Data Protection , Cyber Crime & Modern Business

by Richard Hall Senior Associate, Data Protection Strategy, Legal and Compliance Services, PwC United Kingdom

Email +44 (0)7483 407825

We are now almost 17 years on from the Council of Europe Convention on Cyber Crime in Budapest (ETS 185) which sought to create cross-border offences for certain cyber-behaviours that could cause damage or harm to individuals, organisations and states alike. The offences, which include illegal access, illegal interception, data interference, system interference, computer related forgery and computer-related fraud are now in force in 43 European Nations and 18 Non-EU nations.
The cross-border criminalisation of these activities was intended to deter individuals from participating in behaviour which may cause damage to others through cyber wrongdoing and to set cross-border definitions for what is considered criminal behaviour in the cyber-world. This, in theory, if adopted worldwide would allow law enforcement authorities of each participating nation to deal with those that seek to use modern technology for wrong-doing by punishing them for their actions.

The introduction of the cross-border definitions for what is considered to be wrongdoing and criminalising that behaviour was considered to be one of the first steps towards making the cyber-world a safer place for people and businesses alike. However, as time and practice has proven, simply criminalising behaviour does not immediately solve the problem. Stemming the flow of cyber-crime remains a very difficult task, even with the assistance of major advancements in technology and legislation designed to deal with cyber threats.

This may be, in part, due to the substantial increase in the number of devices owned and used by people around the globe and the increase in the use of digital technologies, making the ‘cyber-world’ accessible to more and more users. This increases the potential target pool and technology available to would-be hackers. We should not be surprised therefore that cyber-crime remains a constant threat for UK business, with 1.2 million computer misuse offences estimated to have been committed in 2018 in England and Wales alone.

However, there are reasons to be positive when looking to the future of tackling cyber-crime. We are yet to see the full effect of the advancement of new legislation and regulations such as GDPR and NIS, which are aimed at reducing cyber-crime, protecting individuals and improving data and system protections. These new regulations with time may well make a real difference by switching the focus towards preventing cyber-wrongdoing at source, creating increased accountability for organisations and giving the relevant Supervisory Authorities teeth in their battle to enforce positive change.

The changes in the penalty structures under legislation such as the GDPR have ultimately made it more cost efficient for businesses to invest in preventative measures rather than dealing with the consequences of a breach on a reactionary basis. This in turn has led to a drive in demand for technology solutions to better protect data and hamper would-be attackers. Without this change in approach to enforcement, with added accountability for organisations, it would have been impossible to create a real difference and enforce change in data and systems protection.

The requirements set out by new legislation like the GDPR and NIS have also led to demand for viable technology products to assist organisations in their data and system protection efforts, increase efficiency and reduce compliance costs; this will only have a positive impact in the long term with advancements in technological solutions, to assist in compliance efforts and to better protect us against the threats of cyber-crime. This does however require a continued investment from businesses moving forward to ensure we do not stand still and allow cyber threats to evolve past our current controls.

Although there are all sorts of challenges involved when attempting to meet security requirements that new legislation has introduced, it is important that businesses take time to look at the bigger picture. It isn’t just all about “doing enough to comply” and “ticking the boxes”, and it’s easy to lose focus when you look at data and systems protection simply from a compliance standpoint.

Businesses, now more than ever, have the chance to make genuine contributions to a safer cyber-space, for themselves and for their customers improving and building customer and market trust in their brand. With the market increasingly moving towards online shopping and payments for both services and products, along with improved awareness of cyber-threats and data protection from the general public, trust in a business’ data and systems protection is ever more important to end-users and customers.

How we can help

At PwC we adopt a multidisciplinary approach to helping clients tackle the challenges of regulatory compliance and data protection, helping with all aspects of preventative security, including threat vulnerability assessments, development of security strategies and design of key security functions and mechanisms. Importantly we can also help if things go wrong with our Personal Data Breach Management services. For further information please visit our website.

by Richard Hall Senior Associate, Data Protection Strategy, Legal and Compliance Services, PwC United Kingdom

Email +44 (0)7483 407825