UK Data Breach on the Rise: How Can Employers Protect Themselves?

Photo Credits: Shahadat Rahman via Unsplash

A recent analysis by law firm Nockolds has shown that the likelihood of a data breach in the UK rose by 41% in 2023, the highest level in five years. Read on to learn more about the current statistics and the ways in which employers can protect themselves against breaching data protection laws.

UK Data Breach: 57% Increase in Leaked Employee Data Since 2022

A UK data breach is unauthorised access to, or loss, destruction, or alteration of personal data. Personal data is information pertaining to an individual that enables them to be identified, which includes their name, identification details, and even their address. Common ways in which UK data breaches occur are:

  1. Gaining unauthorised access,
  2. Sending information to the wrong recipient,
  3. Theft of devices, and
  4. Intentional or accidental actions or omissions by an employee.

According to Nockolds’ analysis, the Information Commissioner’s Office (“ICO”) received 3,208 reports of employee UK data breaches in 2023, an increase from 2,279 in 2022. Further, the analysis reveals that there were 554 ransomware attacks targeting employee data in 2023, a 57% increase compared to those which took place in 2022.

More Priority Needs to Be Given to Employee Data Security

Nockolds’ principal associate Joanna Sutton stated that while there has been an increased emphasis on data security, hackers still find a way. She further adds, “It is clear from the surge in employee data breaches that organisations need to give higher priority to data protection. Employees are more likely to be understanding about a data breach if rigorous protocols are in place and adhered to.”


Earlier this month, the Ministry of Defence was subjected to a cybersecurity attack targeting the data of military personnel via a third-party payroll system. Personal data which was obtained included the names and bank details of an unknown number of armed forces members, both past and present.

The identity of the person or people responsible for the attack has not been disclosed, and it remains unclear what the personal data obtained may be used for. This is just the latest in a series of high-profile UK data breaches, which has many employers worrying that they might be next.

ICO Deputy Commissioner Advises Implementing Basic Cybersecurity Measures

Given that the vast majority of businesses rely on IT systems, to varying degrees, in order to function, and that data is now considered a highly valuable asset, cybersecurity is more important than ever before. Moreover, under data protection laws, it is a legal requirement for businesses to have “appropriate technical and organisational measures” in place to protect the personal data they hold and prevent a UK data breach.

Additionally, the potential for cyber-attacks to have catastrophic effects on a business’s operations and critical infrastructure can carry significant cost implications. The ICO has the power to impose substantial fines for UK data breaches, of up to £17.5 million or 4% of an organisation’s annual global turnover (whichever is higher).

Those individuals whose personal data has been affected could also choose to bring claims, for which they may be awarded damages. In addition to possible financial consequences, a UK data breach can often also result in negative press attention which could lead to reputational damage.


ICO Deputy Commissioner Stephen Bonner has emphasised the importance of having basic cybersecurity measures in place, stating there is no excuse not to implement them. He adds, “People need to feel confident that organisations are doing as much as they possibly can to keep their personal information secure”.

How Employers Can Protect Themselves from a Data Breach

Ideally, employers should aim to put in place a combination of cybersecurity measures to provide as much protection as possible against a UK data breach. To combat the wide variety of cyber-attack techniques now being employed by hackers – from phishing attempts to the deployment of malware – the protective practices of businesses must be at least equally broad. The government has published “10 Steps to Cyber Security” in an effort to assist employers in achieving this.

Technological Data Protection Solutions

From a technological perspective, it is important for employers to ensure that they have adequate network firewalls, anti-virus software, and cloud backups in place. They might also consider measures such as two-factor authentication, separate Wi-Fi networks for employees and visitors, Virtual Private Networks, and frequent software updates. Restricting administrative permissions within the business and monitoring users are also advisable steps.

Policies To Combat UK Data Breach

Of equal importance is establishing and implementing protective policies and practices across the business. With the majority of UK data breaches being caused by human error, promoting employee awareness and providing effective training are crucial to cybersecurity. It is paramount that employees understand the risks of cyber-attacks and UK data breaches, and what they can do to help prevent them and keep personal data secure. Equally important are procedures to be followed in the event of a UK data breach, such as reporting mechanisms, reactive safeguards, and mitigation methods.

The ICO has recently published guidance providing practical advice on the steps to take to maximise cybersecurity and avoid a UK data breach.


What To Do in the Event of a UK Data Breach

Upon becoming aware of a data breach, an employer must immediately take action to limit the breach and implement appropriate remedial measures to prevent a recurrence. They must also keep thorough records of the breach, including the facts of the case, its effects, and any remedial measures.

In some cases, under data protection laws, businesses will be required to report a UK data breach to the ICO within 72 hours of discovery. This is the case where the data breach is likely to put an individual’s rights and freedoms at risk, taking into account all the facts and the potential impact of the case. Businesses that fail to report when required risk a fine of up to £8.7 million or 2% of their annual global turnover (whichever is higher). Employers may also be required to notify affected individuals of the UK data breach, although there are exceptions to this rule.

The ICO has published guidance on UK data breaches and what to do in the event of one. The guidance covers risk assessments, which breaches must be notified to the ICO, and what information must be provided to individuals whose personal data may have been compromised. ICO’s Stephen Bonner advises, “If you do experience a cyber-attack, we always encourage transparency as your mistakes could help another organisation to avoid a similar breach.”
