected turned out to be 157,000. Reputation management can consume management time; solicitors and a PR consultancy may need to be involved.
Statistics show there were 2.5 million cyber-crime incidents from 2014 to 2015 in England and Wales. PwC’s latest report for the year to June 2015 stated that 90 per cent of large businesses and 74 per cent of small businesses surveyed reported a security breach. Claiming “we were the victim” was the approach of TalkTalk after its attack. But it cuts no ice with the Information Commissioner.
Cyber-attacks resulting in the loss of personal data carry another risk – 2015 saw the Court of Appeal make it significantly easier to claim damages under the Data Protection Act. One case decided that compensation may be payable if the data breach has caused simple distress, obviating the need to demonstrate pecuniary loss as well.
How best can you protect your business? Talk to a data protection defence specialist with experience of engaging the Information Commissioner.
• Paul Motion is head of the data protection team at BTO Solicitors