Online consent scam outlawed in fight over personal data
Automatically ticked consent boxes that allow companies to harvest and exploit valuable personal information are to be banned in an overhaul of consumer protection laws for internet users.
DNA profiles and browsing histories are also to be included in a new definition of personal data, with companies facing criminal prosecution if they fail to protect users’ identities, report Francis Elliott and Mark Bridge.
Ministers will today spell out the details of a Data Protection Bill to be introduced in the Commons next month. It will include the right of adults to request the deletion of social media content they posted as children.
While that measure was expected, ministers will say that they intend also to expand the definition of personal data to include IP addresses and cookies. Matthew Hancock, digital policy minister, said that the bill would contain the most robust, yet dynamic, data laws in the world. “It will give people more control over their data, require more consent for its use and prepare Britain for Brexit,” he added.
Experts said that it could have far-reaching effects on companies that trade in anonymised data harvested online. Some offer cheap genetic tests for genealogy and then sell the information to medical researchers.
SRA issued important IT security facts
- £1 billion was lost to business from online crime (2015-2016)
- £2.3 billion was lost by global businesses from email fraud (2013-2015)
- 75% of cybercrime reports to us are Friday afternoon fraud
- £1.57 million was paid by businesses in ransoms (2016: Q1)
- 43% of all cyber attacks are aimed at small businesses
- 9 security breaches in 2015 featuring more than 10 million personal records being exposed
Leading experts discuss cybersecurity risks to coincide with our spring update to the Risk Outlook.
There was general agreement that law firms are an attractive target for criminals because they can hold not only large amounts of money but also valuable client information. Three key themes from the roundtable were that:
- Too often cybersecurity is viewed as just an IT risk. It is a business risk that requires engagement and ownership at a senior management and Board level. Training staff is important, but businesses also need to develop a culture where cybersecurity is treated as a serious priority.
- People and processes are as crucial as technology. Law firms should consider having rigorous and unambiguous procedures for when clients notify them of any changes to their personal information or bank details during a transaction.
- The use of unsupported software increases an organisation’s vulnerability. In addition to addressing this risk, businesses should also consider the benefits of implementing Cyber Essentials – a Government-backed scheme to help organisations protect themselves against common cyber attacks.
Our roundtable involved leading agencies and experts from a range of sectors to discuss how businesses can tackle the risks of cybersecurity. As well as us, there were representatives from the Information Commissioner's Office, Barclays, Advent IM, National Crime Agency, IASME & UK Cyber Forum, bgi.cyber.uk ltd, Pelican Underwriting, QBE Insurance, Cyber Strategies, PA Consulting and Microsoft.
The roundtable coincides with the publication of our spring update to the Risk Outlook, which highlights seven priority risks for the legal sector. It shows that three quarters of all cybercrimes reported to us involve email modification fraud. Half of all such reports are email modification frauds against conveyancing proceeds. It says any field of work which involves client money is at risk, with probate another common target.
We are committed to taking a constructive and engaged approach with firms when they fall victim to cybercrime. However, the risk update does highlight that we will take action where firms are not proactive. For instance, we have this year issued rebukes in cases where a firm has failed to report the loss of client money or been slow to remedy client losses.
Paul Philip, SRA Chief Executive, said: “We all benefit from information technology, but that means we are all vulnerable to cybersecurity risks. These risks evolve rapidly. Whether it is money or sensitive client information, law firms are an obvious target. It is the job of firms to take steps to protect themselves and their clients, but we want to help.
“So in addition to regular updates and conversations with firms, we also want to make sure we learn from insights across all sectors. It was clear from our roundtable how similar the issues are. By working together we will be in a much better place to stay cybersecure.”
We published a detailed report into IT security at the end of 2016.
Chancellor Philip Hammond released plans for a £1.9 billion Government cyber security strategy.
Key areas that all firms should be aware of include:
- Roles and responsibilities of businesses and organisations
- The National Cyber Security Centre (NCSC)
- Defend – plans to defend UK organisations
- Deter – plans to enhance deterrence
- Develop – plans to strengthen skills, training and technology
It is your responsibility as a business within a particularly vulnerable sector to keep abreast of developments and to be aware of the strategy, as well as of ways you can implement any changes effectively.