With the upcoming bank holiday festivities nearly upon us, many of us are starting to count down the days until the celebrations – and, yes, the time off work – to mark The Queen’s Platinum Jubilee. Some will choose to celebrate this historic milestone with family, friends, and neighbours, whilst others might want to go off-grid and find space to relax and recuperate. However, cyber criminals may be celebrating over the long bank holiday weekend for a different reason.
Why are long weekends targeted?
The issue is of course not limited to Her Majesty’s Jubilee. Looking across the pond, the FBI and CISA (the Cybersecurity and Infrastructure Security Agency) were moved to put out a joint statement ahead of Labor Day last September, warning of the risk of ransomware attacks. They were not acting on specific threat intelligence: rather, on the statistical pattern showing public holidays to be peak hacking periods.
Many of our own clients can attest to weekends lost to battling denial-of-service attacks; and, for cyber criminals, the longer the weekend the better.
As many businesses, schools, and charities across the country start to wind down this week, hackers will be finalising plans to disrupt the critical networks that so many organisations are reliant upon. Most organisations will be operating at a significantly reduced headcount over the four-day Jubilee weekend, with key personnel harder to reach. This is a common scenario which opportunistic hackers will seek to exploit in the hope of encountering minimal resistance.
Slow response times over long weekends are a threat to both business continuity and legal compliance. First, and most importantly, a sluggish reaction could lose vital hours in the battle to contain and mitigate the issue, risking greater systems penetration and exfiltration of data. Then, if senior management are not available to give swift and decisive instructions, there is the added headache of missing the statutory deadline to notify the breach to the regulator. It can be a struggle against the clock as it is to make a meaningful and satisfactory report to the UK ICO within 72 hours of detecting the breach (as will usually be required by UK GDPR in cases like this). That is before you consider whether you have to notify affected individuals.
Given this perfect storm of increased risk and weakened responses, organisations of all sizes will need a plan to pre-empt such attacks – and mitigate the regulatory and reputational consequences.
Hostile Data Breaches: a quick reminder
Given how frequently the topic is covered in bulletins and news reports, many of us are at risk of fatigue in being warned about cyber security doom scenarios. But the reality is that they are commonplace, and – while not always avoidable – they tend to follow familiar patterns.
Organisations vary in their sophistication, and to some extent in their reliance on IT systems, but none are completely safe from cyber attacks: some of these are carefully targeted, while others are scattergun and stumble across vulnerable systems more or less at random. Charities and schools are as much at risk as businesses. Of particular concern is the upward trend in ransomware attacks (often accompanied by a “DDoS”, or distributed denial of service, attack).
Ransomware is a type of malware which locks users out of their device, system or account by encrypting their files, which the cyber criminals will then demand a ransom to decrypt. Recent reports suggest that ransomware breaches have increased by 13 per cent this last year, which represents an increase greater than the past five years combined.
Although the above should rightfully raise alarms, precautionary measures can be taken before the long bank holiday to help organisations manage the risks associated with a hostile data attack and ensure compliance with data protection law.
- Give your current cyber security measures a health-check. Although the UK GDPR does not explicitly prescribe the data security measures organisations must have in place, it confirms that data controllers and processors must have “appropriate” security in place to prevent the personal data they hold from being accidentally or deliberately compromised. This includes implementing appropriate technical and organisational measures to minimise the risk of unauthorised loss or access. This is not simply a question of the latest or most expensive software: it can be as basic as who has access to what, internally, at your organisation. Segmented data storage and need-to-know access protocols make it less likely that a single entry-point will lead to total systems penetration.
Such measures can depend in part on the costs of implementation, the nature, scope, context and volume of the personal data held and the risks a data breach presents to an organisation. However, given the increased accessibility of many standard forms of data security (at a relatively low cost), such as password protection, multi-factor authentication, and data encryption, organisations should do more than the bare minimum to ensure compliance, even if they are constrained by a relatively limited budget. Your investment in security and staff training will not make you immune to attack, but it should hamper and slow down hackers and – when the dust has settled – give you a softer landing with the regulator.
- Check your legacy systems. Many studies suggest older, unsupported legacy systems are the number one cause – other than human error – of data breach vulnerability. Such vulnerabilities might arise where your organisation has acquired another business or department and not adequately “patched” the systems, or is migrating data from one place to another, or has failed to completely phase out old applications.
Adding to the issue is the fact that unsupported, “phased out” applications are less likely to be maintained or monitored (and may be harder for your current IT support to detect or fix). It may be that the threat is already sitting there on your older systems, dormant, waiting for the right opportunity. Big name breaches like Equifax in the US and TalkTalk here in the UK are some of the most salutary examples, but of course smaller and less well-resourced organisations are vulnerable to these errors too. And if you’re not sure where to start with this question, ask your IT people who might!
- Understand your suppliers – and your contracts with them. Very often, it will not be “your” organisation that will be the target of the attack. It will be the household-name supplier or platform you use. Shopify, WisePay and Blackbaud are all recent examples of commonly-used platforms in the retail, education and charities sectors respectively.
Organisations will need to check their third-party supplier (“data processor”) contracts to understand each party’s data breach obligations. This includes important commercial questions of liability caps and levels of cyber insurance cover; but there are also points of practical effect. By way of example, some third-party processors will attempt to limit their notification obligations so that they are only required to notify businesses of a data breach within a “reasonable time” (the UK GDPR states without undue delay). Some contracts do commit processors to a particular timeframe; however, this is often purposefully vague and inadequately defined.
Some may argue a reasonable time would be measured in hours, whilst others may argue weeks (or even months, as occurred with Blackbaud). It is important to understand these notification requirements and avoid open-ended reporting obligations if possible. If you, as a controller (end client), are not in fact notified by your contractor within 72 hours, that will not strictly place you in breach of UK GDPR – but it can cause substantial reputational damage with those affected customers, contacts or supporters you need to notify weeks or months down the line.
- Get cyber insurance cover in place. This can cover your own digital assets and data, or those of third parties or customers; it can cover losses and possible litigation arising from breaches (e.g. individual data subject claims); and it can make provision for expert or forensic IT support, in the event of the worst happening. You will need to determine what cover is most suitable for your needs, but there is a wide range of policies now on the market. Remember also to include notifying your insurers within the breach response plan, and at the right stage, so the action you take does not risk invalidating your cover.
- Have a plan. Organisations should adopt a response plan which expressly addresses what should happen in the event of a data breach over a holiday period. For example, suitably senior members of staff should remain on standby to respond to any data breach over a reduced head-count period. This should include an individual with an appropriate level of IT expertise and a senior member of staff with formal decision-making authority. Having these individuals on standby will allow businesses to address data breaches swiftly and restore business functionality as soon as possible.
It will also put a business in good standing to comply with the mandatory reporting requirements outlined in the UK GDPR.
The ICO has published useful guidance which can help a business plan, prepare and respond to a personal data breach.
The Jubilee celebrations mark a momentous occasion and the long weekend is there to be enjoyed. However, you may be better placed to sit back and relax knowing you have made diligent enquiries and put in place a response plan for data breaches. It might just save your bank holiday, or even your business.
If you require further information about anything covered in this briefing, please contact Owen O'Rorke in the Information Law team, Thomas Rudkin in the Reputation Management team or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, May 2022