Cyber criminals are “making hay while the sun shines” during the pandemic, but regulators promise to be more understanding. What does that mean in practice?
An uncertain economic situation, financial volatility and a workforce working from home all make for a cyber criminal’s dream come true. The number of threats is growing and vulnerabilities are widening. Keeping data secure is more difficult than ever, and this may raise a number of compliance and regulatory issues for firms.
Home and mobile working
Most companies have dramatically upped their work from home provisions and they have done so with relatively little warning. Most professional people are almost as well connected at home as they are in the workplace. Broadband speeds are fast and people’s personal computers are generally high spec.
However, home networks will usually not be as secure as a company’s. By moving staff home, you will have increased the number of endpoints connecting to your central system, which is like making lots of holes in the walls of a building. Even the most secure operation can become compromised.
In March, the UK’s National Fraud and Cyber Crime Reporting Centre reported that coronavirus-related frauds rose by 400% that month. This was said to be linked to the increase in home working. It has issued fresh guidance about the steps firms should take before moving to a work from home model.
Despite these challenges, the Information Commissioner’s Office has confirmed that firms will continue to face the same reporting obligations as always under GDPR. Privacy rights remain ‘paramount’, according to the watchdog, which means breach notification rules still apply.
However, the regulator has said they will allow for flexibility given the unprecedented situation we now find ourselves in.
In a statement, the UK’s Information Commissioner, Elizabeth Denham said:
“We see organisations facing staff and capacity shortages. We see the public bodies facing severe frontline pressures. And we see the many businesses facing acute financial pressures. Against this backdrop, it is right that we must adjust our regulatory approach.”
What this means in practice is that the regulator will be more understanding when considering action. It says it understands the operational challenges confronting companies, including staff shortages, reduced operational capacity and financial constraints. It says it will use this understanding to foster an ‘empathetic and pragmatic approach’ throughout the pandemic, including in how enforcement powers are exercised and what technical advice it takes.
So what does this mean in practice?
Although the ICO is being more flexible, data protection is still vital, which means the rules around breach notification still apply. Any organisation which suffers a breach will still have to report it to the ICO within 72 hours of discovering it. Even so, the ICO has ceased all audits, and if the problem is caused as a result of the pandemic, it will take this into account. The commissioner appears wary of being seen to chase healthcare organisations while they are trying to save lives.
Any organisation which processes data will still have to pay its annual fee to the ICO, but the ICO will not prosecute any organisation failing to do so if it can provide evidence that it cannot pay due to the fallout from the pandemic.
Last but not least, any fines issued are likely to be lower, for all breaches. The ICO says it takes affordability into account before issuing any fine. Given the impact on companies’ finances, therefore, that is likely to mean any fine issued will be much lower than before the coronavirus outbreak.
Most importantly, this is no get-out-of-jail-free card. The ICO is being more flexible and it will be more understanding, but a company must still meet its obligations to safeguard data and report breaches. Failure to do so will still result in a fine.
More importantly, failure to take adequate measures will have much wider reaching consequences than just the wrath of the regulators. The ICO may be more understanding, but there’s no guarantee customers will be.
The move to a home working situation also makes your systems and the personal data of your customers more vulnerable. The reputational and financial impact of a hack will be just as high as always.