
Are Scottish businesses ready for the fallout from data breaches?



GDPR laws to protect individuals from data breaches have been in place for more than a year now, and there has yet to be a significant fine handed out in the UK.

That does not mean there are no infringements waiting to be detected – or that regulators will not get tougher on companies once the honeymoon period becomes distant.

We asked six prominent business figures in Scotland whether they feel the business community is well prepared for the consequences of data breaches.


No – Catriona Garcia-Alis, senior associate at CMS

GDPR fines will be on many companies’ radar, but many have not considered class actions for compensation by the individuals affected by a breach. Currently, such actions are limited to claimants who choose to participate. However, in Scotland a new group procedure is being considered which could result in a US-style ‘opt-out’ process becoming available. This could significantly increase claimant numbers and inflate damages. Businesses should prepare by reviewing existing insurance provision and contractual indemnities.

Yes – Graeme Murray, CEO and founder of Amiqus

Data breaches hold consequences for even the best-prepared organisations, including the time and cost of internal investigation and required remedial action, involvement from regulators, reputational damage and any resulting private claims. Technology is part of the solution, but it isn’t a panacea. More than 40% of reported security breaches are caused by employee negligence, demonstrating the need to foster a culture of security and awareness.


Maybe – Mandy Hayburn-Little, chief executive of Scottish Business Resilience Centre

Ironically, cyber security is rarely yes/no. We definitely have achieved some major milestones in Scotland and have the opportunity to be a real flagship nation. GDPR was a big wake-up call on systems security – in Scotland we have created some unique business models with business, academia and police, and these are now being sought further afield. That said, media coverage of cyber attacks tends to focus on larger business breaches. It creates a false perception that SMEs are less likely to be targeted. The reality is quite the opposite.

No – Alan Greig, managing director of Net-Defence

Incident response plans are, in the main, non-existent, untested or not adopted at board level. Data breaches are incorrectly considered the domain of IT, whereas data comes in many forms – not just digital. In Q4 2018 only 14% of data breaches were cyber-related, whereas 50% were down to human error. Most people seem to still believe security is a technology risk, so we clearly don’t really understand the technology, nor the risk.


Maybe – Ross Foley, cyber security director for PwC Scotland

There have been great strides forward in awareness of, and investment in, information security across businesses of all sizes in Scotland; however, it remains to be seen if this is enough. Organisations are still often reliant on “paper shields” and neglect to fully exercise their response plans, which should not just focus on the technical response but include everyone from your CEO to your social media team if you are to effectively respond to a breach.

No – Graeme Bryce, chief technology officer of Twasme

Businesses and customers mistakenly rely on account passwords and the HTTPS protocol to protect data. If the data is ultimately stored in a server database in a readable form, then it is at risk from hacking and from careless or malicious employees. The only truly secure way to protect data is to encrypt it at source using a key, or master password, that only the customer knows. This technique is known as “end-to-end encryption”.


