How to guard against cyber security fraud

The events of the last month, in which the Information Commissioner's Office (ICO) announced its intention to fine British Airways and Marriott International a combined total of around £280m for breaches of customer data, have inevitably brought GDPR compliance into sharper focus for large corporates.

The GDPR, which came into force in May 2018, opened a new chapter in the personal data debate. Many companies duly overhauled their customer data policies to meet its requirements, much of which concern how data is stored, managed, processed and deleted. The data problem is further complicated, however, by a considerable recent rise in cyber crime, with law firms in particular a key target.

Cyber crime: on the rise

According to the Annual Law Firms' Survey 2018 by PwC UK, cyber security is a key concern for 82% of the top 100 firms, and 60% of those firms reported suffering a security incident in 2018.

In banking, new figures released by the trade body UK Finance show that online payment scams reached nearly 85,000 cases in 2018, with total losses of £354.3m. Losses to bank transfer fraud rose from £145m in the first half of the year to £209m in the second half. Attackers use stolen personal and financial data to defraud customers and to reroute payments, convincingly posing as government agencies such as HMRC or the DVLA, or impersonating a bank's own website; the personal data they already hold lends their approach credibility.

The volume of sensitive data handled by law firms makes them a prime target for cyber attack. Poor data management leaves firms exposed to threats such as bank transfer fraud, phishing, ransomware and data breaches, each of which also carries compliance risk. Furthermore, data obtained by fraud can be used many years after the original event to mount deception scams against companies and consumers, and the stolen detail makes those scams highly convincing and far harder to guard against.

As digital transformation continues to spread, law firms would be wise to look to the industry's key technology providers to help them navigate this potentially challenging new territory.

The risk to corporate companies

The British Airways fine completely eclipses the €50m (£45m) fine imposed on Google by the French data protection authority (CNIL) in January this year, and it is also the largest fine yet issued relative to the maximum penalty permitted under the GDPR. The attack affected around 500,000 customers: user traffic to the BA website was redirected to a fraudulent site, through which criminals were able to harvest personal details, log-in credentials and payment card information.

Our commercial climate is becoming increasingly data-driven. More and more companies offer access to data and services online, and the number of mobile users is forecast to reach 5.9 billion by 2025, equivalent to 71% of the world's population[1]. The more corporates are expected to deliver their services digitally and to handle sensitive data frequently and in large volumes, the greater their exposure to serious data breaches, and to the considerable fines that follow:

[Chart] Fines applied to Knuddels, Google, Taxa 4x35 and Bisnode, plus the proposed penalties for British Airways and Marriott International, for GDPR violations. Revenue figures calculated using publicly available investor reports and estimates from Owler.com. Maximum possible fine is defined as €20m (£17.6m) or 4% of annual worldwide turnover, whichever is greater, as stipulated in the GDPR.

Source: ExchangeWire

Product deep-dive: How we can help

Cyber security and data protection will remain major topics of focus for law firms in 2019, with heavy emphasis on the protection of personal data, GDPR compliance and the avoidance of high-risk data breaches.

LexisNexis Cordery Breach Navigator is a sophisticated tool that helps companies reduce the risk of a breach. It is designed specifically for internal use within the law firm, where the Data Protection Officer (DPO) can track and plan the response to risks to GDPR compliance in the company's data management strategy.

The tool helps our clients avoid the considerable reputational and financial consequences of highly publicised data breaches. DPOs can use the software to establish key processes for responding to risks, to assess each incident individually and to report in full compliance with the law, instilling confidence in key stakeholders and senior management.

[1] GSMA Intelligence 2019
