On the rise

In the last 12 months, 46% of businesses reported a cyber-attack, and 32% of those attacked happened more than once every week. Unfortunately, cyber criminals continue to attempt to obtain access to IT systems for financial gain. Reports show that approximately 16% of all attacks involved a ransom for the release of the system that has been unlawfully accessed. In most cases, a phishing email was sent and was the source of a third of incidents. The covid-19 pandemic has also had a large impact on the cyber security threats to businesses. As such, there has been an increase of phishing emails related to Covid-19, the cyber criminals using the fear of the pandemic and curiosity to gain access to IT systems.

Of course, there has also been a large increase in remote working and, with little notice or preparation time, businesses have had no choice but to rely on potentially unsecure networks and personal devices. Furthermore, IT teams have been overloaded by changes to the business infrastructure and operations, which in turn has affected their impact to respond to the identification of security issues. The key to preparing for a cyber-attack is not only having robust cyber security measures in place, but also having the resources to be prepared on how to act in the event of an attack.

Consequences

Where attacks to take place and the GDPR Regulations are enforced, business can face large fines following security incidents. This is large financial risk to businesses who are not prepared for cyber security attached. Between March 2019 and May 2020, there were 190 GDPR fines coming to a total of over 414 million Euros. Of these 190 fines, 30% were related to personal data breaches. However, the value of these fines equates to 77% of the total fine issued. It is therefore clear that personal data breaches are more severe in light of the GDPR and fines will be higher for security incidents involving personal data.

High-profile cases

In the UK, there has been major incidents such as the British Airways data breach, were cyber criminals directed over 500,000 customers to a fake website to collect their personal data. The Information Commissioners Office (ICO) found that a significant amount of customer personal data was compromised as a result of poor data security and, as a result, issued a notice of intention to fine British Airways £183.90 million. This fine, however, is yet to be finalised. The ICO’s approach sends a clear message to businesses in the UK and the enforcement of the GDPR, that personal data protection should be a priority. Whilst there is a financial risk to businesses through the implementation of regulatory fines from the ICO, there is also a further risk of litigation from those who have had their personal data exposed.

The most significant case in terms of data protection claims is the Court of Appeal’s decision in Lloyd v Google LLC, where the bar for bringing mass data protection claims was lowered and moved towards more of a strict liability approach. Essentially, this has opened the door to data protection claims regardless of whether the Claimants are distressed by the data breach. Furthermore, Claimants need not establish that there has been any financial loss to claim. However, the Supreme Court has permitted Google to appeal on three grounds, with that appeal due to be heard in April 2021. As it stands, recent case law has reduced the threshold for bringing a claim in the UK and more individuals are able to bring a claim. Furthermore, there has been an increase in litigation funding, and third party funders are increasingly offering funding where there is over 50% prospects of success.

Preparation is key

Overall, businesses are increasingly trying to prepare for cyber security attacks and, the ones that do prepare, will be best placed if an incident occurs and have the highest chance of mitigating or avoiding large fines from regulatory bodies, such as the ICO, and litigation. It is clear that best way businesses can protect themselves from cyber-attacks is through effective and proportionate training, but also regular and through IT system review and backups.