Hacking is the news story which keeps on giving. Gone are the images of the ostentatious cyberpunk seeking to bring down the Man; in their place is a class of savvy, slick criminals, taking advantage of the negligence of corporations with access to massive amounts of our data. Whether through the installation of ransomware, spear-phishing, or Trojan horses, the insurers Hiscox estimated cybercrime cost businesses $450 billion this year.
And it’s not simply that more businesses have been hit, but that the size of hacks has kept on growing. Indeed, the biggest targets have often been felled by the softest strokes: the massive WannaCry ransomware attack which brought down NHS Trusts was so successful because it used an exploit for a vulnerability which had been patched two months earlier, coupled with the NHS’s partial use of an unsupported version of Windows XP.
The political line between private and public enterprises has also become increasingly blurred: when Petya succeeded in bringing down major Western companies, the original assumption was that it was ransomware like WannaCry. Investigations quickly suggested this was not the case – the data ‘encrypted’ was essentially destroyed, it used a very poor method for payouts (particularly for such a big attack), it hit a lot of critical infrastructure in Ukraine, and its only major Russian hit (oil giant Rosneft) was miraculously able to fight off the virus in record time. Businesses can expect this sort of financial proxy war to only intensify in the future.
The latest big fish to fall prey to hacking was Equifax, the US credit reporting agency. In an almost perfect example of big business playing fast and loose, Equifax discovered it had been compromised all the way back in July, but neglected to mention this to consumers until the start of September. Bad data management practices mean that while UK servers weren’t hit, perhaps 400,000 Britons have had their personal data exposed – whether that means being sold professionally or dumped on some PasteBin.
Equifax’s fate, in the court of public opinion, probably doesn’t vary too much on either side of the Pond (i.e. everyone agrees that they were not only exceedingly lax in the way they secured their data, but also exceedingly unprofessional in trying to fudge over that fact). In the court of law, however, who gets hurt by these big leaks is going to become increasingly important for companies hoping to avoid hefty fines. That’s because of the General Data Protection Regulation (GDPR), the mammoth piece of European legislation which even Brexit won’t stop.
The GDPR covers a series of topics related to personal data usage, and runs on the premise that the more power the consumer has, the less likely they are to get fobbed off. Amongst the regulation’s promises are the right to be forgotten, the right of access to data (in an accessible format) – and breach notification, within 72 hours of knowledge of a breach. Any European company which tries to pull an Equifax this time next year could be fined up to 4% of its annual income or €20 million (whichever is higher).
The European Union has been showing an increasing tendency to clamp down on the bad boys of the internet. In perhaps the most obvious case, there was the €2.42 billion fine that Google got slapped with for spinning its own search results in its favour. Even today, if Equifax had been based in Austria rather than Atlanta, it would likely have seen at least £500,000 in fines. To its great fortune, however, the American approach to internet policing is very laissez-faire – perhaps in part because of the US government’s lack of conviction that anyone’s data should be off limits to them.
This culture clash is only becoming more and more obvious as Europe pursues a draconian interpretation of data protection in the face of an American happy-go-lucky passivity masking advanced surveillance mechanisms. The EU-US Privacy Shield (designed to allow for easy movement of data across the Atlantic) came up for review on Monday – the lack of an American ombudsman seems indicative of a very different value system when it comes to privacy.
That’s not to say that the GDPR is perfect. Whilst major players like Equifax, Google, or Facebook might be the companies most visibly hurt by the need to both protect people’s data from hackers and avoid using it for unethical financial gain, the regulation is an ungainly beast. For smaller businesses, there’s considerably less capital to withstand the hefty fine for a mistake in data storage practices. Its limited publicity (with just under 250 days to go) makes that all the more alarming.
The GDPR is, at least for now, a ‘living document’, and it might be safe to assume that it won’t be the last piece of data regulation enacted in Europe. For American companies, the restrictions will rankle; for European businesses, who have to live through them more directly, there will be frustration and pain. And yet, the US alternative is to sit and wait for the next hack to happen, in the name of ease of access. Neither extreme is fundamentally stable in the long run; unfortunately, picking the middle ground doesn’t seem entirely popular these days.