Source: Insurance Business Magazine
They may not have the buzz around them that ransomware attacks do, but accidental data breaches remain a major cause of loss for companies, and with the General Data Protection Regulation (GDPR) coming, businesses need to shape up.
“Hacking, and ransomware in particular, has been getting a lot of airtime recently. But a large proportion of the incidents we deal with involve non-malicious activity,” Raf Sanchez, international breach response service manager at Beazley, told Insurance Business.
A recent report from the insurer found that while instances of hacking and ransomware continued on an upward trajectory during the first half of 2017, remaining the leading cause of breaches, accidental breaches came in a close second.
“Unintended disclosure or accidental breaches can be physical – so literally leaving a pile of reports on a train – or they can be virtual – either by errors like sending an email to the wrong person, or attaching a document that you didn’t mean to attach,” Sanchez explained. “There’s a huge range of ways in which data can be leaked from an organisation and attract either penalties or regulatory sanctions.”
But despite the high risk of an organisation experiencing an accidental breach, far more attention is paid to the more headline-grabbing subject of hacking, particularly as well-known companies continue to be targeted.
“Unintended disclosure is not the sexy thing that people like to post about in terms of technology vendors and things, but it’s a massive issue because you’ve got more and more people using their own devices,” Sanchez commented. From BYOD – ‘bring your own device into the office’ – to the erosion of the traditional firewall and the rise of people working remotely, “there’s just a lot more data floating around and a lot more possibility for it to go astray,” he said.
And with the GDPR set to come in next year, many businesses need to take note.
“The game changer in Europe and the UK is the GDPR, which does include mandatory notification for all types of data breach, including unintended disclosures or accidental data breaches. So that really does change the environment. Now it’s going to be a matter of public record,” Sanchez explained. “Really, at the end of the day, that’s what people are worried about. Yes, there is the reputational issue if an accidental breach gets into the public eye, but what most organisations are really worried about is having to report such a loss, and having regulatory scrutiny over their activities.”
Smaller organisations that may have previously thought that data protection laws were not aimed at businesses of their size may be in for a shock, according to Sanchez.
“If you look at the enforcement actions the UK regulator has taken, a lot of it has been at the SME level, with £50,000 to £100,000 fines. They’re not actively targeting very large enterprises; they frankly are finding that it’s the smaller end that have not taken these legal obligations seriously.”
So how can businesses prepare for what Sanchez admits is a “high-level” piece of legislation?
“Obviously insurance is one element, because cyber insurance policies, like Beazley’s Breach Response Services, that do a service element can provide some element of training… But the regulators and the law are really looking at a holistic approach. They’re looking for a mature, enterprise-wide, senior-level programme of work that will demonstrate that an organisation has actually taken on board the obligations in the GDPR.”