Member Article

Businesses must learn from unprecedented Yahoo hack

Lawyers at national law firm Clarke Willmott have warned businesses to assess their data security policies after what is thought to be the largest data breach in history at Yahoo, especially in light of the new General Data Protection Regulation (GDPR) due to come into force early in 2018.

Yahoo users - who were probably already feeling uneasy after September’s reports of a data hack dating back to 2014 affecting 500 million accounts – are likely to be even more unhappy in the light of this week’s revelations about another, earlier, hack dating back to 2013 and affecting an estimated one billion accounts.

Although Yahoo claims this data does not include payment details, the suggestion that sensitive data belonging to one of the world’s largest technology companies has been compromised on such an enormous scale will have put many businesses on edge.

Susan Hall, an Information Technology lawyer at Clarke Willmott LLP, said: “However embarrassing the breach is for Yahoo, they can be glad this has happened now and not in 15 months’ time, as new, more stringent regulations are due to come into force in May 2018.

“Given that last year’s Talk Talk data breach resulted in a £400,000 fine, if Yahoo should be found to have been negligent or reckless in their approach to data security they would currently be in line for a fine of up to £500,000.

“But under the new GDPR fine structure, with a maximum fine of 4% of global turnover, they could have been in line for a fine of hundreds of millions as opposed to hundreds of thousands. “In addition, the new rules will mean that companies won’t be able to delay reporting data breaches, being obliged to report hacks within 72 hours. Even under the current rules, eyebrows are likely to be raised about the 18 months Yahoo appears to have taken to investigate and then announce the breach.

“Another change the GDPR will bring in is liability for companies based outside the EEA in respect of loss or damage to the data of data subjects located in the EU.”

The new GDPR rules will not only affect large companies such as Yahoo and Talk Talk, but will also pose a challenge to smaller businesses.

Susan Hall proposes four key steps for businesses preparing to step up their data security in anticipation of the harsher new regulatory regime.

• Ensure that there is a senior officer in the organisation whose responsibility is to deal with data security issues and make sure that they are given Board support and that data security is treated as high priority.

• Take expert advice from a reputable IT consultancy as to identifying and analysing your security vulnerabilities. This can include hiring specialist firms to ‘penetration test’ your computer system for vulnerabilities that a hacker could exploit. IT lawyers work closely with their clients and specialist consultants in assessing data security risks and putting in place policies, training and appropriate contracts with IT suppliers to plug security gaps. Any form of outsourcing can be an area of risk, so if you are planning this, it’s essential to cover the data security aspects.

• Create a plan in the event of a security breach and ensure that it is kept up to date and everyone is aware of their responsibilities under it.

• Put in place policies to deal with remote working, Bring Your Own Device and mobile working, and keep them under review.

This was posted in Bdaily's Members' News section by Clarke Willmott .