Can Cyber Security Legislation Save the EU?

The fact is, the EU is not universally popular with the voters. Even the UK’s rising star and media-magnet politician, Boris Johnson, has said that the UK Should Not Fear EU Exit – and he’s always on the money when it comes to the voters. Ordinary people are sensing their new political power. The question is:

What can the EU do to increase its popularity and win the popular vote?

How could the EU’s own charm offensive improve their chances of holding onto the UK in a union that some say has not really worked?

What can EU legislators offer the sceptics convinced that Europe is great for global corporations but bad for workers and small businesses?

How about the EU’s 28 member states tackling the threat of cyber crime? More specifically, tackling the deluge of phishing fraudsters and data thieves who have taken over the Internet and are making Eurozone citizens miserable.

Their lives are under attack; their data is being traded by the criminals.

Misuse of personal data is on the minds of millions of EU citizens this year

At the start of this year, privacy awareness body Truste released its annual Consumer Confidence Index. The Index revealed that 60% of participants in the survey were more concerned about their online privacy than they were 12 months ago, with 89% actively avoiding companies they don’t believe protect their privacy adequately.

The survey was conducted by Ipsos Mori, questioning over 2,000 UK-based web users. It queried their online privacy concerns following revelations about the extent of online surveillance from national security forces (and the complicity of companies such as Facebook and Google).

The survey was just as interesting from another, related perspective concerning data protection. The findings showed that there is widespread unease about how the private sector handles personal data. Three times as many survey participants were concerned about companies sharing their personal information with other companies (60%), compared to governments monitoring activity (20%). It would seem that data protection is a big issue for consumers (read: voters) within EU countries.

Existing EU data protection laws are out of date and wholly-inadequate

The UK Information Commissioners Office has to meet a tough legal threshold before they can issue a fine. Under the Privacy and Electronic Communication Regulations, the ICO must show that the contravention has or is likely to cause “substantial damage or substantial distress”.

The ICO’s blog in June 2014 illustrates the sheer scale of the problem of data abuse in the UK market – and the failure of the law to address this:

“The statistics are staggering: in the last year we received 120,000 concerns regarding unsolicited calls and 30,000 concerns regarding texts. And these, of course, are just a small slice of a much larger issue. Across newspapers, social media and radio the message from the public is loud and clear – please put a stop to the spammers.”

What can the fraudsters do with personal data that results from a breach?

It is worth realising that much of the data that spammers use has been stolen from legitimate companies and then sold to the spammers and identity fraudsters. The case of the 2014 eBay hack is one example that highlights what the internet fraudsters can do with your personal data. If a hacker has your name, address, date of birth and/or National Insurance number, they can commit identity fraud and get money from you in many other ways. They could apply for a credit card in your name, or apply for a loan, a mortgage, a phone contract – anything that requires ID verification.

Protecting personal data is of vital importance, not just to individuals, but to the trustworthiness of business and the wellbeing of our whole society. Private companies should therefore be held to account when data is stolen. Could they have done more to secure information assets from the thieves?

Read more:

The global reach and individual tragedy of fraud and abuse on the Internet

Cyber crime has become a business that exceeds a trillion dollars a year in online fraud, identity theft, and lost intellectual property. It affects millions of people around the world, as well as countless businesses and the governments of every nation. But don’t take my word for the numbers – the United Nations said this in 2011. Word for word. (Cybersecurity: A global issue demanding a global approach. December 11, 2011. New York).

Could the EU introduce genuinely effective new legislation to address this?

The moral imperative of societal protection must translate into cyber law

Legal measures to contain and reduce identity theft, fraud and exploitation of children and vulnerable people could be made more effective. Moves should be made to compel stricter adherence to information security best practice and the control of private interests that are profiting through negligence.

For a start, EU legislators could force big business to do more to secure their data, rather than seeing it siphoned off by criminals without a single ‘legal person’ facing charges for the resulting liabilities and social cost. The corporate governance of large organisations that take no heed of the warnings is culpable: why should their wilful negligence go unpunished?

Governance is responsible for decisions that affect every legal person

The C-suite should take pride in the steps that their organisation is taking to put EU consumer interests first by ensuring that our data is kept safe. What the ongoing parade of cyber breaches demonstrates is that organisations are still not taking the problem seriously enough in relation to other business concerns. That organised crime is regularly able to punch security holes in corporate defences while board members receive ever larger cash bonuses each year tells EU voters that spending priorities are wrong.

Cyber crime is a visible symptom of the failure of corporate governance

In order to fight cyber crime effectively, it is necessary to increase the resilience of information systems by taking appropriate measures to protect them more effectively against cyber attacks. Ensuring an adequate level of protection and security of information systems by legal persons should form an essential part of a comprehensive approach to effectively counteracting cyber crime. Europe needs to show a strong lead in this process by standing up for the victims of crime and not running scared.

This would be very reassuring for voters. They would know that their data is regarded as something valuable that the EU is acting to protect. Instead of simply allowing the fat-cats of business to do what they like with information, and in ways that put our individual and collective futures at risk, we could all feel reassured that they were putting a stop to bad practices.

EU legal penalties for non-compliance with cyber security regulations

Appropriate levels of protection could be provided against reasonably identifiable threats and vulnerabilities, and in accordance with the latest solutions available for specific sectors and the specific data processing situations. The cost and burden of such protection could be made proportionate to the likely damage a cyber attack would cause to those affected. Member states should, of course, be encouraged to provide penalties within the context of their national law in cases where a legal person has clearly not provided an appropriate level of protection against cyber attacks – in short, where organisations have chosen to ignore our interests in the hope of saving a few euros by not managing their cyber security.

Particular attention should be paid to raising the awareness of innovative small- and medium-sized enterprises to threats relating to such attacks. These organisations are vulnerable to such attacks due to their increased dependence on the proper functioning and availability of information systems often combined with limited resources for information security.

Cooperation is an essential next step to combating rising cyber crime

Improved cooperation between the competent law enforcement bodies and judicial authorities across the Union is essential in an effective fight against cyber crime. In this context, stepping up efforts to provide adequate training to the relevant authorities to improve understanding of cyber crime and its impact, and to foster cooperation and the exchange of best practices should be encouraged – for example, via the competent specialised Union agencies and bodies. Such training should, among other ideals, aim at raising awareness about the different national legal systems, the possible legal and technical challenges of criminal investigations, and the distribution of competences between the relevant national authorities.

And what about private sector organisations working more closely together to identify Internet-based threat actors and behave in a less selfish, more constructive mode by sharing intelligence and cooperating to stop the abuse? Let’s put it another way: do you have an ethical obligation to report a cyber attack – especially if the threat actor is from another country?  Ask most EU citizens in the cafes of European cities and I suggest that the consensus view would be: “Yes! We all need to protect each other’s interests.” But how many global enterprises in the EU would agree?

Personal data must be protected through a standards-based approach

The protection of personal data is a fundamental right in accordance with Article 16(1) TFEU and Article 8 of the Charter on Fundamental Rights of the European Union. In the UK, government analysis of continuing attacks and feedback from industry vulnerability testers has identified that a number of security controls are still not being applied, leaving organisations vulnerable to threat actors with low levels of technical capability. This has led to the introduction of the Cyber Essentials scheme – although many argue that this is not sufficient to win the fight.

I would argue that the UK should mandate the global standard that has consistently led the field for a decade: ISO27001, which describes a standard for information security management systems. Organisations that claim ISO27001 requirements are too complex for their needs are failing to appreciate the nature of the problem affecting them.  This situation should not be tolerated by a legislature that puts the interests of its citizens first. Ignorance cannot be regarded as a defence, especially in the face of the enormous public concern about insecure EU data systems.

The board is responsible for the defence of data, although it is worrying to find out how little the C-suite really understands about this huge problem.

Will your serious data security breach be discovered by a third party?

The Verizon Data Breach Investigations Report (VDB) found,

and the Index of Cyber Security (ICS) confirmed, that 70-80% of data breaches are discovered by unrelated third parties, not by the victim. This means that the victim might never know about the breach if those who do the discovering were to keep quiet. If you discover a cyber attack, do you have an ethical obligation to report it?  Should the law mandate that you fulfil such an obligation? This author believes that it should, and that the EU should lead.

#   #   #

If you doubt that a more effective approach to information security across the EU is necessary (and overdue?), read our List of Data Breaches and Cyber Attacks in July. EU Companies that hold your confidential data are losing it to criminals!

How can we help you to implement effective cyber security procedures and controls based on ISO27001? Spend a minute on our ISO27001 solutions page!


Whether or not you are convinced that you need to put effective cyber security controls in place, join us at our next event – either in person or online. The date: Tuesday 21 October  2014. The setting: City of London.

Put your detailed questions to our speakers and learn from the experts.

*  *  *  *

If you would like to find out more about ISO27001:2013 and how to set up and run an information security management system (ISMS) to help you comply with PCI DSS V3.0 and Cyber Essentials, talk to our consultants: 0845 070 1750.