As you will no doubt be aware, over the past few days there has been a worldwide cyber-attack which has included a cyber-attack on the NHS.
Justice Secretary Michael Matheson said more than 120 public bodies were being contacted to ensure their defences were adequate. He added that NHS systems were expected to be recovered by Monday and that patients with appointments should attend as planned.
The cyber-attackers used ransomware called WannaCry. The cyber-attack was caused by a simple email attachment, which when opened contained a virus. Anti-virus software often will not detect such a virus, because anti-virus vendors can only protect against a virus once they know about it. This means that between a new virus being released and anti-virus software being updated, businesses are exposed.
Security experts have warned that more attacks are imminent. In this blog, we consider your legal obligations in relation to cyber-attacks and what you can do as a business to help protect from future attacks.
Chris Baraniuk of the BBC has reported that nearly half (46%) of British businesses discovered at least one cyber security breach or attack in the past year, a government survey has indicated. That proportion rose to two-thirds among medium and large companies. Most often, these breaches involved fraudulent emails being sent to staff or security issues relating to viruses, spyware or malware. The government survey reported that a sizeable proportion of the businesses still did not have the basic protections in place.
Paragraph 7, Part I, Schedule 1, Data Protection Act 1998 (DPA 1998) states that organisations that process personal data must take “appropriate technical and organisational measures” to protect that data against unauthorised or unlawful processing and against accidental loss or destruction of or damage to personal data. A cyber-attack would be considered to be a data security breach covered by the Seventh Principle.
There is no definition of what constitutes “appropriate technical and organisational measures”, and there is no one-size-fits-all solution for any business. Businesses must, however, put security measures in place and assess their own risk of data security breaches.
At a very basic level, businesses should remind their employees to be vigilant when opening emails and attachments from unknown sources. Employees should be reminded to consider whether they know the sender and whether they were expecting the email and its attachments. Employees should also be reminded that, if in doubt, they should not open the email or its attachments and should instead forward them to their IT department for review.
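The two points above, that signature-based anti-virus only recognises samples the vendor has already seen and that staff should treat unexpected attachments with suspicion, can be turned into a simple automated attachment triage step at the mail gateway. The following Python is an added illustration written for this post, not code from the original article or from any named product; the hash list, the sample bytes and the blocked-extension policy are all constructed assumptions. It shows a hash-based signature check catching a known sample, missing a trivially altered copy of the same sample, and a content-independent filename policy quarantining the altered copy anyway.

```python
"""Attachment triage: signature lookup plus an extension policy (constructed example)."""
import hashlib

# Constructed stand-in for the hash list an anti-virus product ships.
# It only ever contains hashes of samples the vendor has already seen.
KNOWN_SAMPLE = b"MZ\x90\x00constructed-sample-not-real-malware"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Assumed business policy: these attachment types are quarantined on sight,
# whether or not any signature matches.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "jar", "wsf"}
MACRO_ENABLED = {"docm", "xlsm", "pptm"}


def signature_hit(data: bytes) -> bool:
    """Signature-style check: exact hash match against samples already known."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def policy_flags(filename: str) -> list:
    """Checks on the attachment name that do not depend on the file contents."""
    parts = filename.lower().split(".")
    flags = []
    if len(parts) < 2:
        return flags  # no extension at all: nothing for this policy to say
    ext = parts[-1]
    if ext in BLOCKED_EXTENSIONS:
        flags.append("blocked-extension")
    if ext in MACRO_ENABLED:
        flags.append("macro-enabled-document")
    # "invoice.pdf.exe": a document-looking name in front of an executable suffix.
    if len(parts) >= 3 and ext in BLOCKED_EXTENSIONS:
        flags.append("double-extension")
    return flags


def assess_attachment(filename: str, data: bytes) -> dict:
    """Combine both checks; quarantine if either one raises a concern."""
    hit = signature_hit(data)
    flags = policy_flags(filename)
    action = "quarantine" if (hit or flags) else "deliver"
    return {"filename": filename, "signature_hit": hit, "flags": flags, "action": action}


if __name__ == "__main__":
    # Known sample: the signature catches it.
    print(assess_attachment("invoice.pdf.exe", KNOWN_SAMPLE))
    # One appended byte: the signature now misses, but the policy still quarantines.
    print(assess_attachment("invoice.pdf.exe", KNOWN_SAMPLE + b"\x00"))
    # Ordinary document: delivered.
    print(assess_attachment("report.pdf", b"%PDF-1.4 constructed"))
```

The second call is the point of the example: the altered copy has a different hash, so the signature check returns False exactly as the post describes for a new virus, and only the extension policy (which does not care what the file contains) stops it. A policy like this is not a replacement for anti-virus, but it narrows the window of exposure between a new sample appearing and signatures being updated.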
Businesses should carry out risk assessments to look at how they can protect themselves against cyber-attacks. The National Cyber Security Centre has published a guidance note on how to protect your business.
Businesses should set up a cyber protection policy and appoint representatives on their boards and in management teams to manage risk from cyber-attacks.
Annelie Carver, Corporate and Software LawBrief.
For further information on your legal obligations surrounding data security, you can consult with Annelie or any other of our Technology specialists by submitting a legal enquiry here.