Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Ransomware recovery costs make a bitter pill for HSE
We try to keep security and data protection disciplines separate in our practice, but sometimes they unavoidably overlap. The Conti ransomware that infected the Health Service Executive in May 2021 falls into both camps. Technically speaking, it’s a cybersecurity incident. And, because the data involved was patients’ personal information, it also counts as a data breach. News emerged that people whose patient records were stolen in the attack could receive compensation of €3,000 or more.
The Sunday Times reported that the Government fears “a flood of compensation claims” from almost 100,000 people. The story quoted legal experts who believe payouts could reach €150 million depending on the nature of the data stolen. It shows that any payment to extortionists (which, to its credit, the HSE never made) is only part of the cost. It’s often dwarfed by other factors, from legal compensation to recovery costs. The ransom gang originally demanded €20 million. In September, the Irish Independent reported the cost of the attack at €101 million. Investment in the HSE’s IT systems to safeguard against repeat attacks will cost a further €657 million.
Plenty of activity to report in this sphere as the year winds down. The EU Digital Services Act (DSA) has been approved, and it could place restrictions on unwanted targeted advertising. Together with the Digital Markets Act, it forms an EU initiative that will upgrade the rules governing digital services. Across the EU, the Acts are intended to “create a safer and more open digital space”. BH Consulting’s data protection analyst Cliona Perrick has written a more detailed breakdown of what the Acts will entail.
Ireland’s Data Protection Commission has fined Facebook parent Meta €265 million for a breach that exposed millions of email addresses. The scale of the fine was agreed among EU data protection regulators. As the Irish Independent reports, it brings the total fines imposed on Meta to €912 million in the past year. The decision even won praise from privacy campaigner Max Schrems.
Meanwhile, public consultation is now open on the European Data Protection Board’s recommendations on elements and principles in controller binding corporate rules. The recommendations are open until 10 January 2023. Also, watch for developments in the case of Albanian IT staff charged with negligence over a cyber attack. Regulations like GDPR require organisations to have “adequate security” measures in place.
Raising awareness about security awareness
Irish NCSC launches security health check tool for public agencies
The National Cyber Security Centre has released a self-assessment tool for baseline standards for the public sector. It aims to help agencies evaluate their current security posture and plan improvements. It’s an Excel worksheet you can download from its guidance page.
The tool is divided into five sections: identify, protect, detect, respond, and recover. Through a series of questions, it helps organisations to gauge what controls they have in place, how they operate, who’s in charge of them, and whether they’re reviewed regularly. The tool also has a corrective action plan together with a green/amber/red scoring system for assessing whether the organisation has achieved its aims.
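As an added illustration (not the NCSC worksheet or any code of its own), here is a minimal Python model of the assessment structure described above: five sections, four questions per control, a red/amber/green rating per section, and a corrective action for every gap. The one-point-per-“yes” scoring rule, the colour thresholds and the sample controls are assumptions made for this example.

```python
from dataclasses import dataclass
# The five sections the NCSC tool is described as being divided into.
FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")
# The four things each control is questioned on; one point per "yes" is an assumed scoring rule.
ASPECTS = ("in_place", "operating", "has_owner", "reviewed_regularly")

@dataclass
class Control:
    function: str   # which of the five sections the control belongs to
    name: str
    answers: dict   # aspect -> True/False; a missing aspect counts as "no"

def score_control(control):
    """Fraction of the four aspects answered 'yes' (0.0 to 1.0)."""
    return sum(bool(control.answers.get(a)) for a in ASPECTS) / len(ASPECTS)

def rag(score):
    """Traffic-light rating for a 0-1 score; the thresholds are assumed."""
    if score >= 0.75:
        return "green"
    return "amber" if score >= 0.5 else "red"

def assess(controls):
    """Per-section score, RAG colour and one corrective action per control with gaps."""
    report = {}
    for function in FUNCTIONS:
        section = [c for c in controls if c.function == function]
        if not section:  # nothing recorded for a section is treated as the worst case
            report[function] = {"score": 0.0, "rag": "red",
                                "actions": [f"no controls recorded for '{function}'"]}
            continue
        score = sum(score_control(c) for c in section) / len(section)
        actions = [f"{c.name}: address {', '.join(a for a in ASPECTS if not c.answers.get(a))}"
                   for c in section if score_control(c) < 1.0]
        report[function] = {"score": round(score, 2), "rag": rag(score), "actions": actions}
    return report

def overall_rag(report):
    """The organisation is rated only as well as its weakest section."""
    order = ("red", "amber", "green")
    return min((s["rag"] for s in report.values()), key=order.index)

# Constructed sample answers for illustration, not real assessment data.
SAMPLE_CONTROLS = [
    Control("identify", "asset inventory", dict.fromkeys(ASPECTS[:3], True)),
    Control("protect", "MFA for remote access", dict.fromkeys(ASPECTS, True)),
    Control("protect", "offline backups", {"in_place": True}),
    Control("detect", "centralised log monitoring", {}),
    Control("respond", "incident response plan", {"in_place": True, "operating": True}),
]
```

Running `assess(SAMPLE_CONTROLS)` rates identify green, protect and respond amber, detect and recover red, so `overall_rag` reports red with the backup and logging gaps listed as corrective actions.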