What is a Cyber Attack?
It is basically an attempt by hackers to damage or destroy a computer network.
Does it Constitute a Personal Data Breach under the GDPR?
Before we can answer this we first need to look at the definitions of ‘Personal Data’ and ‘Personal Data Breach’.
‘Personal Data’ means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
‘Personal Data Breach’ means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”
If hackers gain access to ‘personal data’ and that data is damaged or destroyed, this leads to ‘unlawful destruction, loss, alteration’ or ‘unauthorised access’, so as far as the GDPR is concerned it would constitute a ‘Personal Data Breach’.
Has the ICO imposed fines for Cyber Attacks?
Yahoo! UK Services Limited was fined £250,000 by the ICO following a cyber attack in November 2014.
The personal data of approximately 500 million international users of Yahoo!’s services was placed at risk. The company had failed to take ‘appropriate technical and organisational measures’ to protect the personal data of 515,121 customers against unauthorised access.
How can an organisation mitigate such Risks of Cyber Attacks?
As far as the GDPR is concerned organisations must incorporate security measures ‘appropriate to the risks’.
Encryption is an excellent means of protecting personal data against unauthorised access. It is considered the highest form of protection but unfortunately it does cost!
Which Organisations are more open to Cyber Attack?
Law firms are particularly exposed, because they retain a large volume of personal data and most of it is likely to be sensitive data.
In July 2017 the international law firm DLA Piper became a victim of the global ‘Petya’ ransomware attack. The firm still had IT problems 10 days after the attack. In March 2018 Duncan Lewis also became a victim of hacking.
How can Organisations protect themselves from Cyber Attacks?
- Educate staff about ‘malware’
- Ensure there are policies and procedures in place (GDPR)
- Limit access to your systems – not everyone needs to have access!
- Use encryption to protect personal data
- Use unique passwords and store them securely
- Consider employing two-factor authentication for access
- Make sure you have the most up-to-date anti-virus software and firewalls in place
- Protect your network – filter unauthorised, malicious content
- Apply security patches
- Carry out continuous penetration testing
- Establish an incident response and disaster recovery procedure
- Create a mobile working policy and ensure employees comply
- Create a bring-your-own-device policy for employees if company personal data is retained on their devices