This is the second article in the cyber awareness series. The series provides an insight into various aspects of good cybersecurity that should be incorporated into your day to day activities while online.
This article is primarily aimed at businesses, but it is also important for individuals to understand their rights under some aspects of the data privacy legislation. If you missed our first article on establishing a good cyber culture, it would be worth reading it alongside this one.
We all want our data to be secure and managed in a way that protects our identity and our information. We want those who tamper with or attack our devices, systems and services brought to justice. We want it to be possible to have harmful content online removed.
We must protect the data we have on people and know what our responsibility is under the law.
Would you know which laws may be breached by the following actions?
- using someone’s password or account to access information
- storing data in the cloud
- collecting personal data
- marketing through email lists
- collecting information through your website or applications
- taking payments by credit or debit card
- having staff access personal information
- not having appropriate security on your systems
Key data and cyber-related legislation affecting Northern Ireland
- Computer Misuse Act 1990
- GDPR 2016 (EU General Data Protection Regulation)
- Data Protection Act 2018
- PECR - The Privacy and Electronic Communications (EC Directive) Regulations 2003
- NIS Directive
- EU Cyber Security Act
- PCI DSS Standard (not a legal requirement, but failing to implement it could lead to breaches of the law, e.g. loss of personal data)
Lack of knowledge of the law and industry standards could result in you breaking the very laws established to provide protection.
Below we describe real-life examples of where security and data breaches have occurred.
The following breaches under the Computer Misuse Act highlight why it is important to have security practices in place to help mitigate against these happening to you.
- A revenge attack in which a person who had left a company was able to access the company's systems and the email of the chief executive.
- Stealing personal information using colleagues’ log-in details.
- Hacking of a Facebook account to access personal data, then sending inappropriate WhatsApp messages.
- Unauthorised access to information in order to find out salaries that the person was not authorised to see.
Businesses have been fined under the Data Protection Act and the General Data Protection Regulation for inappropriate security measures on systems that were storing or being used to process personal information, e.g. Cathay Pacific and DSG Retail Group.
If you store information in the cloud is it properly secured and encrypted so only you have access to it?
Accessing and Storing Personal Data
If you store personal data, can your employees access this information without authorisation?
A local government employee at Walsall Metropolitan Borough Council was recently prosecuted for accessing social care records without authorisation.
The concept of bring your own device to work (BYOD) is popular in some businesses. This poses some questions and policy decisions that those businesses need to work through with those employees. Here are a few:-
- how is any personal data that is gathered for work purposes protected in accordance with the Data Protection and GDPR legislation?
- how can you ensure that data is only used for the purposes for which it was gathered and consented to?
- how is the individual's personal and private information on their device protected from being inadvertently misused by the organisation?
- how is the device disposed of and who is responsible?
If you undertake marketing activities via email or telephone, The Privacy and Electronic Communications (EC Directive) Regulations 2003 say that consent must be given to market and collect data electronically. In a recent case, an Information Commissioner’s Office (ICO) investigator stated that:-
“Firms providing marketing services to other organisations need to double-check whether they have valid consent from people to send marketing emails to them. Generic third-party consent is not enough and companies will be fined if they break the law.”
Similarly, telephone calls made to numbers registered to the Telephone Preference Scheme (TPS) have also seen firms being fined by the ICO.
The use of cash is reducing significantly, with most payments now taken by credit or debit card. If you are not compliant with industry standards in how you take card payments, then you could be fined by your payment card provider or the ICO.
The Payment Card Industry Data Security Standard (PCI DSS), although not a legal requirement, is highly recommended to ensure that card data is not compromised, which could lead to fines from the card payment provider or from the Information Commissioner for a data breach.
Key cyber and data legal requirements and standards
What you can do to reduce your risk for each piece of legislation:-
- Understand how these apply to your business. Understanding how this legislation affects your organisation, and how other organisations have fallen foul of the law, helps you to evaluate how best to mitigate it happening to you.
- Train and raise awareness among staff. Impart key messages and actions (Do’s and Don’ts) to your employees. Use this article as part of that awareness activity.
- Review and update policies and procedures. Review your policies and update or create them in line with the legislation.
The Computer Misuse Act 1990
The Computer Misuse Act 1990 defines the following actions as offences; fundamentally, most of them amount to someone doing something without permission. The challenge is that on occasion people can fall foul of this Act without even realising it.
The Act states that a person is guilty if he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured; if the access he intends to secure, or to enable to be secured, is unauthorised; and if he knows at the time when he causes the computer to perform the function that that is the case.
The intent a person has to have to commit an offence under this section need not be directed at: a program or data of any particular kind; or a program or data held in any particular computer.
The offences fall into 5 main areas:-
- Section 1: Unauthorised access to computer material.
- Section 2: Unauthorised access with intent to commit or facilitate commission of further offences.
- Section 3: Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer, etc.
- Section 3ZA: Unauthorised acts causing, or creating risk of, serious damage.
- Section 3A: Making, supplying or obtaining articles for use in an offence under section 1, 3 or 3ZA.
The Act only requires that access to the computer in question must be unauthorised, and that the person gaining access must know it to be unauthorised.
GDPR and the Data Protection Act 2018
The General Data Protection Regulation (GDPR) applies in the UK, tailored by the Data Protection Act (DPA) 2018. This general data protection regime applies to most UK businesses and organisations, with a few exceptions.
The ICO is the regulator for GDPR and the DPA, and is a good source of information and support. A lot more detail and guidance can be found on the ICO website.
GDPR has seven principles that should lie at the heart of your approach to processing personal data:-
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Lawful Basis for Processing
You must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. No single basis is better or more important than the others – deciding which basis is most appropriate will depend on your purposes for processing and relationship with individuals.
GDPR provides rights for individuals, such as the right to be informed, the right of access, and the right to erasure. These rights are not absolute, and depend on the lawful basis under which you process personal data.
Your role as a business
Understanding your role in relation to the personal data you are processing is crucial in ensuring compliance with the GDPR and the fair treatment of individuals. Your obligations under GDPR will vary depending on whether you are a controller or processor of data.
It is also important that your processes and systems are designed to comply with the data protection principles and can deal with any individual’s request to exercise their rights, such as a request for their information.
GDPR introduces a duty on all organisations to report certain types of personal data breach to the ICO. You must do this within 72 hours of becoming aware of the breach, where feasible.
You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the ICO and/or the affected individuals.
You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
It is worth noting that data controllers must pay a data protection fee to the ICO, unless they are exempt. There are three tiers of fee ranging from £40 to £2,900. You can find out how much you may need to pay by taking a self-assessment.
The Privacy and Electronic Communications (EC Directive) Regulations 2003
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications.
For businesses marketing by electronic means, there are also requirements to ensure that permission has been received from the recipient to receive this material.
Some of the rules only apply to organisations that provide a public electronic communications network or service. But even if you are not a network or service provider, PECR will apply to you if you:
- market by phone, email, text or fax;
- compile a telephone directory (or a similar public directory).
Since May 2018 it is important that consent is obtained for any electronic marketing, and that opt-out services such as the Telephone Preference Scheme (TPS) and Corporate Telephone Preference Scheme (CTPS) are consulted before engaging.
There are additional obligations for network providers and Internet Service providers.
Network and Information Systems Directive 2018 (NIS)
The NIS legislation is intended to establish a common level of security for network and information systems. These systems play a vital role in the economy and wider society, and NIS aims to address the threats posed to them from a range of areas, most notably cyber-attacks.
Although NIS primarily concerns cybersecurity measures, it also covers physical and environmental factors.
NIS applies to two groups of organisations: ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs). There is a general exemption for digital services that are small and micro-businesses unless they are part of a larger group or are controlled by larger organisations.
There are a number of regulators, or Competent Authorities under the legislation, for different areas of the legislation. The ICO is the NIS ‘competent authority’ for RDSPs and the Northern Ireland Competent Authority for OESs sits within the Department of Finance. A list of Designated Competent Authorities for OES can be found in Schedule 1 of the legislation.
RDSPs are organisations that provide specific types of digital services: online search engines, online marketplaces and cloud computing services. To be an RDSP, you must provide one or more of these services, have your head office in the UK (or have nominated a UK representative) and be a medium-sized enterprise.
OES are organisations that operate services deemed critical to the economy and wider society. They include critical infrastructure (water, transport, energy) and other important services, such as healthcare and digital infrastructure.
In the UK, the designation of organisations as OES has to be achieved through setting definitions and thresholds in legislation relating to the scale of an organisation’s operations. These thresholds can be found in Schedule 2 of the legislation.
Organisations that meet those definitions and thresholds are automatically designated as OES. Organisations designated under the NIS directive as an RDSP or OES have legislative obligations, and should familiarise themselves with those obligations under the legislation.
EU Cyber Security Act 2019
The EU Cybersecurity Act reinforces the EU agency for cybersecurity (ENISA) and complements the Directive on Security of Network and Information Systems (NIS).
Under the Act, ENISA is responsible for an EU certification framework for ICT digital products, services and processes. The European cybersecurity certification framework enables the creation of tailored and risk-based EU certification schemes. A certificate may specify one of three assurance levels (basic, substantial, high), commensurate with the level of risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident.
Companies providing products, services or processes into European countries should be aware of this Act and the potential need to comply with any certification schemes developed through ENISA.
Health and Social Care (National Data Guardian) Act 2018 (England and Wales only)
Although this Act does not apply to Northern Ireland, it has been included so that any businesses providing services to health care in England or Wales are aware of it.
This Act relates specifically to the processing of health and adult social care data.
PCI DSS – Payment Card Industry Data Security Standard
The PCI DSS, although not a legal requirement in the UK, is a standard put in place by the payment card industry to protect against data loss and fraud, and is essential for many businesses in order to operate securely.
Having the PCI DSS controls in place reduces a business's potential for a data breach (protecting personal data is a legal requirement under the DPA 2018 and GDPR) and reduces the risk of fines being levied by the business's card scheme provider for not being PCI DSS compliant.
PCI DSS compliance is achieved through enforcing tight controls surrounding the storage, transmission and processing of the cardholder data that businesses handle. PCI DSS is intended to protect sensitive cardholder data.
The payment standard has 12 high-level requirements which fall into six categories, many of which are good cybersecurity practices anyway:-
- Build and Maintain a Secure Network
  - Install and maintain a firewall configuration to protect data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  - Protect stored data (use encryption)
  - Encrypt transmission of cardholder data and sensitive information across public networks
- Maintain a Vulnerability Management Program
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - Restrict access to data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security
The NI Cyber Security Centre encourages businesses to seek appropriate legal counsel where necessary.