What is the CCPA ?

CCPA

The California California Consumer Privacy Act (CCPA ) is a new consumer protection law which comes in effect from 1st January 2020 and is yet another sign that data protection is now taken very seriously. This follows closely in the steps of the General Data Protection Regulations ( GDPR) which were launch in May 2018.

Who does this apply to ?

  • This law is applicable in the state of California where organisations carry our business that involves collecting and processing the personal information of individuals.
  • Where an organisation has gross revenues of over $25,000,000
  • If an organisation buys / sells at least 50,000 consumers personal records for commercial gain
  • If an organisation earns more than 50% of their revenue from the selling of a consumers personal records.

If all any of this criteria is met then the CCPA will be applicable and the business will have to adhere to these regulations.

What are the consequences of non- compliance?

Should this be the case it is possible that the business could face the following penalties :-

  • Civil Penalty up to $7,500 for each intentional violation and $2,500 for other violations
  • In addition to this  the victims of a data breach may obtain $100 to $750 per consumer, per incident.

The importance of how a business manages its data is therefore of the utmost importance in order that these regulations are complied with and to avoid any penalties that stem from a breach of these regulations.

Some guidelines to the management of data 

  • Ensure that all employees are updated with this legislation and carry out training as applicable.
  • Ensure that all processes and procedures are aligned to comply with the new legislation and if not introduce new ones to cater for this.
  • Carry out a review of cyber security within the organisation and implement upgrades and improvements where necessary in order to mitigate a possible data breach.
  • Where necessary bring into line privacy notices and policies on websites and other public facing forums.

The protection of data is becoming a core value within businesses as in the event of a data breach the costs to manage this and the impact on their reputation can be severe.

Image : Shutterstock

Hackers don’t go on holiday over Christmas…..

Christmas

Hackers don’t go on holiday over Christmas and consequently everyone needs to be more vigilant than usual during this busy time of year were individuals and businesses can be preoccupied.

The theft of data is is very much on the mind of hackers over the Christmas period as this considered to be a prime time where many transactions are undertaken on-line with bank and credit cards in particularly being targeted.

One of most common methods utilized is via Phishing  which can  occur as follows:-

1.Individuals can be tricked into sharing sensitive data by using a website that is not what it seems

2.Clicking on a dubious website link

3.Responding to an e-mail from a bogus sender.

Risk Management within a business and good cyber hygiene are key to preventing the loss of data and should be practiced at all times irrespective of the time of year.

Some examples of this is as follows:-

Ensure that the latest software patches are installed

Make sure passwords are strong and that they are not replicated by individuals  and consider the use of a password manager.

Apply two factor authentiification as this provides and extra layer of protection 

Outside of Work individuals should practice the following:-

Individuals should practice similar cyber hygiene and carry out the following :-

Be care when entering your debit or credit pin into a machine whether at a shop or withdrawing cash.

If you some reason you do not feel that things feel right do not go through with a transaction of your computer and check the legitimacy of a website.

Ensure that the website you are in is the actual website and not one that pretends to be the website.

Do not click on links from Facebook or other social media sites unless you know who they are from.

Ensure that your Wi-Fi is secure and password protected with your own password

Look to change the default passwords on new toys or devices that are connected to the internet to help avoid hackers accessing these.

The Human Factor plays a fundamental role in managing cyber risks http://cyberbrokers.co.uk/human-factor-cyber-risk/

Whether at work or at home the unpredictable factor of humans may well determine how safe or secure you are and is recognized as a major driver for cyber related losses.

The underlying message is that hackers are all around us and that we must have our wits about us as all times.

Is Our Data Safer Under GDPR?

GDPR

Now that GDPR is in force will this make our data safer…..

The volumes of data running through businesses in the UK is difficult to visualise and practically impossible to safeguard so will GDPR actually make any difference to our data being better protected? The chances are that it will be but the same inherent threats will still exist.

So what are these threats ?

1.Businesses that have not yet complied with GDPR

In the the run up to GDPR a number of reports indicated that many business were behind in achieving the required standards expected there is therefore a danger that firms are still very much behind the curve in meeting the GDPR standards.

2.Inability to restore data

In the event of a compromise of personal data it will be important that a businesses can restore data by having the appropriate back-ups in place if this is not possible this will impact on their business confidence and reputation.

3.Internal espionage

Rogue employees or a disgruntled member of staff might wish to cause disruption or make a point on a company wide issue. Morrisons were recently involved in a court case and found vicariously liable for the acts of an employee who gained access to the personal details of employees and released this into the public domain.

http://www.hrmagazine.co.uk/article-details/the-morrisons-data-breach-and-gdpr-compliance

4. Heightened cyber security threats 

It is conceivable that there will a visible increase in cyber attacks on businesses as hackers will target firms for their data and exploiting vulnerabilities. Such threats as ransomware or a DDos attack where a hacker could hold a business to ransom by threatening to steal or disseminate data.

http://cyberbrokers.co.uk/will-ransomware-attacks-increase-under-gdpr/

5. Poor cyber risk management

A data controller with poor cyber risk management would be a prime target for a hacker. Basic cyber hygiene is vital with minimum standards of Cyber Essentials and preferably ISO27001 advanced cyber security processes in place.

6. The absence of an incident response plan

If a businesses is hit by a data breach it will need to react quickly to this, an incident response will assist with this . Business continuity and disaster recovery plans should also be in place so that the business can continue to operate.

Cyber Insurance can help….

This specialist form of insurance can provide valuable coverage in the event of a data breach and help mange the impact of this.

The main elements of coverage provided to protect data are as follows:-

  • Privacy Liability
  • Data notification costs
  • Regulatory costs and expenses
  • 24/7 Incident response services

There is no doubt that data will still be at risk with threats to its security emerging as technology and the incentives to use data for ill means increases.

Image : Shutterstock

Hackers Raise Cyber Risk Awareness in 2017

Mergers and Acquisitions

Hackers raise Cyber Risk awareness in 2017….. this is the one upside where Hackers have again grabbed the headlines with many high profile cyber attacks taking place resulting in cyber crime and data breaches. These are proving to shape the world of cyberspace and how cyber risk will be managed in the future.

What have been the high profile cyber security breaches this year ? 

Ransomware feature highly as the main attack vector utilized by hackers and proved to be the most effective in terms of impact and the disruption that was caused to businesses.

WannaCry

This was one of the main strains of ransomware that hit over 150 businesses throughout the world in May this year. This compromised the NHS and car manufacturing plants  such as Nissan  and Renault in the UK and the global corporations of  Telefonica and FedEX.

Not-Petya

This was the second significant ransomware attack within the space of two months and should have heighten businesses concerns that cyber risk was now a boardroom issue after the WannaCry attack.  Not-Petya took place in late June again reaching out to hit high profile global corporations that included Merck, WPP and AP Moller-Maersk having longer lasting consequences on their trading ability and reputations.

Equifax

The US credit reporting agency revealed in September that they suffered a data breach which compromised the accounts of 143 million US customers, it is believed that a certain percentage of these were also UK citizens.

Uber

It was announced by Uber last month that they were hit by a data breach which affected 57 million users by an attack that occurred 12 months earlier. A ransom of $100,000 was also paid to the hackers.

Morrisons

Whilst this breach was not new it does have potential far reaching consequences for the directors of a business. It was found by the High Court that those affected by a data breach which was caused by an employee, were allowed to claim compensation for the ” upset and distress” caused.

What happened in the UK ?

Whilst hackers infiltrated many businesses worldwide, in the UK we also saw businesses and organisations being hit demonstrating that cyber attacks are closer to home that many people may believe, here are a few examples :-

Sports Direct revealed in February that they had been hit by a data breach where a hacker had gained access to their 30,000 employees personal details which included names , addresses and e-mail details.

Wonga announced in April that 245,000 of its customers in the UK had been affected by a data breach, personal details this time included bank account details.

RingGo, the parking payment app was subject to a data breach in April whereby 2,000 customers were affected

Hotpoint UK had their website compromised in May when malware was discovered on their computer system luckily no data was taken on this ocassion.

Cardiff City Centre suffered the embarassment of their computer system being compromised in August with a Swastika being posted on a shopping billboard.

The Scottish Parliament suffered a brute force attack in August where hackers targeted the e-mail accounts of MP’s in an attempt to obtain passwords

Lessons to be learned …..

Cyber crime and data breaches will not go away and will continue to be a prominent threat to busineesss

This is a major issue for businesses so much that it is now on boardroom agendas

Cyber risk needs to be managed at all levels of a business

Cyber attacks can happen to any business , SME’s are faced with the same vulnerabilties as larger organzations

Cyber risk needs to be embedded into a business’s risk management procedures and processes.

Inadequate cyber risk management will impact of the reputation of a business.

2018 will be a testing time for many business sectors with the volatility of the economy, unstable governments and Brexit to name a few but cyber risk should also sit alongside these challenges as the impact of failure to address this is likely to be just as influential.

Image : Shutterstock

A Defining Year for Cyber Risk

Cyber Security Threats

2016 has been a defining year for cyber risk….

There have been many events that have contributed towards shaping cyber risk this year however there are a number of stand out “Influencers” that have impacted on businesses during the year and will continue to do so in the future.

This has raised the awareness of cyber risk in the UK and within the business community as a whole.

Such “Influencers” that have had a bearing on cyber risk are the following :-

1.The Threats

Ransomware 

Ransomware is a form of malicious software that a hacker uses to encrypt the hardware of a computer, the hacker then extorts money normally in the form of bitcoins in exchange for the decryption code.

This form of cyber attack is now the most common in the UK with 54% of SME’s experiencing a ransomware attack. Surprisingly this is higher than in the US which is at 47%.

The impact is loss of income as a result of paying the ransom, loss of files, time spent by the business on remediation, downtime and the possible loss of life.

There is no sign of abatement of this form of cyber attack.

Phishing

Phishing is recognized as a method utilized by hackers to gain access to personal or business details in order too commit a crime. This is normally an act of fraud or used to cause disruption to a computer system. It can involve the sending of a bogus invoice sent by e-mail requesting the payment of money to hackers bank account.

The UK is one of the most targeted countries for phishing scams.

https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf

Internet of Things     

The Internet of Things is the internet working of “connected devices”, “smart devices” including buildings via embedded electronics, software or sensors. These then enables these objects to collect and exchange data.

When these devices are infiltrated by a hacker the potential to cause disruption is enormous. The treats are two fold which can result in  denial of service attacks or the compromising of security leading to a breach of privacy.

This year saw a cyber attack on Dyn through the malware strain Mirai which targets vulnerable Internet of Things devices. The botnet used in this attack was possible via a compromised digital video recorder.

These forms of attacks are only likely to increase in the future as “connected devices” do not have adequate security protection in place to prevent such attacks.

2.The Breaches

Yahoo

Yahoo announced in the space of a couple of months two major breaches of their user accounts . One occurred in 2014 and consisted of the theft of half a billion of their user accounts , the other in 2013 thought to believed to be nearer a billion. Both attacks are believed to be state sponsored.

These are two of the largest ever recorded compromises of personal information. It demonstrates that attacks of this nature are getting larger and that high profile companies are still a principal target for hackers.

Banks

Banks were hit hard by a number of cyber attacks this year ……. the list is a long one…..Bangladesh Central Bank where USD850M was stolen, Swift attacks on  banks in the Phillipines and Vietnam and the Banco del Austro, attacks also took place in the Ukraine and a number of US and Canadian banks.

In the UK , Tesco bank , HSBC and NatWest were all subject to cyber attacks but with limited losses to the banks.

Cyber attacks on financial institutions have increased dramatically over the past twelve months and good cyber risk management should be a key consideration for this sector.

SME’s and Public Sector are now a focus for Hackers

This year saw SME’s being the subject of increased cyber attacks and demonstrating that they too have a real cyber risk which cannot be ignored. Ransomware attacks were seen at businesses such as hairdressing salons to florists.

Local authorities and hospital were also targeted, the unluckiest county was probably Lincolnshire…… with the county council being hit by a ransomware attack and various hospitals in Grimsby, Scunthorpe and Goole where their computer network was compromised.

3.The Regulation

The Information Commissioners Office (ICO)

The ICO showed it’s teeth and fined TalkTalk GBP400,000 for various security failings following the cyber attack that took place last year.

It is likely that we will see the ICO exercise these powers more and more in the run up to the General Data Protection Regulations when they come into effect in 2018.

General Data Protection Regulations

These were finally adopted in April this year and will come into force on 25th May 2018

The clock is “ticking” and all business will need to assess what data they have, where it is stored and how they mange it, irrespective as to whether they are a data processor or data controller.

The fines for a breach are 4% of gross annual turnover so non-compliance is not an option.

Privacy Shield

The Privacy Shield is now “live” coming into force on the 1st August replacing the Safe Harbour. There have already been some challenges to this notably by Germany and its current framework maybe subject to change in the coming year.

What Else ….. ?

The Panama Papers, Brexit, Trump, the development of cyber insurance….. the list is endless.

This year has without doubt been a defining year for cyber risk….. 2017 will further shape the exposures and the vulnerabilities that businesses face from cyber risk.

 

Image : Shutterstock

Cyber Liability – The Internet of Things

Cyber Liability - The Internet of Things

The “Internet of Things” is the product of the increasing connectivity of corporate computing infrastructures, industrial machinery and electronic consumer devices.

This provides new cyber threats to businesses which will need to be managed through a combination of robust cyber security measures and cyber liability insurance.

The phase, the “Internet of Things” is associated with devices that are capable of communicating via the internet through programmed commands or by “learning “patterns of behaviour and activity so as to recognize common occurrences  in our daily lives and communicating with other devices accordingly

With more devices and people being connected to the internet in the coming years, this will produce a global impact with the estimated market for the “Internet of Things”thought to be $66 billion between now and 2019.

From a business and consumer perspective this has many advantages , whether it be controlling an industrial process remotely to switching on your central heating whilst you are on the way home on a train, it does however come with very real cyber related threats.

The main threat bought by the “Internet of Things” is the vulnerability of the loss of data and the compromising of personal information as devices will have access to such information about a business or individual . This scenario makes it a prime target for a security breach from a targeted hacker attack.

Examples of recent attacks this year :-

  • Hacking attack of a German steel mill where hackers gained control of a smelting furnace and caused it to over heat resulting in damage to the furnace and interruption to the business.
  • Hackers took remote control of cars steering , braking and acceleration
  • Baby monitors being hacked allowing third parties to control the monitors

This year Lloyd’s of London commissioned a report where a hypothetical attack was carried on the  electricity grid of the Eastern US. It was calculated that the loss could equate to $2 trillion which would not all be covered by insurance.

A cyber liability insurance policy will provide coverage for both third party and first party losses. This encompasses a businesses third party liability and first party exposures resulting from a data security breach , the response and associated investigation costs . It can also respond to business interruption loss  and damage to a businesses computer systems and it’s data. The policy however is unlikely to respond to all first party damage and claims involving bodily injury . It will therefore be necessary for other insurance policies to be reviewed by your insurance broker to ensure that an any gaps in coverage are appropriately addressed.