From deepfakes to GDPR, we offer our international experts' predictions on the opportunities and challenges that the cyber and data risk market may face in the coming year and beyond.
1. Artificial intelligence and deepfakes will be used by hackers to undermine cybersecurity
Artificial intelligence (AI) will usher in a new era of offensive cyber-attacks and defensive cyber security measures. Businesses are implementing AI as part of their cybersecurity defences to protect data and help thwart cyber threats. It is inevitable that attackers will look to the same technology to open new doors as quickly as they are closed. It may not be long, therefore, before AI cyber security becomes an arms race in itself. Deepfakes, the modification of images, video and audio recordings through AI so that they appear genuine, could pave the way for more personalised scams and frauds. Many cyber-attacks begin with a surprisingly convincing phishing email that fools individuals into disclosing credentials or authorising payments. If hackers are able to utilise the sophisticated technology behind deepfakes, it is conceivable that they could mimic human voice commands by telephone so they appear to come from a trusted source. Rapid advances in AI are also raising new technological possibilities, particularly in the field of cyber security. Those companies that have the resources to access this technology may fare best in this new arms race. Unfortunately, those organisations that do not risk becoming the new "low hanging fruit" for cyber attackers.
2. Big name IT providers may be the next hit for an ICO enforcement action
The GDPR introduces direct obligations on data processors (the party who processes personal data only on the instructions of the data controller). Fewer and fewer companies' operations fall under processor activity, due to the narrow definition applied by the Information Commissioner's Office (ICO) in the UK and increasingly sophisticated uses of data by service providers. Nevertheless, the new liability which attaches directly to data processors means that in certain circumstances they can be sued directly by data subjects and fined directly by the ICO for data breaches. With many IT providers having much deeper pockets than their clients, we consider it possible that we will see a big name IT provider at the forefront of an enforcement action very soon.
3. GDPR: further action for incorrect use of data
The Information Commissioner's Office (ICO) has already issued its first enforcement notice under the GDPR concerning a company's incorrect use of data (Aggregate IQ, a data analytics company closely linked with Cambridge Analytica). This was not a monetary penalty, but we predict that monetary penalties for non-security GDPR breaches will follow. In 2019, we have already seen the ICO's notice of intent to levy significant fines on Marriott Hotels and British Airways for their security breaches. Our prediction is that the ICO and other regulators across Europe will wish to flex their powers and impose monetary penalties for a full range of GDPR breaches, not just those associated with security.
4. An Irish Perspective: There will be an increase in multiparty actions under the GDPR
The Irish Government introduced a Public Services Card which the Data Protection Commissioner (DPC) considered was in breach of the GDPR. The DPC concluded that the manner of information collection and retention on millions of citizens was unlawful and is planning to launch enforcement against the relevant government department. A civil liberties group plans to submit a legal complaint on behalf of over 1000 people. This matter is significant and has raised awareness in Ireland of multiparty actions due to breaches of data protection rights. This would also set the stage for the opportunities under the proposed Representative Action Directive.
5. An Australian Perspective: Malware will target information, public sector, education, healthcare, banking and professional services industries
New strains of malware, such as the trojan malware Emotet, are evolving and continue to expose organisations holding sensitive information to cyber-attack. The recent strain of Emotet was so widespread it triggered an investigation by the Australian Cyber Security Centre. Malicious emails, often containing attachments with viruses, will remain one of the favoured channels of attack for hackers. As the malware can spread very quickly through an organisation's network, it's critical that businesses respond quickly to contain and fix the problem. They also need to quickly assess information security and potential privacy breaches, as well as communicate promptly with employees and other affected stakeholders.
6. Insurers will invest heavily in tech, disrupting existing actuarial, insurance distribution and claims management activities
Insurers will continue to embrace tech for all of the myriad advantages it offers. We will see increased reliance on blockchain-enabled smart contracts being used across insurance categories to improve customer access, transparency and data security. Customers will use smart devices to directly interact with insurers' software bots, disrupting existing distribution and claims management activities with a service that is responsive, accurate and less costly. Insurers will also use big data and sophisticated analytics to model risk, predict claims outcomes, inform pricing decisions and minimise fraud. This will lead them to rely on an individual's data and the comparative set, rather than actuarial modelling. For insurers, backing the right tech, securing investment funding and managing privacy risks will be the key issues.
7. New NZ privacy framework will just be the start of legislative reform
New Zealand organisations will finally follow the rest of the OECD and brace themselves for notifying and managing data breach losses with the country's Privacy Commissioner when the long-awaited legislative overhaul to its privacy framework commences on 1 March 2020. The overhaul contains a comprehensive suite of reforms, including modest fines but, more importantly, mandatory reporting. Cyber and statutory liability insurance claims notifications and costs will escalate to meet those obligations. Even before the new regime is rolled out, the NZ Government has alluded to the fact that the "right to data portability" and the "right to be forgotten" represent data privacy best practice and could be introduced in an update to the privacy regime in the coming years.