Data Protection News Digest: in the headlines for March

Data Protection Digest: Our top three stories this month

March 2020 will go down in history as the month the world changed, as businesses and consumers came to terms with the impact of the coronavirus COVID-19. This month, our news analysis will have a special focus on the effect COVID-19 is having on data privacy, as well as a round-up of other stories that have caught our eye this month.

COVID-19 has major impact

Almost overnight, the UK became a nation of home workers. We have written previously about how businesses can take steps to protect data when their workforce is ‘out of office’, however, understandably, data privacy has come under increasingly intense scrutiny over the past few weeks.

In particular – as everyone rushed to install video conferencing apps – question marks were raised over how secure they were, particularly when the Prime Minister was pictured hosting a cabinet meeting via Zoom. Zoom, understandably, defended its security credentials, but uncomfortable claims continue to be made about how it is using user data, particularly after it had to update its iOS app to remove a code that sent data to Facebook.

Similarly, for consumers, the app Houseparty has surged in popularity, as people look for ways to stay connected to loved ones. Following reports it had been hacked, it responded with a strenuous denial, even offering a $1m ‘bug bounty’ to anyone that can prove otherwise.

Another impact has been the increase in cybersecurity attacks – unfortunately for some, a crisis is seen as an opportunity. This has led to the formation of an international group of nearly 400 volunteer cybersecurity experts to combat hacking and phishing.

Finally, many of us will have received emails from companies and services updating us on how they are responding to the coronavirus crisis. However, this means mistakes are happening - one housing association accidentally issued an email containing contact and personal details of residents. This demonstrates that, particularly during times of crisis, additional measures should be taken to protect consumer data.

Our view

As we’ve said, COVID-19 has forced a dramatic – and rapid – change in how many people do business, and it has been great to see how many businesses have been able to adapt. However, even during a crisis, companies must still abide by data privacy laws, particularly when encouraging the use of video conferencing apps such as Zoom. Although Zoom has been keen to stress their security credentials, our advice would be to ensure that nothing highly sensitive or confidential is discussed on these calls.

Government says that almost half of UK companies suffered a breach in 2019

The latest Cybersecurity breaches survey from the Department for Digital Culture, Media and Sport (DCMS) showed that almost half of UK businesses suffered a cybersecurity breach or attack during the past 12 months, rising to 68% of medium-sized firms and 75% of large enterprises.

Despite this, the DCMS was keen to point out that some of this increase could be attributed to a greater awareness of cybersecurity. They also highlighted the fact that organisations have become better at resolving an attack, with many saying they are now less likely to report negative outcomes and that they tend to recover more quickly.

Our view

Without doubt, as our lives and businesses have become more reliant on technology, the opportunity for cyberattacks – including phishing, viruses and malware – has increased. However, it is encouraging to see that organisations have also become more resilient and better at managing an attack when it does happen. The survey also revealed that eight in 10 businesses say that cyber security is now a high priority for their senior management boards – up from 69% in 2016 – which is really positive news. Cyber security AND data protection need to be board-level concerns.

Virgin Media faces £4.5m compensation bill after data breach

At the beginning of the month – before the true impact of coronavirus was being felt – Virgin Media admitted that a database containing the personal details of 900,000 people was left unsecured and accessible online for 10 months, and that this information was accessed ‘on at least one occasion’ by an unknown user. The database contained phone numbers, home and email addresses. After it was alerted to the issue by a security researcher at TurgenSec, Virgin Media immediately shut down access, and reported the breach.

Now, lawyers representing those impacted say that the firm could face a huge compensation bill and GDPR fine in the region of £4.5m.

Our view

Although Virgin Media took the right steps when it became aware of the breach – it shut down access, contacted those affected to warn them about the risks of phishing, nuisance calls and identity theft, put advice on its website and reported the breach – the fact that the data was available for 10 months will most likely result in a major fine under GDPR, as well as significant reputational damage for the company. It is imperative for companies to be aware of how and where their data is stored so major breaches like this don’t go unnoticed for lengthy periods of time.

For more information on The Compliance Space, or to book a demo, contact us at https://www.thecompliancespace.com/book-a-demo