Reports that an extramarital dating site has been hacked recently may have given its customers more than the usual worry that accompanies news of cyber-crime.
And whilst the true picture for the internet daters continues to unfold, Ashley Madison’s problems are a reflection of a fast-growing area of crime, as more and more criminals exploit the speed, convenience and anonymity of the internet. The Metropolitan Police has recently announced it is boosting the size of its team to tackle cyber-crime and the Government has issued guidance for companies, in a bid to stem the range of criminal activities that know no borders, either physical or virtual.
For companies, cyber-criminals may attack the functioning of computer hardware and software, try to commit financial crimes, such as online fraud or penetrating online financial services, or go ‘phishing’ for confidential information. For company directors, the advice is to ensure the topic is at the top of the boardroom agenda.
Companies have to meet the requirements of the Data Protection Act and the Communications Act in the UK, and the draft EU Data Protection Regulation and the proposed EU Cybersecurity Directive are also on the way. There are also requirements under the Companies Act 2006, which place a duty on directors to keep themselves informed on relevant issues. Directors may be held to be negligent if they do not take appropriate professional or expert advice to tackle any identified threats.
The key components for business are to undertake a risk analysis, develop a cyber-security programme, set in place the right policies and take appropriate technological measures.
“Every business must ask itself what value there is in information they hold electronically, for example, it may be intellectual property, customer information or client funds. Then they need to consider where the risk lies; as well as outside criminals, the risk could come from current or previous employees or competitors,” explained legal expert Mario Savvides of Grant Saw Solicitors.
“The response to that review should include a clear cyber-security strategy, with policies in place and staff well informed, backed up by a regular review and updating of technological practices.”
IT system reviews would range from how networks are monitored for attack and what firewalls and malware detection software are in place, through to how internal and external users are controlled and how access may be segregated or restricted.
“It can come down to the most simple things, such as who holds the passwords and making sure staff don’t open spam mail,” added Mario. “Thorough education of staff, with regular updates, is essential. As well as demonstrating that the company takes the matter seriously, staff are often in the front line, and if they are well informed of the risks, and encouraged to take responsibility, they can be more effective gatekeepers.”
http://www.nationalcrimeagency.gov.uk/crime-threats/cyber-crime
http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime
https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility/10-steps-summary#steps-to-cyber-security-at-a-glance
http://ec.europa.eu/justice/data-protection/
EU 1995 Data Protection Directive (95/46/EC)
This is not legal advice; it is intended to provide information of general interest about current legal issues.