1. GDPR Implementation & Fines
In 2018, the first GDPR fines were issued across Austria, Germany and Portugal. Austria was the first to issue a fine under GDPR against an organisation that had installed a CCTV camera in front of their establishment. The camera also recorded images from a large part of the public pavement. Large-scale monitoring of public spaces is not permitted under GDPR and they were fined a moderate amount of €4800.
An increase in the number of fines is expected in 2019, as we have already seen with Google’s fine of €50 million from the French Privacy Regulator, CNIL.
The next step by Google will be watched closely to see if they accept the fine or move to appeal. As more fines are issued across 2019, the appeals process will be the next step in the GDPR journey.
The outcomes of these appeals will provide additional guidance from Data Protection Regulators that will continue to set the tone for the treatment of data across Europe.
2. CCPA - California Consumer Privacy Act
2018 was the year for GDPR - 2019 is the year to prepare for CCPA - the California Consumer Privacy Act, which comes into effect on 1st January 2020.
The CCPA has similarities to GDPR but is not a carbon copy.
Both regulations give individuals certain rights to understand how their personal information is collected and used.
CCPA is not limited to the State of California. It is relevant across the US, and it has extraterritorial impact for organizations that are in scope.
If you are subject to both GDPR and CCPA, you can kill two birds with one stone by creating an all-encompassing programme.
As we have learnt from GDPR, it is important to start preparing early to avoid any future issues or surprises.
3. Brexit & Data Protection - Sharing Data with UK Organisations
The impact of Brexit uncertainty continues as we don’t know when and how the UK will leave the EU.
A new Data Protection Act was implemented in the UK in 2018 to align with GDPR and may become the default once the UK leaves the EU.
Businesses will have to consider the cost of doing business in the UK post-Brexit. The UK will become a third party for the purpose of transfer of data. This means there will be an added burden of due diligence that will make business more cumbersome and costly. In addition, businesses will need to consider the additional security that will be required to be compliant in a post-Brexit UK.
Ransomware will remain a major issue in 2019. Global damage costs in connection with ransomware attacks are predicted to reach $11.5 billion annually by 2019.
One of the most common questions we receive about ransomware is “Should we pay the ransom?” VigiTrust recommends that you do not pay the ransom; payment does not guarantee the return of access to your data. By paying the ransom, you also have a higher chance of becoming a repeat target for the ransomware attackers.
Hackers know that people are the softest target in an organisation which is why phishing emails will continue to be a regular access point for attacks.
Phishing will continue to become more sophisticated in 2019 as attackers become more strategic and personalised in their attacks.
The best way to manage your ransomware risk in 2019 is to implement employee security awareness training.
5. IoT & AI Security
The growth of connected devices in both the home and workplace will continue rapidly in 2019. An ever-increasing number of vendors are making their devices connectable, which means the attack surface and the overall security issue are growing.
A lot of connected products are low-cost items which means they have low security and are vulnerable to attack. A simple recommendation would be to restrict connected devices in your organisation to known brands with a higher level of security.
As an organisation, you will need to have a strategy and company policy developed to manage all connected devices, both personal and business.
AI Security is top of the agenda within the cybersecurity industry and wider business world in 2019.
AI is becoming more integral to business operations and more intertwined in people’s lives. This makes it a growing area of interest for cyber attacks.
The lack of regulation in the area of AI is a concern and one that is shared by Elon Musk: “AI is a rare case where I think we need to be proactive in regulation than be reactive.”
The first research reports are beginning to be published on the security risks of Artificial Intelligence which will help in building your AI Security Strategy in the year ahead.