By the end of the year will the United Kingdom of Great Britain and Northern Ireland still be a member of the European Union? David Cameron has been performing a charm offensive, coupled with good old fashioned diplomacy and negotiation in order to develop a refreshed relationship with our continental cousins. Will it work? Will there be a referendum in June? Will we be ‘in’ or ‘out’?
As both the ‘yes’ and ‘no’ camps start to develop their communication plans to win our vote, will either of them consider what effect our future relationship with Europe may (or may not) have on cyber security?
There is proposed European legislation, the General Data Protection Regulation (GDPR), expected to come into force in 2018, that will make the reporting of personal data breaches mandatory: a breach that puts individuals at risk must be notified to the regulator, normally within 72 hours of discovery. If you lose data, or data gets stolen, you will have to perform a technical walk of shame and face investigation and potentially large fines (up to 4% of global annual turnover or €20 million, whichever is higher). If we were not in Europe this legislation would no longer apply directly to UK businesses, although any UK business offering goods or services to EU residents, or monitoring their behaviour, would still be caught by its reach. Is that good or bad? There could be an immediate sigh of relief from many boardrooms: as they continue working on a cyber strategy, they could do so knowing that if a bit of data here, or a bit of data there, goes walkabout then it can be swept under the boardroom carpet and not worried about.
UK law as it stands is the Data Protection Act 1998, whose seventh principle requires anyone holding personal data to take ‘appropriate technical and organisational measures’ to protect it against unauthorised or unlawful processing and against accidental loss, destruction or damage. Sounds easy, eh? But just remember the date on this: 1998, before the internet took hold of everyday life, long before mobile phones became smart, and a time when billionaire Facebook founder Mark Zuckerberg was still just the tender age of 14. The Data Protection Act needs, shall we say, updating! The Information Commissioner’s Office (ICO) enforces the Act, performs investigations where necessary and can issue fines (currently capped at £500,000). However, the ICO can only investigate what it knows about, and the Act imposes no general duty to tell it about a breach. So if that laptop a colleague left in a restaurant has ended up in Cash Converters and its sensitive contents are now being peddled around the deep recesses of the dark web, then who is to know?
I’ll put a stake in the ground now on this point: I’m in favour of the EU legislation. If I, as a consumer and as a citizen, hand over sensitive data about my person, my life, my family or my finances, then I expect it to be protected. If it is not, that bond of trust has been broken and the organisation has failed in its legal responsibility, then irrespective of what the organisation is, from a school or a retail outlet to a government department, I expect it to be brought to justice. The challenge (as always) is convincing organisations that the intangibility of data needs to be overcome, and that data has to be seen, understood and treated in the same way as the more physical assets of the business. If a company had not implemented the necessary safeguards to protect its customers and this negligence led to physical harm, would you want to give them your business? Perhaps not. So if the same company had not implemented the necessary safeguards to protect its customers’ data and this negligence led to mental harm (through a stolen identity due to a data breach), would you want to give them your business? If companies were forced to declare such incidents, as this legislation requires, consumers would be better informed about the relative safety of their data.
Widen this discussion and ask what effect pulling out of Europe, and by association out of this mandatory data breach notification legislation, would have on the UK’s global competitiveness. If companies in Germany that were bound by this new legislation started promoting themselves as ‘cyber safe’, does that give them an advantage on the global business stage over a UK company that is not bound by it? Around the dinner tables of the UK, conversations are often had about which countries are honourable and trustworthy to deal with and which are not. Would a ‘cyber safe’ Europe be more or less attractive to global investment than a UK ‘doing its own thing’? The answer: I don’t know. If we stay, we will be legally bound by this legislation; if we go, would the Government have the necessary teeth to significantly update the Data Protection Act to ensure we are on a level playing field with Europe?
As a final note, President Obama’s budget proposal for fiscal 2017 asks for $19 billion for cyber security across the U.S. government, an increase of $5 billion on this year. He is aware that becoming cyber safe is good practice for a country as a whole. Europe is following. If we leave the European Union, can we convince the US and others that we are as safe to work and trade with as the remaining members? I just wonder whether the ‘yes’ and the ‘no’ camps will have an answer for us in the coming months of campaigning.