This new age of privacy laws will not be kind to those who fail to comply. Organisations that mess up will no longer face just reputational damage: their negligence, or lack of safeguards to protect their customers' data, will come at a financial cost. The Information Commissioner's Office (ICO) has a range of corrective powers and sanctions, including the ability to impose fines of up to €20 million, or 4% of annual global turnover.
From a hacker's perspective, arguably very little changes – criminals have traditionally shown disregard for the law. Beyond the onus for compliance being placed solely on organisations, there is a fear that GDPR's threat of fines will create new opportunities for hackers to exploit. Now that criminals know how much the data is worth, it creates an environment that almost favours them, especially if the ransom costs less than the fine.
Ransomware is an obvious tool of choice for cyber criminals. It is malware that 'locks down', or encrypts, a user's or an entire business's files, meaning users can no longer access them. The fact that organisations will have a 72-hour deadline to inform the ICO after detecting a breach also plays into the attacker's hands, as ransomware demands need a deadline too.
The Uber hack is a very useful case study to demonstrate how hackers could operate under GDPR. The ride-sharing company is reported to have paid hackers $100,000 to delete the personal data of 57 million customers and drivers that had been stolen from it. Furthermore, Uber stayed quiet about it.
However, as Uber learned the hard way, this is not the sensible route, as it could create a ripple effect: the more businesses that pay up, the more other attackers will be spurred on.
The year 2016 was dubbed the 'year of the ransomware', whilst 2017 was simply the 'year of the cyber attack' thanks to events like WannaCry, Petya and Bad Rabbit. Will the 2018 landscape be defined by cyber attacks complemented by GDPR? If so, companies are going to have to think about how they are going to address it.
When it comes to breaches, the ICO requires businesses to prove that they put adequate measures in place to prevent a breach. Thanks to the proliferation of zero-day attacks, whereby hackers exploit previously unknown vulnerabilities, there is still the possibility that a business will be successfully breached. But by having a robust cyber security strategy in place, businesses shouldn't get punished.