WannaCry, Cyber Security and Data Protection

By now we are all familiar with the aptly-named WannaCry computer virus and the extensive chaos it has brought. Not only have hospitals and other healthcare providers suffered with cancelled operations and GP appointments, victims include telecoms operators, car assembly factories, university labs and public transport systems in over 150 countries.

What makes this attack interesting from a data protection perspective is that it underscores the need for organisations and businesses to keep their IT operating systems current and updated.

Back in March this year Microsoft announced that their operating systems were susceptible to a vulnerability, and offered a “patch” (think plaster over a cut except this is for computer programs) to cure the problem.

If an organisation updated itself in accordance with the software manufacturer’s instructions, the vulnerability would have been remedied and no damage would have been suffered.

On the other hand if an organisation did not update its systems and was hacked, this is likely to be a determining factor when establishing whether data protection obligations have been breached, especially when the vulnerability was announced and a readily available patch issued.

In addition we now know that some organisations, including over 40 NHS Trusts, continue to run on out-dated operating systems – crucially these are no longer supported or updated by Microsoft and no patch was available.

Questions will be asked why hospitals (which process sensitive data) are using unsupported and out of date operating systems which leave them particularly vulnerable to viruses.

The UK’s Information Commissioner Office which oversees data protection compliance in the UK has been quick to issue a statement making it clear that an open mind is being kept as to what steps it may take once the dust settles if breaches of data protection are found.

No doubt tough questions are going to be asked all round and if you are a data controller you will need the right answers.

One of the main obligations under data protection legislation is that personal data must be processed securely. However there is no “one size fits all” solution and no organisation can be 100% safe from cyber attack. If the Pentagon has in the past been hacked by a teenager in his bedroom, then it is safe to say that the potential exists for most, if not all, organisations.

What is important from a data protection perspective is to be able to demonstrate that the organisation has taken reasonable organisational and technological steps to safeguard its personal data taking into account:

  • the nature of the data they process;
  • the harm which might result from accidental or unlawful loss, destruction, disclosure or access to it; and
  •  the state of available technology and the cost of implementing it

It is important to understand that the Cyber Security measures expected will be different for each data controller, depending on the type of data they process – the more sensitive the data, the higher the threshold. As technology evolves, so too will the security requirements. Protection measures which were good 6 months ago, may no longer be good in 6 months time. Cyber Security is therefore a constantly moving target.

One of the lessons of the WannaCry outbreak is that it will reinforce the need for IT departments to keep on top of developments, react accordingly and keep their operating systems current, with appropriate safeguards in place including the use of continuous back up systems.

Make no mistake data protection is now serious business with offending organisations being fined substantial amounts of money.

Sony were fined £250,000 when their Playstation Network Platform was hacked in 2011 and telecoms operator TalkTalk £400,000 in 2013 for a similar hack.  Google Spain have also been fined an eye watering total of €900,000 for a number of privacy breaches.

If you think that’s bad, think again as fines are being taken up to a whole new level when the European General Data Protection Regulation (GDPR) comes into force in May 2018.

Under the GDPR fines for serious breaches will be increased to a jaw-popping maximum of €20m or 4% of a group’s turnover (whichever is the highest). Increased compensatory rights for individuals who suffer damage are also being introduced, meaning that organisations should not discount the increased prospect of also having to deal with third party actions where non compliance causes damage to individuals.

As Microsoft said in the aftermath of the outbreak, “WannaCry is a wake-up call”.

Organisations and businesses who fail to keep abreast of organisational, technological and legal developments will quickly find themselves at the wrong end of an investigation, with the possibility of hefty fines being imposed and having to defend third party compensation claims.

Michael Nahon is a Partner at Hassans International Law firm, and specialises in Data Privacy. He regularly advises multinational corporations as well as the local gaming and banking sectors on their Gibraltar data protection obligations. Michael also conducts data protection audits to assist clients in understanding their data protection obligations and develop means by which to ensure compliance. He is a contributing author to DLA’s Data Protection Laws of the World Handbook, PDP Journals and DataGuidance.