In late August 2017, Website Builder Expert (“WBE”) released a report which revealed the findings of research it conducted into cybercrime vulnerability within the European Union. WBE is a leading online resource that provides detailed and independent advice to small businesses wishing to establish an online presence. The report concluded that Malta is the most vulnerable country within the EU to cybercrime attacks; it has a remarkably high percentage of exposed internet connections and is the least prepared EU country for cyberattacks.

What activities does Cybercrime encompass?

Under Maltese and EU legislation, cybercrime comprises of criminal acts that are carried out online by individuals or groups using electronic communications networks and information systems. The Maltese Criminal Code, Chapter 9 of the Laws of Malta, states that the following actions are unlawful:

  • The unlawful use of a computer or other device or equipment to access any data;
  • The unauthorised outputting of any data or software in any manner whatsoever;
  • Unlawfully copying data or software to any storage medium where the data is not already held;
  • Unauthorised activities that hinder access to any data;
  • Unlawful disclosure of data or passwords; and,
  • The misuse of hardware.

Types of Businesses exposed to Cyberattacks

Any type of business involved in E-commerce is at risk of being attacked. Some examples of businesses include those involved in mobile commerce, supply chain management, electronic funds transfer, online transaction processing, Internet marketing, electronic data interchange, inventory management systems, and automated data collection systems.

Implications of a Cyberattack on a Business

The findings of the WBE report stress the importance of being well prepared in case of a cyberattack. Although the report states that Malta does not experience as many cyberattacks as its European counter-parts, the absence of preventative measures could harm businesses in the long-run. Some of the implications that may arise include a damaged reputation, loss of revenue, reduced financial performance, loss of productivity, loss of trust, and in certain instances, such as personal data breaches, enforcement by the authorities. According to the European Commission’s Special Eurobarometer report on Cybersecurity (published in 2015), users in Malta are most likely to visit websites that they already know and trust. This indicates that users based in Malta place a lot of trust in the websites and online services that they use, so upholding an untainted online reputation is a must. Furthermore, the Eurobarometer report also found that Maltese respondents are one of the most likely to purchase goods and services online. Users trust businesses with their important financial details and if these details are not protected, the implications have the potential to be particularly damaging to Maltese businesses.

Moreover, the General Data Protection Regulation (“GDPR”), which comes into effect in May 2018, imposes certain obligations of data protection and data handling onto data controllers and data processors. If these obligations are not met, the GDPR imposes heavy-handed sanctions on both controllers and processors when their systems are breached.

What to do if your Business has experience a Cyberattack

From a legal standpoint, should your system suffer a breach, there are certain procedures which need to be followed.

Under the Electronic Communications Networks and Services (General) Regulations, Chapter 399.28 of the Laws of Malta, where there is a significant risk of breach or an actual breach of security of the services or network, the provider must notify the Malta Communications Authority (“MCA”) without undue delay. In certain instances, the providers must also inform any users of the network or service. If deemed appropriate, the MCA will then inform regulatory authorities in other Member States and the European Union Agency for Network and Information Security (“ENISA”).

Similarly, the Malta Financial Services Authority (“MFSA”) encourages financial institutions to immediately report any security breaches to the MFSA, the Maltese Central Bank and in the event of a personal data breach, the Information and Data Protection Commissioner (“IDPC”).

Furthermore, the Malta Gaming Authority (“MGA”) encourages operators in the remote gaming sector to report any breaches or attacks on their systems. The report should be submitted no later than 24 hours following the incident and must be prepared in the form of a prescribed incident report form.

With the applicability of the GDPR in May 2018, all persons or entities considered to be data controllers, have an obligation to notify the IDPC of any personal data breaches suffered without undue delay and, where feasible, not later than 72 hours after having become aware of it. In certain high risk instances, the controller may also need to communicate the personal data breach to the data subjects. Following the enforcement of this Regulation, the obligation to report to the IDPC will no longer remain sector specific but will apply to all entities and persons processing personal data.

The WBE report can be found here -

The EU Cybersecurity Special Eurobarometer Report on Cybersecurity can be found here -