The cost of Penalties, fines and settlements that occurred in the last decade around cyber security and data compliance came to a total of USD 1,45 billion, calculated from fines by the US FTC and European Data Protection Supervisory Authorities such as the UK ICO and France CNIL.
These hefty wrist-slaps are regulators’ proof of the effectiveness of sanctions, and have made compliance management an imperative necessity for companies dealing with data. The biggest violations were:
British Airways: USD 328 million for the violation of protection obligations after the hacking of payment card information for 500,000 users.
Marriott: EUR 110 million for the violation of protection obligations after the hacking of sensitive information for 383 million users.
Google: USD 50 million by the French supervision authority CNIL for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization”.
An estimated USD 6 trillion in damages has resulted from destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm over the past 10 years. 2018 McAfee report estimated USD 600 billion annually and rising (https://www.mcafee.com/enterprise/en-au/solutions/lp/economics-cybercrime.html).
The following were targets of the largest or costliest hacks – either criminal or state-sponsored, and their size or experience proved that there’s no denying the possibility of a breach: it’s a matter of when, not if.
Target (2013): Malware on POS system helped hackers collect payment card information from 40 million users.
MtGox (2014): 850,000 Bitcoins (worth just over USD 6 billion at time of writing) were hacked and stolen.
Yahoo (2013 / 2014): 2 Breaches. The discovery of a breach impacting 500 million users in 2014 opened an investigation that revealed another prior breach that occurred in 2013 impacting 3 billion users – Yahoo’s entire userbase.
Equifax (2017): Software patch failure leading to the leak of credit information for 145 million users mostly from the US, the UK and Canada.
Ashley Madison (2015): Hacking group the Impact Team leaked personal data on over 30 million users, exposing dirty laundry which lead to extortion and multiple suicides.
Ukraine power grid (2015-2016): Attack on power grid control network, causing power outage during winter in 2015.
It seems that hacking has not become more sophisticated over the last decade as the bulk of hacking events are still targeted at the classic weakest link in IT security: the human factor. Individual hackers also do not require technical dexterity as common hacking tools require no coding or in-depth tech knowledge. Ransomware is now available as a service (also known as RaaS), as is deepfake software. Hacking has become as easy as sending email or using a Trello board, requiring no coding at all.
A deep-faked call was used to impersonate a CEO and trick a subsidiary CEO into a fraudulent transfer of EUR 220,000 (https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402)
Identity theft of a former French minister was used to obtain EUR 80 million (https://www.bbc.com/news/world-europe-48510027)
Celebgate/The Fappening (2014): Fake password reset emails were used to obtain Gmail or iCloud accounts of celebrities leading to leaked sexual photos and videos.
WannaCry: 200,000 Computers were infected including healthcare, industrial production and office computers.
NotPetya: USD 10 billion in damages was generated due to operational and production loss with affected computers and servers.
Heartbleed (publicly disclosed in 2014): Security flaw on SSL allowed hackers to obtain cryptographic keys from servers to penetrate servers and decrypt traffic.
Mirai revealed the world’s biggest army of botnets used for DDoS doesn’t come from computers or servers, but innocent-looking – and poorly secured – IoT devices, such as smart fridges, smart lamps, smart anything really.
Understanding that data protection and privacy deserve a healthy environment for both the user and the State, regulators have stepped up to formulate comprehensive legal frameworks of compliance for data operators, with adequate sanctions upon violation.
EU GDPR: 25 May 2018, regulations protecting personal information of users located in the EU or processed by data controllers located in the EU
US CCPA: 28 June 2018, regulations around privacy rights and consumer protection for users located in US California
PRC CSL: 1 June 2017, regulations on the full spectrum of network security, data protection and data privacy, including non-personal information, introducing the notion of critical information infrastructure and paving the way towards internet sovereignty.
Previously obscure jargon, these few words have risen up in the last decade to become commonplace in conversations in the C-suite and by the general user.
Personally identifiable information (PII): Any information potentially identifying a specific individual. Gap between tech and regulatory: some device information can be considered as PII, such as IP, MAC address, or IMEI number. In some jurisdictions (US California, PRC), non-personal data can become PII when taken in combination.
Sensitive personal information: Defined by the effects on its owner by potential loss, namely harm, embarrassment, and unfair treatment. The definition is still broad, greatly varying from one jurisdiction to another and presents non-negligible compliance risk for data operators.
Cookies: Small file sent from a website and stored on the user’s device, useful for the website to remember behaviour, preferences and history. Although designed to personalise the browsing experience, cookies have gained a bad reputation when either collecting a broad range of behavioural information, sharing such information to third parties for commercial purposes and not disclosing the previous two.
These definitive events in the decade of 2010-2020 shed light on how cybersecurity, data privacy and protection has direct impact on end-users, not only corporate back offices. Over the course, these 3 major trends emerged:
- 1.Even unsophisticated hackers can achieve major damage using easily accessible hacking tools.
- 2.Regulators are largely on the backfoot, responding only after incidents occur and with limited legal frameworks and sanctions.
- 3.Organizational updates of OT/IT security teams and processes are not standardized, leaving them vulnerable to both hackers and regulatory liability.
As the Good, the Bad and the Ugly finally meet for their Mexican standoff, these 3 main trends shaping the cybersecurity landscape will collide relentlessly in the coming years.
So, what shall we look out for in the coming decade? Stay tuned for our 2020-2030 predictions.
The TL Group is a team providing tech and legal services.
The alliance between Leaf, a law firm, and TekID, a Data intelligence firm, is providing a comprehensive cyber security and data management offering which will help you enhance your security with a holistic approach. This team of cyber / data experts and lawyers can offer services to companies and managers such as compliance audits and programs in cybersecurity, structuring deals involving data assets, understanding and managing the life cycle of data and the associated risks, forensic investigations, among others.
This publication is provided for your convenience and does not constitute legal advice. Please talk to your Leaf contact before acting upon the information provided. Leaf paralegals and attorneys are available to advise you on specific queries. If you have any questions, please contact us via email: email@example.com or phone: (+86) 21 6233 7226. You can also find information on our website: www.leaf-legal.com