Business Centre Break-In and Data Protection

If your business experienced computer theft, would the data you hold be safe?

The recent break-in at Chichester Enterprise Centre is, sadly, one of many that happen daily across the UK. But this is more than an unfortunate inconvenience for the businesses based in the building. The implications can be astronomical. When computers are stolen, the data on them is immediately put at risk. Following the new General Data Protection Regulation (GDPR) legislation that came into force in the UK in May 2018, businesses and organisations, big and small, have an obligation to keep data safe.

Your obligations under GDPR

The introduction of GDPR saw the most important change in data protection law in 20 years. With it came new obligations and duties which organisations of all sizes are required to follow to keep data safe. So, what do you need to do if your business's computers get stolen? How safe is the data stored on them? Is your business covered by cyber insurance?

Unfortunately, a staggering 60% of small to medium-sized businesses who experience a cyber attack following a data breach are forced to liquidate within 6 months of being attacked!

The good news… this is preventable!

Would your business be covered if you suffered data theft?

If your business stores personal data such as names, email addresses, addresses, medical data or banking information, you need cyber liability insurance.

If your business relies on computers, communicates using electronic methods or has a website, you need cyber liability insurance.

If your business collects payments using a merchant card facility, you need cyber liability insurance.

Without this insurance, you could find your business facing both financial and reputational consequences.

A final word on GDPR and small businesses

GDPR legislation affects every business in some way. You might think your business is too small and is therefore immune to the new law, but you may be surprised. If your organisation has a website – and let’s face it, most do – you have legal obligations! You must display the correct legal documentation on your site for visitors to access and understand. Failure to do this could result in your business breaking the law, and ultimately receiving a fine or other punishment. It is far better to be prepared and to limit your liability in the first place.

Speedy action by Chichester Police force has resulted in the arrest of those responsible. Our thoughts are with those affected by the recent break-in at Chichester Enterprise Centre. If we can be of assistance in any way, please contact Owen Costen, Head of Compliance Services.

Do we need a Data Protection Officer?

In 2018 we saw one of the biggest updates to data protection law in years, the General Data Protection Regulation (GDPR). With it came new obligations and duties which organisations of all sizes must follow.

One prominent update was the introduction of a duty to appoint a Data Protection Officer (DPO) if a company fulfils certain criteria.

Who is legally required to appoint a DPO?

Under new data protection law, a company or business must appoint a DPO if:

  1. They are a public authority/body as defined within Section 7 of the Data Protection Act 2018;
  2. Their primary activities (those being, the processing of personal data needed to achieve the key objectives of the company) require large scale, regular and systematic monitoring of individuals (such as online behaviour tracking); or
  3. Their primary activities require large scale processing of special categories of data, or data which relates to criminal offences and convictions.

What is ‘large scale’? Whilst the law doesn’t define exact figures, it states a business must, when determining whether the process is on a ‘large scale’, consider:

  • The number of data subjects concerned;
  • The volume of personal data which will be processed;
  • The geographical reach of the activity;
  • The duration of the activity; and
  • The range of different items of data being processed.

Even if a business does not fulfil these criteria and does not legally need to appoint a DPO, it must ensure it is sufficiently staffed and resourced, with the applicable knowledge on hand, to fulfil its obligations under GDPR and other relevant data protection law. Since a DPO can monitor a business’s compliance and provide advice and support in fulfilling compliance, it is best practice to appoint a DPO even if not legally required to.

If a business voluntarily decides to appoint a DPO, they must abide by the same standards as a business legally required to appoint a DPO. If a business decides not to appoint a DPO, this decision and the reasoning behind it should be documented to demonstrate compliance.

What is a DPO?

A DPO will assist the company to monitor internal compliance with data protection legislation and guidance, and most importantly to inform and advise on the company’s obligations. A DPO will also provide any data subjects (a person about whom the company holds personal information) with a point of contact for any requests or concerns.

Their role will include organising staff training, raising awareness within the company of data protection issues, conducting internal audits, reviewing data protection policies and cooperating with the supervisory bodies.

Who can be a DPO?

A business can appoint an existing employee to be their DPO, or they can appoint someone externally. They must, however, be completely independent, have sufficient expertise in data protection and be provided with adequate resources.

A DPO must be appointed based upon their professional qualities, particularly their experience and expertise in data protection law. Whilst the exact credentials expected of a DPO are not laid out by GDPR, a DPO is expected to have experience and expertise proportional to the level of protection the personal data will require. For example, if the personal data and the processing of it is particularly risky or complex, the DPO’s knowledge should be appropriately advanced.

A DPO can have other roles within a company or business too, but these must not create a conflict of interest with the DPO’s primary tasks and responsibilities. As DPO they must report to the highest management level at the company.

For small businesses or charities without the resources or knowledge in house to fulfil the requirements of a DPO, an external service is a useful solution to comply with GDPR. We provide an affordable service to supply all businesses and charities, small to large, with an expert and professional DPO. Read more here or get in touch for our packages and quotations.

Does a business have to follow the advice of their DPO?

A business does not always have to follow the advice of their DPO; however, the decision and the reasons for making it must be documented to demonstrate accountability and compliance.

The DPO is not personally liable for data protection compliance; the company, as the controller or processor, remains liable to comply with relevant law.

Do the DPO’s details need to be published?

Data protection law requires a business to publish the contact details of their DPO and to provide them to the ICO. Details can be registered here.

Need more guidance?

Get in touch with our experts by contacting us at info@cybercr1me.com or 0330 365 1060, and we will be happy to help.

What legal documents does a website need?

Every business with a website must ensure they have the correct legal documentation on their website for their visitors to access and understand. Without these documents, the business may break the law, face fines or other punishment, or fail to limit their liability.

In a world where online scams are on the increase, having these documents adds credibility to a website and a business. Customers can become informed about how the business will keep their data safe, and trust in its transparency and customer service. This trust can earn the loyalty of customers and keep businesses ahead of the competition.

1. Privacy Policy

All businesses, charities or sole traders processing, using, storing or sharing personal data must provide the individuals to which that personal data relates with information about how that data is used. This has been law under the Data Protection Act, and further requirements have now been layered on top by the new General Data Protection Regulation. These requirements can be sufficiently fulfilled by providing customers, clients, service users and other individuals with a Privacy Policy, also known as a Privacy Notice.

Providing privacy information not only fulfils a legal requirement, it is also a fantastic opportunity for a business to demonstrate high standards, trustworthiness, honesty, transparency and good customer service, and to build a strong relationship with individuals so that they will continue to use its services or purchase its products.

In order to achieve this, however, the Privacy Policy must be legally compliant, factually reliable, 100% bespoke to the business’s processes, in keeping with the style of the website and marketing tone of voice, written for its audience (especially if they are children, parents or elderly), clear, easy to understand and transparent.

2. Cookie Policy

The Privacy and Electronic Communications Regulation requires businesses to provide “clear and comprehensive” information about how particular cookies are used, whilst obtaining consent from the visitor to use them.

This information includes explaining the way the cookies are used and what they are used for in a way visitors can access easily and understand.

Whilst the law doesn’t specify exactly what information must be provided, many businesses and charities exhibiting best practice provide the name, category, purpose and lifetime of the cookie, so their customers can make informed decisions about whether to accept cookies when visiting their website.

3. Website terms of use

Also known as Terms and Conditions, these terms limit the business’s liability by setting out the legal rights and obligations of the business and the visitor. This document’s roles include explaining how visitors are expected to use the website, restricting the actions of visitors to protect the website and business, and limiting the liability of the business.

Get compliant

Here at Cybercrime Services we specialise in producing bespoke website legal documentation for businesses of all sizes. Just visit our legal services page for prices and further information.

10 Tips for Preventing a Cyber Attack on your business

1. Understand cyber criminals

Cyber criminals have a wealth of different ways they can access, steal or damage your assets. Knowing the different methods they use is key to understanding how to protect yourself. Examples of these methods include phishing emails loaded with malware, unauthorised access through devices and systems, and deceiving staff into handing over information.

2. Train your staff

You’ve heard the saying ‘a chain is only as strong as its weakest link’. 80% of cyber attacks on businesses were preventable, mostly caused by a lack of staff training. Make sure every member of your staff has been trained, for example, to use systems correctly, to update their devices when instructed and to recognise cyber crime attempts.

3. Preserve your data

Make regular back-ups of your important data and conduct checks to ensure the back-ups can be restored should you need to recover corrupted or stolen data. Keep the back-up separate from the original systems and consider storing a copy in a cloud-based location. Should a hacker hold your vital data to ransom and demand payment for its recovery, you can refuse knowing you have it stored safely elsewhere.

4. Be smart whilst working remotely

If your staff ever work remotely or may access company data, systems or accounts remotely, you should have a relevant policy in place. Key restrictions include never using public Wi-Fi networks, keeping portable devices updated, using complex passwords or fingerprint technology to access devices, and setting devices to be tracked if stolen or lost.

5. Prevent malware damage

Use antivirus software on all computers and laptops, as well as on portable devices where possible. Ensure you use only reputable and approved providers of this security. Updates are developed regularly for software and devices to continue to prevent new malware and viruses from breaching your firewalls. Apply those updates to all devices when prompted, and ensure your firewalls are switched on.

6. Restrict removable media devices

USB sticks, portable hard drives and SD cards can all carry dangerous viruses and software, which can quickly spread from one computer to all devices. Consider introducing a policy on the use of such removable media devices and restrict their use. Transfers of files can be safer through cloud platforms.

7. Don’t punish staff

A crucial step to protecting your assets in the event of a cyber attack is reporting it in time to act. Don’t punish staff if they are caught out by an attempt by a cyber criminal; doing so will discourage staff from reporting it in the future, which may lead to more damage than necessary. If you suspect a successful attack has occurred, immediately change all passwords and begin scanning for malware.

8. Avoid a phishing attack

Millions of phishing emails are sent every day and many can be very convincing. The obvious signs to look out for include poor grammar and spelling, poor quality graphics and logos, and unfamiliar sender email addresses. Even if you know the sender personally, check their email address is one you have safely communicated with them previously. If an email contains links, especially links to sign in to an account or provide personal information, avoid using them and go to the website independently. Never open an attachment if you are not sure the email is legitimate.

9. Protect your passwords

With the UK’s most common passwords including 123456, password and Qwerty, cyber criminals are quickly able to gain access to our accounts and devices with little effort. The recommended formula for a safe password is three random words, including numbers and symbols, for example L0ND0NAPPL@B3@CH. Do not enforce regular password changes; passwords only need to be updated in the event a successful attack is suspected.

10. Control access to data

It is unlikely that all staff need access to all drives and folders for all departments of your company. It is easier to keep data secure if staff only have access to the data they need, and if you have a record of who has permission to access which files. It is also vital that permissions are removed, accounts suspended and passwords changed once a staff member’s employment comes to an end.