Several high-profile data security incidents in recent years have shown the need for legislative oversight of data security and privacy. In 2016, the US presidential election and the UK referendum on EU membership were beset by data privacy issues involving Facebook and Cambridge Analytica. Data breaches became primetime news, and many experts now treat them as a question of when, not if. Indeed, in August 2019 researchers at the VPN review service vpnMentor found a publicly accessible, unprotected database belonging to Suprema's Biostar 2 biometric access-control platform, containing facial recognition data, fingerprint data, access logs and personal information relating to millions of people.
In May 2018, the General Data Protection Regulation (GDPR), adopted in 2016, became applicable across the EU and shifted the focus of data privacy onto the rights of the data subject. It was also a turning point in how companies approach data security and breach management: GDPR introduced a comprehensive set of obligations, from implementing appropriate technical and organizational measures to protect personal data (Article 32), to carrying out data protection impact assessments for high-risk processing (Article 35), to notifying personal data breaches to the competent supervisory authority and, where necessary, to the affected data subjects (Articles 33 and 34). The preceding regime, built on the 1995 Data Protection Directive, was far less effective: breach notification duties were either absent, or applied only to particular sectors (such as telecoms providers under the ePrivacy Directive), or only in member states that had chosen to add their own security rules.
Cybersecurity assessment and reporting
Since GDPR took effect, companies have struggled with compliance, particularly when it comes to assessing how likely a data breach is to occur and what its impact would be. Organizations are therefore looking for ways to foster a culture of cybersecurity compliance among staff, but qualified professionals are in short supply. Responsibility for interpreting the new rules and guidance has in many organizations landed with the legal department, and collaboration between legal, IT and security functions is essential.
Under GDPR, a personal data breach must be notified to the competent supervisory authority unless it is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, the affected data subjects must also be informed without undue delay. However, neither "risk" nor "high risk" is defined in the articles; the recitals list the kinds of harm to consider but set no threshold. Guidance on assessing breach severity has been issued by data protection and cybersecurity authorities (for example, the Article 29 Working Party's breach notification guidelines and ENISA's severity-assessment methodology), but applying it to a specific, still-unfolding incident can be very difficult. The problem is compounded by the deadline: GDPR requires notification to the authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach, with reasons given for any delay.
Notification goes to the competent supervisory authority, such as the UK Information Commissioner's Office (ICO) or the French Commission Nationale de l'Informatique et des Libertés (CNIL). Which authority is competent depends on where the controller is established and where the affected individuals are. A controller whose main establishment is in the UK generally notifies the ICO as its lead supervisory authority even where the affected individuals are in Germany; a controller with no establishment in the EU, by contrast, may have to notify the authority in each member state concerned, and Germany alone has a federal authority plus one for each state. Cross-border questions of this kind are why an organization's legal team must be in the room before action is taken: it directs the breach procedure and advises on who must be notified, of what and by when. Building organizational cyber-resilience is now a collaboration between developers, investors, IT security and legal teams. These programs ensure an organization has robust, documented response procedures before an incident occurs, and that they are exercised routinely, much like office fire drills.
In the event of an incident, the legal team takes the procedural lead. If staff discuss a suspected incident or commission forensic work without the legal team involved, the resulting advice and reports may not be protected by legal privilege, and the organization risks having documents describing its own security weaknesses disclosed to regulators, law enforcement and claimants seeking damages. For this reason, the organization's legal representative should coordinate the PR, IT and other departments, as well as third-party providers such as insurers and forensic investigators, to ensure the agreed procedure is followed. When staff follow the organization's cybersecurity program in this way, the risk of litigation and liability is substantially reduced.
Fully regulated data and company valuation
Before the internet was ubiquitous, cybersecurity was mostly an internal matter: protecting standalone or locally networked machines from misuse. In regulated sectors such as financial services, banking and aviation, there has long been a clear requirement for information security to ensure client and customer data is handled appropriately. Outside those sectors, user data and user rights were typically an afterthought.
Today, data, privacy and security are considerations across all sectors. Organizations are reviewing their information security requirements, agreements and systems, and this is reflected in contracts (such as partnership and collaboration agreements) through detailed security schedules. The regulatory stakes are high: in July 2019 the ICO announced its intention to fine British Airways GBP183 million and Marriott International GBP99 million under GDPR after attackers stole large volumes of customer data from their systems. Breaches are costly beyond fines and sanctions. The 2019 Cost of a Data Breach Report from IBM Security and the Ponemon Institute put the average cost of a breach at USD3.92 million, of which an estimated 36%, or USD1.42 million, is lost business. The report also put the average size of a breach at 25,575 records.
GDPR has pushed cybersecurity practice towards greater inter-organizational collaboration and the accountability of every party that handles personal data. Clients, for instance, are less willing to accept the risk that a vendor is breached and their own data compromised in turn.
Those concerns were realized earlier in 2019 when it was reported that hackers working for Chinese intelligence had breached Norwegian software firm Visma in what researchers assessed was an attempt to reach its clients' data; Visma said the intrusion was detected and no client data was compromised. More recently, in August, web hosting company Hostinger disclosed that an attacker had accessed an internal server holding the personal data and hashed passwords of some 14 million customers, prompting a forced password reset. Cybersecurity now influences company valuation. In past years, data protection due diligence in mergers and acquisitions was, in most instances, a checkbox exercise. Today it is highly scrutinized and has significant ramifications. Companies whose value lies in IP and large databases must be able to prove that data was gathered from end-users lawfully. Unverifiable collection practices risk tainting the combined databases of merging companies and eroding the parent organization's value. Reducing liability and data protection risk is therefore a high priority for stakeholders, because acquirers cannot afford to buy a high-risk company, whatever its size or value.
Cybersecurity itself is now valued more highly than ever. Security vendor McAfee is reported to be preparing an initial public offering later in 2019 that its owners hope will value the company at around USD8 billion. In the UK, Avast has become one of the world's most profitable cybersecurity firms since its 2018 London Stock Exchange listing.
Privacy by design
GDPR requirements and user privacy are now core to how organizations approach personal data. Privacy by design, which GDPR frames as data protection by design and by default (Article 25), is a central component of new projects, products and services, whether in software development, internet-of-things devices or medical trials. When organizations develop a new product or service, they consider privacy requirements from the outset. This includes demonstrating accountability and formalizing processes for risk assessment, decision-making and recordkeeping that cover what data is collected, its sources, how it is used, who can access it and how it is stored.
A holistic approach to cybersecurity
Demand for comprehensive cybersecurity services is growing rapidly, and clients expect a one-stop shop for these needs. At DLA Piper, we help clients at every stage of the data protection and cybersecurity lifecycle, from building tailored, tested internal response policies, to leading breach response teams during incidents, to handling regulatory investigations and lawsuits.
We have invested heavily in our cybersecurity offering, which includes internally developed interactive tools that add value for clients. One of the latest is Notify, a data-breach severity-assessment tool that helps clients determine whether a breach must be notified and generates an assessment report that can be presented to the board or to the authorities. Notify was highly commended in this year's Financial Times Innovative Lawyers Awards.