The recent data breach at Yahoo, the largest in history, acts as a warning to businesses.
This is the view of Susan Hall, who is a lawyer at Clarke Willmott.
She says that businesses need to reassess their data security policies following the breach at Yahoo.
Susan says this is especially important with the new General Data Protection Regulation (GDPR) due to come into force early in 2018.
Yahoo users – who were probably already feeling uneasy after September’s reports of a data hack dating back to 2014 affecting 500 million accounts – are likely to be even more unhappy in the light of this week’s revelations about another, earlier, hack dating back to 2013 and affecting an estimated one billion accounts.
Although Yahoo claims this data does not include payment details, the suggestion that sensitive data belonging to one of the world’s largest technology companies has been compromised on such an enormous scale will have put many businesses on edge.
Susan Hall, who is an Information Technology lawyer at Clarke Willmott LLP, comments: “However embarrassing the breach is for Yahoo, they can be glad this has happened now and not in 15 months’ time, as new, more stringent regulations are due to come into force in May 2018.
“Given that last year’s Talk Talk data breach resulted in a £400,000 fine, if Yahoo should be found to have been negligent or reckless in their approach to data security they would currently be in line for a fine of up to £500,000.
“But under the new GDPR fine structure, with a maximum fine of 4% of global turnover, they could have been in line for a fine of hundreds of millions as opposed to hundreds of thousands.
“In addition, the new rules will mean that companies won’t be able to delay reporting data breaches, being obliged to report hacks within 72 hours. Even under the current rules, eyebrows are likely to be raised about the 18 months Yahoo appears to have taken to investigate and then announce the breach.
Susan continues: “Another change the GDPR will bring in is liability for companies based outside the EEA in respect of loss or damage to the data of data subjects located in the EU.”
The new GDPR rules will not only affect large companies such as Yahoo and Talk Talk, but will also pose a challenge to smaller businesses.