2016 will, for a number of reasons, be a very significant year globally for cybersecurity and data breaches as the issues emerging in 2015 develop and the impact of major legal changes is felt. There are a number of trends emerging which, to some extent, compete, and companies will need to be alert and careful to ensure that they successfully navigate the privacy and security landscape in the different jurisdictions in which they operate.
The TalkTalk hack may, in due course, come to be known as the UK's 'Sony' moment, i.e. where fallout from a breach changes how boards view information security risk. The TalkTalk attack in October may have resulted in just under 157,000 customers having their personal data accessed (against the 4 million previously feared), but more than any other cybersecurity breach to date, it has raised awareness in the UK as to the nature, possible scale and potential implications of breaches, particularly the media storm and reputational harm that can follow.
TalkTalk was placed in a difficult position because they appear not to have been properly prepared for the breach. Going public when they had, in reality, extremely limited information about the breadth and depth of the breach meant that they had to deal with large numbers of irate customers, very extensive adverse publicity on the front page of most national newspapers, and detailed editorials examining what they should or shouldn't have done for days afterwards. It is too early to tell whether TalkTalk's customer churn rate will increase as a result of the breach (as this is TalkTalk's third breach this year, we would be surprised if it didn't), but we do know that TalkTalk has estimated the total cost of the breach to be £30-35 million. This puts the issue firmly on the radar of the board of any company, and those boards must be asking the business whether the company is ready and able to deal with a breach of this scale.
Other significant and high profile data breaches this year have included Carbanak, the billion-dollar bank cyberheist, which is among the most sophisticated cyberattacks reported to date. Hackers infiltrated many banks' networks to a staggering extent over a long period of time, enabling, by some estimates, over a billion dollars to be stolen. While some of this money will doubtless be recovered, this attack is a good example of the patience and ingenuity of attackers. After gaining access via phishing attacks, the attackers installed altered versions of remote access tools which are 'whitelisted' by most banks. They then sat and waited, observing how the banks operated and learning the banks' systems and controls so that they could exfiltrate money on an ongoing basis over time (and indeed, if some reports are accurate, create new electronic money in accounts which was then removed). We expect to see this level of sophistication becoming more common in 2016.
In another striking cyberattack in July this year, hackers stole data from online infidelity site, Ashley Madison. Details of more than 33 million accounts were stolen from the website and leaked online. Among the many reported fallouts from this leak was the resignation of the CEO, along with allegations of widespread use of 'bots' and creation of false accounts to exaggerate drastically the number of female members. Ashley Madison made much of the importance of security and anonymity given the nature of the site but the breach served as a timely reminder that very little is private online.
There is little reason to believe that the pace of significant data breaches will slow in 2016. Awareness is increasing all the time as to the risk such cyberattacks pose. However, the level of sophistication of some breaches and success to date of hackers (often using unsophisticated attacks, as appears to have been the case in TalkTalk) means it is hard to believe there will not be more similar attacks. In this context, organisations have no choice but to prepare themselves technically, legally and with internal and external communications. While there are improvements in some sectors (particularly financial services), it is clear that most businesses are still struggling to understand the risks that they face and to take appropriate steps to be able to respond if they do suffer a breach. We expect that there will be at least one more incident similar to TalkTalk in the UK in 2016.
An example of the increasing risks, and of the complexity of the issue that boards are struggling to understand, is the Internet of Things. For all its potential benefits to business, which are clearly very substantial, it also serves to increase markedly the number of entry points to a network, and therefore exposure to cyberattacks. Many IoT devices have not been designed with security in mind, and companies need to be aware of the risks that these devices pose.
NISD and the General Data Protection Regulation
The Network and Information Security Directive (otherwise known as the Cyber Security Directive or NISD) is likely to be agreed by the European Commission, Parliament and Council in the coming weeks. Member States will have eighteen months to transpose it into national legislation. The key features are that Member States will have to adopt a Network and Information Security (NIS) strategy and designate a national NIS competent authority to prevent, handle and respond to NIS risks and incidents. Public administrations and market operators will need to adopt risk management practices for the security of their networks and information systems and report major security incidents affecting their core services. EU-wide fines were originally proposed, but will now be determined by Member States, other than for breaches of personal data, where they will have to be consistent with the General Data Protection Regulation (GDPR). NISD will impact on a range of organisations, including e-commerce platforms, social networks, cloud computing services, app stores, search engines and energy suppliers, although there may be different standards for different types of organisation.
As we've discussed at length, the GDPR is in its final stage of negotiation and, of course, we wait to see what its approach to data breaches will be. A contentious issue in the original Commission draft was the stringent breach reporting provisions. The original proposals say data controllers need to report all data breaches to the relevant DPA "without undue delay and, where feasible, not later than 24 hours of becoming aware of it". In addition, they would have to inform data subjects "without undue delay" unless the relevant DPA was satisfied that the data was sufficiently protected from being accessed by an unauthorised user, for example, by encryption. Data processors would be subject to the still more onerous requirement to report breaches to their data controller "immediately". There are a few glaring issues with these proposals. The first is that there is no exemption for breaches of a minor nature; the second is that the reporting times are incredibly restrictive; and the third is that there is no required time limit within which a DPA needs to say whether or not data subjects need to be informed of the breach.
The Parliament's draft takes a slightly less onerous approach, removing the 24 hour requirement and allowing processors to report "without undue delay". There is also provision for providing information to the DPA in stages if necessary.
The Council's draft takes a more pragmatic, risk-based approach by making time limits more flexible and introducing a stipulation requiring that only breaches "likely to result in a high risk for the rights and freedoms of individuals such as discrimination, identity theft or fraud, financial loss [breach of pseudonymity], damage to reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage" be reported. In addition, data subjects do not need to be informed if the data controller has implemented appropriate technological and organisational protection measures in relation to the data, such as encryption, or where the controller has taken subsequent measures to ensure that the high risk to data subjects is no longer likely to materialise.
It is to be hoped that the Council's draft will prevail here. It is still not perfect, as it doesn't place any requirements on (what will be overburdened) regulators to respond to data controllers, but it is certainly preferable to the versions which have gone before it, as it significantly reduces the potential costs. That being said, whatever happens, there will be costs to businesses associated with the new requirements.
The Draft Investigatory Powers Bill
The Draft Investigatory Powers Bill (DIP) was published on 4 November 2015. It requires communications companies to store records of customers' phone and internet use for 12 months. This Bill would, therefore, permit the bulk collection of phone records, in contrast to the USA Freedom Act. The House of Commons agreed a resolution that a Joint Select Committee should be appointed to consider and report on the Bill. It is expected to report by 11 February 2016. For more information, read our article on the draft Investigatory Powers Bill.
Security of exported data
One of the big talking points of 2015 was the controversial decision of the Court of Justice of the European Union (CJEU) which essentially found the Safe Harbor scheme to be invalid (see our article for more). Talks on Safe Harbor 2.0 started in January 2014. As recently recognised by EU Justice Commissioner Jourová, the Schrems decision has reiterated the need for these negotiations to be progressed and finalised with some degree of urgency. Jourová expects this to happen by the end of January 2016, which is undoubtedly ambitious.
The US has already committed to stronger oversight by the Department of Commerce and stronger cooperation between European Data Protection Authorities and the FTC, which will change the system from a self-regulating one. Other developments in the US this year include the USA Freedom Act. It has ended the bulk collection of telephone data that was introduced by the Patriot Act post-9/11 and was one of the main subjects of the Snowden revelations. However, the bulk collection of internet and social media data is still permitted, and it is not clear how the immunity provisions of the Cybersecurity Information Sharing Act, recently passed by the Senate, will impact on Safe Harbor 2.0.
Attitudes of other countries to data security
A further interesting development in the last year has been for certain states, such as Russia, to pass laws requiring companies to hold data on citizens of that state on servers geographically located within its borders. It remains to be seen what long-term impact this will have, but there is a clear trend towards governments in some jurisdictions deciding that data about their own citizens should be hosted within the jurisdiction, where it is easier to access that data.
In Europe, the Schrems decision has also seen a number of data centre and cloud hosting providers deciding to open data centres physically located within the EU, to enable clients to host data relating to EU citizens within the EU. Having seen a trend for years towards globalisation of cloud services, legal changes over the past year may well reverse that trend in some areas, and we expect the trend towards data localisation in Europe, driven by legal issues relating to data security, to continue in 2016.
China appears to be taking a path of requiring vendors to install backdoors in technologies sold to Chinese banks, to hand over source code and to submit to audits. This is under the guise of increasing cybersecurity in Chinese industries. In addition, a draft law (which has not been passed yet) proposes that companies must store all data relating to Chinese users on servers in China. China's approach to cybersecurity will no doubt develop further in 2016, but the current direction of travel indicates that Western businesses will be considering carefully how to comply with any new legislation and, in some cases, whether it is worth continuing to do business in the jurisdiction.
Interestingly however, the Trans-Pacific Partnership, agreed in 2015, takes a different approach, and Article 14.13 requires that no member country shall require companies to use or locate computing facilities in that [member country's] territory as a condition for conducting business in that territory.