Liam McMonagle: Tackling the new breed of hackers
You may remember that the second film presented a dystopian 2015. Biff, the villain, had combined time travel with betting on future sporting events. He was using an almanac from the future, won every time, and became fantastically rich.
Of course we don’t need 1980s Hollywood to know the value of secret or private information. TalkTalk was in full crisis-management mode after suffering a serious cyber attack at the end of last week.
It was the latest in a long line of security breaches, high-profile hackings and attacks on the systems and networks of large and small organisations. The consequences of a security breach – commercial, legal and reputational – can be immense.
Ironically, as security tightens in the business world, we are all encouraged to share more and more about ourselves, particularly via social media, which increases the information potentially available to those with malicious intent.
Most of the regulation in this area relates to personal information and centres on the Data Protection Act 1998. This requires “appropriate technical and organisational measures” against “unauthorised or unlawful processing of personal data” and “accidental loss or destruction of, or damage to, personal data”. Properly-drafted contracts will require businesses to meet this standard, and liability for breach is commonly identified as a key risk in project management and legal agreements involving the transfer or use of personal data.
Over the years, there has also been a changing perception of what “adequate measures” are. A variety of industry standards and recognised good practices have developed and, with time, have become more onerous. Significant fines for security breaches have been imposed by regulators, while security breaches are no longer seen as a matter of hard luck or victimisation. Such attacks are now seen as events businesses are expected to prevent, while business is booming for companies who specialise in challenging, testing and identifying weaknesses in the security procedures of their clients.
More is on the way. While not yet finalised, it is likely the new Data Protection Regulation will raise standards again. It seems likely the new regulation will extend responsibilities to safeguard and protect personal information. It will significantly increase the scale of fines which can be imposed – measured in percentage points of a company’s turnover rather than the current limit of £500,000.
The reforms also include proposals to make service providers, who until now have been “data processors” responsible only to their customers, directly accountable at law. Businesses with any significant data processing requirements could be required to appoint data protection officers in quasi-independent governance roles.
As the car industry made cars more and more difficult to break into, thieves adapted by breaking into houses to steal keys. In the digital world, a password and other account identifiers are like keys.
It’s never been more important for businesses to consider these risks. Hackers aren’t all teams of geeks working in dark cellars on massive one-offs like a scene in The Matrix. They don’t all depend on technology: many can exploit observed weaknesses in systems and processes. An odd email that looks like it’s from a senior executive in the organisation. A call from IT implementing a password reset. An unencrypted laptop left in a pub or some papers left in a car boot. Using a personal account during a system outage to send a business email.
Any of these things could trigger a security breach. Would your systems prevent it?
Liam McMonagle is a partner in the intellectual property, technology and media team at Thorntons and is qualified in Scots and English law