Companies face being fined 5% of turnover if they suffer Sony-style hack in future
19 December 2014
Companies face being fined 5 per cent of their global turnover if they suffer a Sony-style security breach in future.
Sony is already being sued by two employees who argue that the Hollywood studio did not protect their personal data.
Lawyers are expected to argue that Sony had suffered two security breaches in 2011, and that it did not do enough to shore up cyber security after that.
The EU’s General Data Protection Regulation will fine companies up to €100 million or 5 per cent of turnover – whichever is higher – if investigators prove a company was negligent in protecting the personal data it holds.
The legislation is expected to pass within the first six months of 2015 and come into effect in 2017.
“What’s new under the regulation is the obligation to report security breaches and the size of the penalty,” said Ruth Boardman, partner at Bird & Bird.
At present, the UK Information Commissioner’s Office (ICO) has the power to fine companies up to £500,000 (€637,000) for negligent data theft.
Boardman said: “The new regulation will have a massive impact on everybody because every business is becoming a digital business.”
The size of fines will however be measured against what steps companies took to minimise security risk.
Gray Powell, a cyber security analyst at Wells Fargo, told the Financial Times that Sony was probably spending about $20 million (£13 million) a year on security.
Companies typically spend about 5 per cent of their budget on IT, and cyber security accounts for 5 per cent of that.
“If data is the new oil, then expect somebody to try and steal your supply,” said Robert Bond, a partner at Charles Russell Speechlys. “Companies need to accept that it’s if-not-when you’re going to be the subject of an incident.
“My experience is that the average business does not place data protection at the top of its to-do list since nobody’s been really crucified yet – and compliance doesn’t add anything to the bottom line.”
Bond says that breaches on the scale of those seen at Sony and, before that, Target would be treated as major breaches by information commissioners.
The reach and effect of the Sony hack – which has been linked to North Korea – is unprecedented.
Sony Pictures has cancelled any release of The Interview, the comedy about the assassination of North Korean leader Kim Jong-Un, to a chorus of disapproval. The studio has been accused of giving in to terrorism.
American politician Newt Gingrich said that Sony’s move had lost America its first cyberwar.
George Clooney, who has himself been embarrassed by emails leaked by the Sony hackers, says the implications involve “every studio, every network, every business and every individual in this country”.
Clooney tried to organise a petition of support for Sony co-chairman Amy Pascal, asking other studio heads to sign. Not a single colleague signed.
Meanwhile Sony Pictures’ public relations disaster took another corkscrew turn downwards after a leaked email revealed that Pascal would be “happy to lie” to the media after the press reported that the studio toned down scenes in The Interview after threats from Pyongyang.