By Graeme Newman, Chief Innovation Officer
Only a few weeks ago, it emerged that popular high-street retailer Sports Direct had suffered a cyberattack, resulting in the names, emails, postal addresses and phone numbers of some 30,000 staff members being stolen. Yet, whilst internal systems detected the intrusion in September, the incident wasn’t officially reported to the Information Commissioner’s Office (ICO) until December, and even then, the staff whose details had been stolen weren’t notified until the attack became mainstream news very recently.
Failure to notify in this case didn’t technically break any rules, but this is all set to change once the General Data Protection Regulation (GDPR) comes into force in May next year. When that happens, companies will be faced with a mandatory reporting regime with only a 72 hour window to inform the ICO, and, if the breach is considered to pose a high risk to the individuals concerned, they will also have to be notified. The consequences for failing to do so will be significant – up to €10 million or 2% of global turnover in fines if these notifications are made late.
So what are the likely impacts on UK businesses and their approach towards cyber security as a result of this upcoming change in the law? It is hoped that in the long term, increased transparency will lead to better security as businesses try and avoid the embarrassment of public disclosure. In the short-term, by forcing notification, individuals who’ve had their data compromised will be able to take specific measures to reduce their risk of identity theft and hopefully make this form of crime less attractive to commit in the first place.
However, there is a downside to these new regulations. Data breaches are far more common than you might think and dealing with them can be very expensive. IT security forensic consultants often charge in excess of £400 an hour to identify and quantify the scope of a breach and the cost of notifying individuals can be in excess of £10 per individual depending on the form of identity theft protection product a business chooses to offer. All of this adds a significant burden to UK businesses, many of which are significantly behind their US equivalents in terms of cyber security maturity.
All of this may explain why a much higher percentage of US businesses acquire cyber insurance than those in the UK; data breach notification regulations have existed in the US for more than ten years and approximately 25% of companies now buy some form of cyber insurance, which can help absorb the high costs of investigations and notification. With the GDPR regulations now on the horizon and it being increasingly easy to find affordable cyber insurance products in the UK, there’s never been a better time for businesses to consider investing in this type of protection.