
August 2014 update
Cyber-attacks remain a regular feature of news headlines. This month, reports circulated that Russian hackers have allegedly carried out the world's biggest ever data theft, amassing 4.5 billion user credentials.
The hack was identified by the US security firm Hold Security and, if true, would be the largest publicised breach in history.
The hackers allegedly used a botnet (a network of malware-infected computers under the control of a single criminal operator), using the infected machines to probe the websites their owners visited for weaknesses. The hackers did not have specific targets; rather, they attacked every vulnerable site that the infected systems visited.
The names of the companies affected have not yet been released, but it is alleged that 420,000 vulnerable websites were exploited, including some household names. Of the 4.5 billion stolen records, an estimated 1.2 billion are unique. A report from one insurer this week estimated that the attack could cost more than £1.4 billion.
Hacking attacks of this nature may involve multiple network intrusions over a sustained period of time, each resulting in a separate theft and data breach. These in turn may give rise to multiple first party losses and costs, third party claims and regulatory investigations. In light of the potentially huge exposures, cyber insurers would be wise to check their insuring clauses and aggregation wordings.
This incident should prompt insurers to review how their cyber policy limits and deductibles are applied. Are there aggregate limits, or do the limits and deductibles apply on an any one loss basis? Where there is provision for aggregation, does it apply to a series of "events", to "occurrences", or to losses arising from the same "originating cause"? These factors will have a significant impact on insurers' overall exposure. Where cover has been placed in layers, the position adopted on aggregation can generate tensions between the different insurers, who may require independent advice.
Whether or not this Russian hack is genuine, it is another reminder that cyber security should remain a top priority for all companies, as hackers adopt larger-scale and more sophisticated tactics to harvest massive quantities of user credentials for financial gain. Companies should ensure that the security they have in place is proportionate to the volume and sensitivity of the data they hold and, very importantly, should have a plan in place to deal with a breach. Increasingly, companies should be preparing for when, not "if", a breach occurs.
For DAC Beachcroft cyber updates, please follow us at @legallnutt and @hillegal1970
For DAC Beachcroft privacy updates, please follow us at @DACBprivacy
UK Developments
§ European Commission issues communication on data driven economy
§ Enforced subject access request to become criminal offence
§ UK Government announces emergency legislation allowing the retention of telecommunications data
§ Law Commission publishes guidance on data sharing between public bodies
§ ICO releases annual report for 2013/14
§ Legal analysis is not personal data
§ House of Lords sub-committee publishes dissenting opinion on the 'right to be forgotten'
§ Article 29 Working Party meets with search engines on the 'right to be forgotten'
§ ICO publishes guidance on big data and data protection
§ ICO prosecutions
§ ICO monetary penalty notices
§ ICO undertakings issued - July 2014
§ EU Data Protection Regulation on an "irreversible road"
Updates from around the World...
§ Austria declares data retention provisions unconstitutional
§ Florida Information Protection Act comes into force
§ Singapore Personal Data Protection Act (PDPA) comes into force
§ Russia amends privacy bill and introduces data localisation requirement
§ Cookie law compliance inspections to commence in October
§ Belgium announces establishment of Cybersecurity centre
§ Vodafone India becomes first ever local telecommunications company to receive privacy accreditation
Key Dates Calendar
Key date | Issue | Action
1 December 2014 | Enforced subject access to become a criminal offence | Review internal procedures to ensure they are not caught by the new provisions. Companies may also wish to ensure that any criminal background checks HR carries out for new roles comply with the new provisions.
October 2014 | French CNIL to inspect use of cookies | Ensure compliance with CNIL's cookie guidelines published in December 2013.
2014 | Adoption of a final text of the Data Protection Regulation | Watch for updates.
2014 | ICO to publish Code of Practice on Privacy Policies | Watch for updates.
