Following investigation by the Information Commissioner’s Office (ICO) of last year’s British Airways data breach, where credit card details, travel bookings and logins for customers were accessed, the airline has recently been fined a massive £183 million. BA has 28 days to appeal the ruling which is the largest issued so far by the ICO.
A similar case of stolen records from the Marriott hotel group has resulted in a fine of £100 million subject to appeal by the company.
This shows how seriously the ICO is taking the new GDPR regulations and the enforcement of fines against companies that have not demonstrated their commitment to data security. In British Airways’ case, “poor security arrangements” at the company were cited by the ICO.
Businesses of all sizes must be prepared
Your business may not be in the same league as BA or some of the other giants that have been caught out and suddenly find themselves in the headlines for the wrong reasons. However, the fines are levied as a percentage of turnover. Could your organisation survive a fine of this size?
Copied from: https://eugdpr.org/the-regulation
“Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.”
The following podcast is from Reuters and Barclays bank and discusses some of the fines mentioned above and ways to reduce exposure to cybercrime.
One of the points to come out of the above interview with Paul Henley is that organisations should take matters into their own hands by analysing attacks, managing the process and having a programme in place to fix any vulnerabilities that are identified.
ISO 27001 will provide a management framework to manage and fix vulnerabilities
ISO 27001 is one of a range of internationally recognised ISO standards, such as ISO 9001, that organisations can implement to make themselves more efficient, productive and robust.
Gaining certification to ISO 27001 will provide a management system to help protect your organisation from a cyberattack and a variety of other risks such as natural disasters, mismanagement, human error and corrupted or stolen data.
Risk assessment and risk management are a fundamental part of the assessment process to gain certification. This will entail an expert from within or outside your organisation identifying where vulnerabilities in your network exist and implementing controls, policies and procedures to minimise the risk of a breach.
Another point made in the above interview by Paul Henley was that he would have liked “someone to come up with a whole list of things to consider”. Your ISO 27001 consultant will have been selected for their experience and knowledge of working with other organisations in your industry sector and will be able to implement best practice using the latest information available.
A large proportion of cyberattacks are down to human error, which is very difficult to eliminate completely. A management system will help to reduce the likelihood of an attack succeeding and provide a recovery process should the worst happen, by implementing:
- Risk assessment and management
- Employee training
- System monitoring
- Access control
- Regular reviews
- Continuous improvement
This will demonstrate your commitment to minimising risk and limit your exposure to regulatory fines or adverse publicity that could be catastrophic to your organisation.