This article originally appeared in City A.M. on 15 January 2016.
If 2015 taught us anything, it’s that it is now a question of when, not if, our data will be compromised. Therefore, 2016 must be the year that business gets serious about the importance of cyber security. From the chief executive down to the intern, everyone will need to see cyber security as a top priority and be aware of how their own actions could affect data security.
Recent high profile breaches have shown just how important it is for businesses and policy-makers to work together to develop an appropriate response to the challenges of cyber security. Failure to do so ultimately means that not only will data inevitably be compromised, but that the reputation of entire industries could be too.
Thankfully, the 2015 Autumn Statement showed that the government is starting to take cyber security seriously, with plans for £1.9bn to be spent on the area, an increase of 79 per cent over the last Parliament. We are told that this will support a number of initiatives, including the creation of a National Cyber Centre to “simplify and strengthen government effort” and “improve engagement with industry”, a new “programme of active defence” in partnership with the “major companies who form the backbone of internet services” to fight cyber attacks, and the provision of support for cyber businesses to nurture talent and drive growth in the sector.
Although these plans are not insignificant by any means, real developments in this area will only come from the private sector. For these initiatives to work, information sharing and the application of best practice between different businesses and sectors is key.
Other policy changes are making this even more important. At an EU level, long awaited reforms to data protection laws will mean that businesses need to take a hard look at how they are currently managing their data. The General Data Protection Regulation will lead to a number of new requirements for companies, including the need to proactively carry out privacy impact assessments regarding sensitive data, to appoint a data protection officer, and to notify the national data protection authority about a data breach within 72 hours of the business becoming aware of it.
Businesses can’t afford to ignore these requirements. Failure to comply could lead to fines of up to 4% of worldwide turnover.
Additionally, for the first time, complainants will now be able to bring a case to a data protection authority in their home country (in the UK’s case the Information Commissioner’s Office) regardless of where the company is based. In complex cases involving multiple EU states, a new Data Protection Resolution Board will coordinate.
Another step being taken at an EU level is the creation of the Network and Information Security Directive, which aims to ensure that the different EU regimes on cyber security are harmonised. The impact will be that “operators of essential services” (such as energy, transport, banking, finance, healthcare and water supply) will have to report serious security breaches. Member states are going to be tasked with concretely identifying these companies, based on whether the service is critical to society and the economy, whether it depends on network and information systems, and whether the incidents could have severe effects on its workings or on public safety. Some “digital service providers” (previously known as “internet enablers” and likely meaning online marketplaces, cloud computing services, and search engines) will also be tasked with reporting duties.
This emphasis at both a UK and EU level shows that data security is no longer an afterthought for politicians, and the changes that are coming mean that it can no longer be for businesses either. After all, data security underpins the continued development of the digital economy, protects intellectual property and our critical national infrastructure, and upholds consumer trust in business.