This bulletin highlights how important data privacy, information security and cyber security are to protecting your intellectual property and safeguarding the data of your employees, clients and supply chain. It discusses and evidences risks and provides tips on how to protect your organisation, so you are encouraged to share it throughout your organisation.
Volume 24 contains:
- Data Privacy
  - Data processing supply chain risk
  - The dangers of mobile phone applications for children – a loophole in privacy law
- Business Continuity, Cyber Security, and Information Security
  - Is it time to revisit the Business Continuity Plan?
  - As data breaches become a battleground for class action litigation, should companies consider taking a risk-based approach to cyber security?
Data processing supply chain risk
Modern business processes rely heavily on outsourcing and cloud services, and your suppliers’ processes in turn rely on the same, creating a data processing supply chain.
Whenever an organisation relies on another for the storage, manipulation, or destruction of data, or where we provide them access to data we are already handling, we introduce a new layer of risk that needs to be properly understood and ideally reduced both in likelihood and severity.
As we onboard new products and suppliers, it is important to consider information security and data protection compliance risks as early as possible, remembering that we remain responsible for the fallout if something goes wrong, and that contractual indemnities will not patch up a damaged reputation or strained client relationships.
Most of the recent cyber-attacks that our firm has advised on were suffered because of gaps and risks in the supply chain. A charity suffered CEO fraud because of an intrusion into the O365 (Office 365) environment of its outsourced HR company. Another large charity suffered a data breach caused by a breach in the software of a third-party financial company; even though the latter is governed by strict Financial Conduct Authority regulations, its cyber security framework was not up to scratch.
- Know before you go – bake supplier due diligence into the procurement process so that information security and privacy practices inform decisions about who you do business with.
- Perform a vendor risk assessment (VRA) for an honest look at the risks you might be introducing, including a questionnaire for the proposed supplier to complete.
- Cheap is not always cheerful – remember that where personal data is concerned, UK and EU law requires organisations to select processors that offer sufficient guarantees of security for the personal data they will be entrusted with, and that might eliminate the low-budget option.
- Consider the location and ownership of the supplier: will you have to make international transfers of personal data? As well as the risk of data entering another jurisdiction with less protection for you and your data subjects, there may be additional compliance requirements to meet.
- Look at who else is involved in the supply chain – does that change the risk profile? Perhaps you have tried to avoid international transfers but find that the sub-processors are still located overseas.
Finally, remember that you can apply the same thought process when reviewing existing relationships as you would with new ones, and do not be afraid to ask suppliers for more information so that you can demonstrate you have taken all reasonable steps to reduce risk in the data processing supply chain.
The dangers of mobile phone applications for children – a loophole in privacy law to track kids’ phones
In the last Hacks & Tips Bulletin we discussed the risks of BYOD or personal devices in the workplace. This month we will divert away from the workplace to discuss the dangers that mobile applications can pose to our families.
The technology columnist of the Washington Post, Geoffrey Fowler, posits that by the time a child is 13 years old, online advertising companies have collected 72 MILLION data points about that child.
He states that “the 1998 Children’s Online Privacy Protection Act stipulates that a company has to have actual knowledge that a child is using the app or website in order for certain privacy protections to kick in. But many companies get around the law, simply by claiming that they don’t know who their users are. Fowler advocates for closing this loophole, and for creating new laws that allow companies to collect only the data they need — and nothing more”
Applications notoriously guilty of this practice are TikTok and Instagram.
Fowler argues that it would be best if parents could configure an iPhone or Android phone for their child to send out a signal to all applications saying, ‘this device is used by a minor and therefore not to collect data unless parental permission has been acquired.’
Unfortunately, the current ‘do not track’ setting, which restricts the IDFA (the device advertising identifier), does not stop applications from using the other data held on the phone to identify users.
The full interview with Fowler is available via this link: www.wfae.org/science-technology/2022-06-16/users-beware-apps-are-using-a-loophole-in-privacy-law-to-track-kids-phones
There is plenty of advice regarding applications that are not safe for minors; this list, Top 10 Most Dangerous Apps for Kids, Parents Can’t Miss 2022, is almost comprehensive.
This article reveals how TikTok infringes data privacy laws, trust and transparency and breaches our personal data. Among many data protection infringements, the app tracks who watched videos, and fingerprinting (biometric data) is used to identify visitors.
Top tips to reduce the risks:
- Educate – talk to your children about the dangers these applications can pose; examples include catfishing, sexual harassment, stalking and sexual predators.
- Use parental controls on the child’s devices to prevent downloads and to stop certain applications from being downloaded and / or installed, but explain why you are doing this.
- Discuss and research apps before using them, and examine their data privacy and security features.
CYBER AND INFORMATION SECURITY
Is it time to revisit the Business Continuity Plan?
Current events – the war in Ukraine, the global energy crisis, food security concerns, cyber-attacks, and the risks related to extreme weather occurrences (flood, fire, volcanoes, earthquakes, tornadoes, hurricanes etc.) – are a reminder that, as the ISO organisation states, what is certain is that nothing is certain; in other words, change is a given.
The Oxford English Dictionary defines “risk,” as “a situation involving exposure to danger.”
Let us start with two basic questions.
Question 1: What is business risk management?
Risk management helps organisations increase the likelihood of achieving their objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. What does this mean? To understand the business objectives, one must understand the associated risks that could create hurdles to achieving that outcome. Once these risks are identified, they are scored against probability versus impact, and treatment plans are then created against the inherent risk.
Risk, therefore, is a deviation (change) from the expected. To quote the ISO organisation: “This involves not only threats to the strength or viability of the organization, but also opportunities to be gained. Reputation, political changes, and climate change impacts are examples of what needs to be considered when managing risk effectively.”
Managing risks successfully can have positive results, and companies need to take risks to achieve their objectives. Organisations quite naturally need a degree of certainty before taking important strategic decisions, and it is essential to understand that risk is really about the likely impact of uncertainty on those decisions. In summary, risk is about managing decisions in a complex, volatile and ambiguous world, one that is fast becoming even more complex and ambiguous.
There are two essential documents organisations may wish to use to measure risk:
- A SWOT Analysis
- A Risk Register
There are several risk management frameworks including ISO 31000 & ISO 31010, and ORX.
Question 2: What is business continuity planning?
Business Continuity Planning is the process of creating a prevention and recovery plan to respond to potential risks, thereby enabling an organisation to recover as quickly as possible and to maintain as much business as usual as possible.
A critical goal of a robust Business Continuity Plan (BCP) is to keep business operating as usual while disaster recovery is executed.
The following steps should be taken when formulating a BCP:
- Step 1: Conduct a gap / business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
- Step 2: Take the recommendations of the gap analysis / impact analysis and implement them via a series of control documents (policies and procedures).
- Step 3: Implement a bi-annual or annual maintenance plan, broken down into:
  - Review and confirmation of the BCP controls, staff awareness, and the specific training required for the Incident Response Team.
  - Testing and verification of the technical solutions established for recovery operations, for example the testing of generators and of the IT backup and recovery plan.
  - Testing and verification of the organisation’s recovery procedures.
Common threats include:
Endemic / pandemic, Earthquake, Fire, Flood, Cyber-attack, Sabotage (insider or external threat), Hurricane or another major storm, Power outage, Water outage (supply interruption, contamination), Telecoms outage, IT outage, Terrorism / Piracy, War / civil disorder, Theft (insider or external threat, vital information, or material), Random failure of mission-critical systems, Single point dependency, Supplier failure, Data corruption, and Misconfiguration.
The World Economic Forum (WEF) Global Risks Report provides analysis of the top risks affecting the world.
This report was published in January 2022, prior to the war in Ukraine; that geopolitical tension already fell within its top five risks indicates that the report has a level of accuracy.
Every organisation has a unique set of risks according to its sector, location, statutory and regulatory requirements, workforce, and operations.
As data breaches become a battleground for class action litigation, should companies consider taking a risk-based approach to cyber security?
Cyber-attacks impacted 39% of UK businesses in 2022 (the DCMS Cyber Security Breaches Survey 2022). Based on this statistic, if we take the number of private businesses in the UK at the start of 2020, 6 million, the number of businesses that could be impacted by a cyber-attack in 2022/23 is approximately 2,340,000. If many of these claim on their cyber security insurance policies, it is understandable why cyber insurance premiums have risen.
Data breaches take place almost daily, which makes legal action against businesses and organisations a common reaction. Furthermore, individuals’ awareness of their rights in relation to personal data is increasing, spurred by TV adverts and digital banners across the web and social media pages. Media headlines will also play a crucial part in the surge in class action lawsuits, as the media will inform individuals about how they should act. This exposes many companies to data protection lawsuits in addition to the fines already imposed by the supervisory authorities.
The security of personal data is key to the success of a business, and it carries a high financial and reputational risk should a data breach occur, especially considering that a lucrative market for claims companies already exists and that legal firms have found a new revenue stream in individuals whose data has been breached.
In late 2020 we already witnessed the impact of the data breach compensation culture with the Blackbaud breach (see Blackbaud University Data Breach Claims for Compensation, simpsonmillar.co.uk).
The following table, last updated in May 2022, details a range of data breach cases and the amount of compensation awarded to the claimant.
| Case | Nature of the breach | Compensation awarded |
|---|---|---|
| Archer v Williams EWHC 1670 (QB) | Disclosure of medical information | £2,500 |
| Campbell v MGN Ltd UKHL 22 | Publication of articles/photographs disclosing private information | £2,500 plus aggravated damages of £1,000 |
| Applause Store Productions Limited v Raphael EWHC 1781 | False defamatory profile and group on Facebook | £2,000 plus award for libel totalling £20,000 |
| Mosley v News Group Newspapers Ltd EWHC 1777 | Publication of private information relating to sexual practices | £60,000 |
| Cooper v Turrell EWHC 3269 (QB) | Misuse of private information | Claimant 1: £30,000; Claimant 2: £50,000 |
| Sean Robert Grinyer v Plymouth Hospital NHS Trust; 28th October 2011 | Unauthorised access of medical records by nurse | £12,500 |
| AAA v Associated Newspapers Ltd EWHC 2103 (QB) | Publication of photographs | £15,000 |
| Weller v Associated Newspapers Ltd EWHC 1163 (QB) | Publication of photographs without consent | £10,000 |
| Gulati and others v MGN Ltd EWHC 1482 (Ch) | Phone hacking | £72,500 – £260,250 |
| Brown v Commissioner of Police of the Metropolis and Chief Constable of Greater Manchester Police EWCA Civ 646 | Unauthorised processing of flight details in the lead-up to a disciplinary | £9,000 |
| TLT and others v Secretary of State for the Home Department and Home Office EWHC (QB) | Publication of confidential personal information of around 1,600 applicants for asylum or leave to remain | £2,500 – £12,500 |
| Wooley & Wooley v Nahid Akbar Or Akram SC Edin 7 | CCTV surveillance carried out by a neighbour | £17,268 |
| Ali & Anor v Channel 5 Broadcasting Ltd EWCA Civ 677 | Disclosure of private information in television show | £10,000 per claimant |
| Alexander Aristides Reid v Katie Price EWHC 594 (QB) | Disclosure of sexual preferences and lying about retaining personal information | £25,000 |
| Aven and others v Orbis Business Intelligence Ltd EWHC 1812 (QB) | Inaccurate processing of the allegation regarding “illicit cash” | £18,000 per claimant |
Advice from the Legal Profession:
- Having data protection compliance (a strong data protection framework) is important but not enough, because in their view it can become a box-ticking compliance exercise.
- Implement a risk-based approach to cyber security, where investments and efforts are defined through a cost / benefit exercise, thereby protecting critical information in line with the business impact – financial, regulatory and compliance – of a loss of confidentiality, integrity or availability of consumer data. Alvarez & Marsal believe this approach will help identify individual risks and assign a level of criticality to each asset, so that a clear strategy for preventing and responding to attacks can be developed and resources prioritised accordingly.
- Apply a cyber security framework to manage the technical defence: the minimum standard is Cyber Essentials, and Cyber Essentials Plus provides a hardened approach to securing endpoints.
- Embedding cyber security into general business risk management practice is the way forward for companies looking to rise to the challenge of improving their cyber defences and insulating themselves from class action claims.
- A cyber security culture requires a People (awareness), Process (robust policies and procedures) and Technology approach. There are further frameworks to support this, for example IASME Governance, ISO 27001, the NCSC 10 Steps to Cyber Security, SOC 2, the NIST Cyber Security Framework, CIS v7 Critical Top 20, and COBIT.
If you would like any help with Business Continuity, Data Privacy, Cyber or Information Security, or need help with Incident Response and Forensics, please contact us.
If you wish to opt out of receiving this bulletin, please unsubscribe by placing the word ‘unsubscribe’ in the subject header.
Moore ClearComm is an accredited Cyber Essentials provider, supporting SOC 2, ISO 27001, IASME Governance and PCI DSS.