Cyber crime is not a fictional concept
Cyber crime is not a fictional concept; it is a very real problem. Last year the cost of global cyber crime was estimated to be USD388bn [1], with an individual falling victim to a form of online crime every 19 seconds.
In today’s multi-channel, mobile and inter-connected world, every element of society, including government, industry, commerce, charity, health, education and individual citizens, is increasingly at risk as more and more sensitive data is stored on a computer system somewhere in the world. The risks are constantly evolving as technology develops, and they are likely to become more acute as a new generation of smartphones effectively becomes mobile wallets, placing ever greater volumes of personal and financial data at risk.
Threat is growing
Criminals looking to steal and exploit data for financial gain are in an increasingly strong position. Not only do new technology and growing access to that technology provide ever more opportunity, but governments and private enterprises are aware that they can no longer keep quiet about data leaks and malicious attacks on their IT systems. While it is good to keep the public informed, any release of information on the nature and extent of cyber attacks and how to prevent them also educates the fraudsters and raises the threat level further.
Three key causes of loss
As severity and frequency rise, risk managers and finance directors are realising that they need to develop a greater understanding of how to predict and prevent data breaches. According to NetDiligence’s recent study of cyber and data breach insurance claims [2], published in June 2011, the reasons for data loss break down into three main areas:
- Hackers and criminals were responsible for 32% of breach events
- Rogue employees were the cause of 19% of data breaches – and the poor economic climate is expected to exacerbate this problem going forward
- Theft of mobile computer equipment such as laptops and memory sticks carrying unencrypted data was responsible for 33% of breaches
Insurance market is responding
As the frequency and severity of cyber data incidents increase, the insurance world is becoming more concerned about the financial risks associated with a data breach and cyber crime. There is a growing insurance market for both first and third party data liability business, and also for first party business interruption cover. These products and covers are likely to continue to develop over the coming years.
London is a pre-eminent market for this business due to its high levels of innovation and its ability to provide specialist and tailored cover. We expect that the introduction of mandatory reporting of data breaches for companies handling EU citizens’ data inside or outside Europe will significantly speed up the rate of new product development in 2012 and beyond.
Data privacy is the top emerging risk for the 21st century
In our opinion data privacy is, and will continue to be, the biggest emerging risk for businesses in the 21st century. Any company that does not put appropriate risk management and mitigation measures in place to deal with a potential data breach will suffer significant financial loss and irreversible damage to their brand reputation. However, companies that do plan for a breach, have robust risk management measures and systems in place and respond in a responsible and appropriate manner can emerge from a data breach incident relatively unscathed. Insurance can provide essential financial assistance and access to highly experienced legal, IT forensic and crisis PR advice – which can help companies preserve reputation and get back to trading as rapidly as possible.
Earlier this year the Sony Corporation discovered that the user names, email addresses, phone numbers and – reportedly – credit card details of 77 million PlayStation Network and Qriocity users had been maliciously breached. The first breach was followed shortly after by a second breach of the personal details of its 24.6 million Sony Online Entertainment customers.
The breaches resulted in a 23-day closure of the PlayStation online network, and Sony has suffered significant financial loss, estimated at USD171m. This estimated cost does not include any lawsuits that Sony will have to defend as a result of class actions being filed against the Corporation by affected customers. The costs do, however, include the cost of notifying and assisting customers, IT forensic costs and system overhaul, as well as reputation management. The Sony brand and share price took a significant battering, dropping 55% in just four months as a result of the breach and the resulting negative publicity.
- Estimated financial loss: USD171m
- 55% drop in share value in the four months after the breach
- 23-day shutdown of the PlayStation online network
Data protection rules impact EU businesses
European Commissioner Viviane Reding has set out her proposals for a new directive and regulations on privacy. The rules would apply to any company handling EU citizens’ data inside or outside Europe.
The proposals include the following:
- A fine of up to 2% of global annual turnover if companies breach proposed EU data laws.
- A fine of up to 0.5% of global turnover for companies that charge a user for a data request.
- A fine of 1% of global turnover if a company refuses to hand over data or fails to correct wrong information.
- Administrative sanctions of up to €1 million for individuals.
- The right for users to be “forgotten” and their personal information deleted if there are no “legitimate grounds” for it to be kept.
- An obligation on organisations to report data breaches to the regulator “as soon as possible” – ideally within 24 hours.
- An obligation, where the breach is likely to have an adverse impact, to notify customers “without undue delay”.
- A right for individuals to take to court companies that fail to comply with the new directive.
- A requirement that organisations explicitly ask for permission to process data, rather than assume it.
- Companies with 250 or more employees will have to appoint a data protection officer.
- Companies handling EU personal data that do not have a presence in the EU will have to appoint an EU representative in a Member State where their customers live.
The proposed directive and accompanying regulations will result in harmonisation across Europe, simplifying the current patchwork of 27 different national laws. The rules will need to be approved by the EU's member states and ratified by the European Parliament before they can come into effect, a process which could take two or more years, during which time they may be subject to amendment.
Ms Reding stated that the regulations “will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.” The proposed directive is intended, she said, to safeguard privacy and reduce the administrative burden to businesses, leading to a reduction of around €2.3 billion each year in administrative costs.
Lockton believes, however, that compliance with the directive will undoubtedly drive up risk management efforts and their associated costs. In the US, where similar legislation has been in place for some time, the costs of dealing with a data privacy breach are around seven times higher than in Europe.
Key issues to be resolved
Although consumers have a right to ask for data to be deleted, the directive as it stands does not provide clarity on what constitutes personal data. Instead it defines it broadly as potentially including a name, a photograph, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. It remains to be seen how straightforward it will be for companies to comply with EU residents’ requests for personal data to be erased, including removing information from search engines.
Companies that use cloud-based data management systems are particularly at risk: cloud suppliers are often unable to clarify where particular data sets are held at any given time, and their terms and conditions often indemnify them against the majority of liabilities associated with data loss or a data breach from their system.
It is unclear what happens to companies that are unaware of a data breach and therefore unable to comply with the 24-hour notification rule.
What must companies do?
Companies will be required to carry out privacy impact assessments before processing any data that is likely to present specific risks to individuals, and to be transparent as to what data they hold and how it is used. The draft rules also require that joint data processors sign an agreement allocating responsibility between them, or agree to share the liability for all personal data processing.
Companies must ensure that, where consent to data processing is required, consent is “freely given, specific, informed and explicit”. The draft directive also allows individuals to withdraw their consent at any time. Because consent must be given in this way, a company can no longer assume consent from a consumer’s silence or inactivity.
Companies must be able to respond to EU residents’ requests to erase personal information, including public internet links to copies of personal data kept by social networks and search engines. Ms Reding specifically cited the example of an individual seeking removal of a photograph published on Facebook. In general, according to the draft directive, the right to be forgotten should be enforced when there are no legitimate grounds for the information to be kept.
Larger companies are required to appoint a data protection officer and to establish a presence in the EU where they do not already have one.
For more advice on the risks which the proposed new legislation represents for your business, or to find out more about insurance solutions, please contact us as follows:
Assistant Vice President
Global Technology and Privacy Practice
A Division of Lockton Companies LLP
Tel: +44 (0)20 7933 2711
[1] Norton Cybercrime Report 2011 – http://community.norton.com
[2] NetDiligence, Study of cyber and data breach insurance claims, June 2011 – http://www.netdiligence.com