COVID-19: Cybercrime and the implications for business
With a huge upsurge in the number of people working remotely during the COVID-19 pandemic, businesses are facing increasingly sophisticated cyberattacks which prey on fear and anxiety. We look at how businesses can protect their interests during the current crisis, and the steps that they may need to take if they fall victim to a cyberattack.
Current environment and COVID-19 themed cyber attacks
The speed at which COVID-19 gripped the globe meant organisations had to quickly come up with solutions to keep critical parts of their business up and running. In many cases, this resulted in the rapid implementation and roll-out of business continuity plans and remote working set-ups for employees who have never worked from home before. For most businesses, this means they have more employees than ever working from home without the benefit of on-site IT security and monitoring. In the rush to set employees up to work from home, IT security might come second place to remote working plans.
Warning from An Garda Síochána (Irish Police Service)
An Garda Síochána (Gardaí) have warned that sophisticated hackers are using COVID-19 as their modus operandi and we have already seen examples of cyber criminals using COVID-19 themed phishing scams and emails in an attempt to exploit vulnerabilities and fear. Just last week, the Head of the Garda National Economic Crime Bureau, Pat Lordan, warned people about unsolicited emails and said Ireland was likely to see an increase in these over the coming weeks.1
Many of these scams are targeted at employees and present as links to the World Health Organisation website or COVID-19 testing kits or the sale of fake protection masks and hand sanitiser. Phishing emails, malware links and scams, coupled with an increase in traffic on various platforms used for communication and the blurring of the lines between work and home, expose organisations to attacks from enterprising hackers.
Personal devices
The current situation is not helped by an increasing number of employees using their personal devices for work purposes, dubbed 'bring your own device' (BYOD). Personal devices can lack sufficient software to protect against viruses and successful phishing emails.
Whilst organisations have scrambled to keep their business service continuing without any gaps, they need to be mindful of the growing threat these COVID-19 themed cyberattacks present. There are steps organisations can take to protect their businesses, and their employees, through this challenging period.
How to protect your organisation
Cybercrime attacks are avoidable by businesses taking practical steps to ensure that they are protected. The National Cyber Security Centre, the Data Protection Commission and the Central Bank of Ireland have all issued guidance on how businesses can strengthen their cyber security systems and defences.
These steps include:
- a strong cyber security policy and response plan that all employees are made aware of. Response plans are particularly important when employees are working from home as they need to know who to contact in an emergency if their device has been compromised. Remember, an attack could shut-down an employees' entire system leaving them with no method of contact other than a phone call
- remote worker training - train employees on remote working best practice, how to identify phishing emails, refrain from downloading suspicious software and how/who to contact if an employee believes any of their devices have been compromised
- issue refreshed guidance for employees on cyber security in the current climate
- use two factor authentication passwords
- ensure employees are updating anti-virus and anti-malware software on their devices, whether it be a company device or an employee's own personal device they are using for work purposes.
- businesses should continue to stress test their business continuity plans to identify any weaknesses or gaps in these. Cyber security risk assessments should already be performed on a regular basis, but these are needed now more than ever in the current crisis when a significant majority of people are working from home and hackers are preying on heightened anxiety and uncertainty
Steps to take if your business falls victim to a cyberattack
If an organisation does find itself the victim of a cyberattack during this pandemic, it will need to get an immediate handle on the scale of the problem, and identify any data that has been compromised. You may need to seek urgent injunctive relief from the courts.
Depending on the nature of your business and the extent of the attack, there are a number of authorities that you may need to contact, including:
- the Gardaí
- the Data Protection Commission
- the Central Bank of Ireland (if you are a regulated entity)
- customers whose data may have been compromised
- your insurer
Section 19 report to the Gardaí
If your business has suffered a cyberattack, you may need to consider whether you need to make a mandatory report to the Gardaí pursuant to Section 19 of the Criminal Justice Act 2011.
Section 19 requires companies and individuals to make reports to the authorities if they have certain information in respect of certain 'white collar crimes' and cybercrimes which may have been committed by other parties. A failure to make such a report, without reasonable excuse, is an offence.
A Section 19 report can be made to the Garda National Economic Crime Bureau and the Gardaí may decide to investigate the cyberattack. The form and content of a Section 19 report is not prescribed by statute and the obligation under Section 19 is normally satisfied by making a verbal or written report to the Gardaí.
Personal data breach notification to the DPC
The General Data Protection Regulation (2016/679) (GDPR) introduced a new mandatory obligation requiring businesses/organisations, who are data controllers, to report personal data breaches (e.g. unauthorised access to personal data by a third party) to their relevant supervisory authority. Notification must be made without undue delay and where feasible within 72 hours of the business/organisation becoming aware of a notifiable breach. In Ireland, businesses/organisations will be required to complete this online form in order to notify the Data Protection Commission (DPC) of a national and/or cross border breach.
All personal data breaches must be reported unless the breach is unlikely to result in a risk to the rights of the individuals affected. Where the breach is likely to result in a high risk to the affected individuals, businesses/organisations are required to notify affected individuals so that they can take steps to mitigate any risk. In considering the risk, businesses/organisations must consider the specific circumstances of the personal data breach, including the severity of the potential impact and the likelihood of it occurring.
It is vital for businesses/organisations to review and revise their data breach response plan to ensure they can manage, contain and respond to breaches quickly, and notify the relevant supervisory authority within 72 hours. Businesses/organisations are also required to keep an internal record of all data breaches, including its effects and the remedial action taken.
Failure to report any notifiable breach to the relevant supervisory authority in accordance with the GDPR's requirements may result in a business/organisation being subject to administrative fines of up to €10m or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is the higher. The Irish DPC has not yet imposed an administrative fine under the GDPR. There is, therefore, currently no Irish benchmark for the level at which the DPC would set a fine for a failure to report a personal data breach. Affected individuals are also open to take private civil actions against businesses/organisations where their rights have been infringed.
In the unfortunate event of a personal data breach, it is critically important that businesses/organisations are able to establish the extent of the breach and determine whether notifications need to be made to the relevant supervisory authority and/or affected individuals within a timely manner. Our Commercial & Technology Team has extensive experience in advising clients on data privacy issues including data breaches and cybersecurity incidents. Our Data Projects Group can provide expert assistance in identifying data potentially impacted by cyberattacks, and in conducting data reviews.
Conclusion
While many organisations have strong IT systems, the pandemic exposes all businesses to an increased risk of cyberattacks. Businesses should consider taking practical steps now to protect against this threat.
Our White Collar Team, Commercial & Technology Team and specialised Data Projects Group have advised a number of clients who have been subject to cyberattacks. For any assistance or for further information please contact Ciarán Ó Conluain, partner, Joe Kelly, partner, Eoghan Kenny, Senior Manager Data Projects, Jennifer O'Brien, solicitor, or any member of the A&L Goodbody Litigation & Dispute Resolution team or the Commercial & Technology team.
Date published: 7 April 2020
1https://www.rte.ie/news/coronavirus/2020/0327/1126789-crime-never-sleeps-even-during-a-pandemic/
https://www.thejournal.ie/gardai-warn-of-coronavirus-scammers-5042657-Mar2020/
https://www.garda.com/blog/covid-19-cyber-attacks-3-types-of-scams-to-look-out-for
https://www.irishtimes.com/news/crime-and-law/coronavirus-fraud-warnings-as-scammers-target-newly-unemployed-1.4207242