Companies, prepare for cybersecurity war
19 December 2018
On 30 November 2018, a major hotel company announced that its guest reservation database had been compromised over a period of four years, potentially exposing the personal information of about 500 million hotel guests, including names, passport numbers, credit card numbers, phone numbers, and addresses. Before that, in October 2018, we had learned that 500,000 Google Plus accounts had been involuntarily disclosed to external app developers over a period of three years - an event which led Google to shut down its social network. And a week before that, it was revealed that over 29 million Facebook accounts had been hacked, exposing sensitive data in over half of the cases.
No one, not even hotel and tech giants, is immune to security failures.
Not only did these breaches make the headlines, they have also drawn the attention of data protection authorities in Europe, keen to assert their roles as protectors of citizens' privacy rights by investigating companies' data security and using their sanctioning powers. Indeed:
- on the day the hotel company revealed that it had fallen victim to a hack, the UK Data Protection Authority ("ICO") announced that it would start making enquiries about it;
- a few days after the revelation of the Facebook hack, the Irish Data Protection Authority commenced an investigation to make sure that Facebook complied with its security obligations under the General Data Protection Regulation ("GDPR");
- following the Google Plus incident, Google was requested by the Hamburg Data Protection Authority to answer questions and justify its data security practices;
- in the last few months, the French Data Protection Authority ("CNIL") sanctioned several private- and public-sector organisations for insufficient security and imposed its highest fine to date. In most cases, sanctions were issued after the CNIL found, via online investigations, that companies' websites lacked basic security: anybody could access customers' personal data merely by changing the URL of the website. In June, the CNIL announced that in the event of a data breach, its investigation could concern not only the breach in question but also the general level of security of the data processing.
The Heathrow Airport case perfectly illustrates this recent enforcement trend, in which authorities use security breaches as opportunities to conduct extensive internal investigations. The facts which triggered the Heathrow Airport investigation also show how a seemingly "small" act of negligence can snowball into a reputational and legal crisis: a passer-by found a Heathrow Airport employee's USB memory stick in a London street, and the stick contained employees' personal data that was freely accessible. After being informed of the facts by a newspaper, the ICO commenced an investigation into Heathrow Airport's security practices. The ICO discovered, among other things, that only 2% of the company's 6,500 employees had received data protection training. The investigation resulted in a £120,000 fine for insufficient security measures (e.g. the files on the USB stick were neither encrypted nor password protected). The fine could have been significantly higher (€10 million or 2% of the undertaking's annual turnover) had the breach occurred after 25 May 2018, the date on which the GDPR became applicable.
Contrary to common belief, in principle it is not the security breach per se that is punishable under the GDPR, but the absence or inadequacy of the security measures implemented by the company to prevent it. The European legislator has adopted a pragmatic approach that takes into account the fact that all companies, even the most prepared ones, will be victims of a breach at some point in their existence. The GDPR invites companies to adopt the same realistic approach, i.e. rather than aiming for an illusory invulnerability, deploying measures that are proportionate to each potential risk ("do not use a steam hammer to crack a nut, if a nutcracker would do"). Thus, to obtain peace – i.e. data protected from collection to deletion, and documented security measures that satisfy authorities – companies must prepare for "war". This requires acting methodically:
- first, plan: visualize where risks can come from in your organization (i.e. both internal risks, for instance a negligent employee, and external risks, such as hackers hired by a competitor), and for each of these risks, adopt the corresponding physical and digital measures;
- second, test your security measures, to check whether they really work in practice, and remediate weaknesses (e.g. "data breach war games" can serve to test the staff's capacity to do what is required in a realistic breach situation);
- finally, once security measures tailored to the risks have been implemented, make sure they are deployed from one end of the "data supply chain" to the other (i.e. that anyone with whom your organisation shares data, for instance service providers, adopts your security standards).
As cybersecurity threats are clearly on the rise, preserving the security of personal data is becoming an everyday fight. As the President of the ICO put it last April: "defending [individuals'] information from attack is your battle – it must be one you are prepared to fight".