As cyber-crime continues to grow as a threat to organisations of all sizes, it has been announced that London will host a specialised, flagship cyber-crime court. The building which will be located on the site of Fleetbank House near Blackfriars will hold 18 court-rooms and will be ready by 2025. While this is someway off it comes off the back of a major programme by the Ministry of Justice to modernise the British courts system at the cost of £1 billion. This takes into account that the legal industry brings revenues of more than £30 billion to the UK economy each year.
“The flag of English law is flown in countries across the globe, and London already leads the way as the best place to do business and resolve disputes. This state-of-the-art court is a further message to the world that Britain both prizes business and stands ready to deal with the changing nature of 21st century crime”
Stated Lord Chancellor David Gauke on the subject.
With growing numbers of cyber-crime’s being committed and data protection laws around the globe being updated, it is unsurprising that cyber-crime is being brought into focus by law makers.
Cyber-crime’s not being reported
Despite growing numbers of cyber-crimes and a raft of threats including ransomware, other malware and major hacks, it has been found that cyber-crimes are often not being reported. Reasons for events not being reported included:
- A lack of faith in law enforcement to be able to help
- Not understanding how reporting an incident could help
- Reluctancy to admit a failure in cyber-security
- Thinking the issue was not worthy of police intervention
- Concerns that investigations could cause downtime or slow down business operations
Organisations are however advised to report all cyber-crimes committed, law enforcement agencies are then able to correctly refer cases and information to assist in solving and preventing cyber-crimes. In the UK there are a number of organisations with partial responsibility for solving or investigating cyber-crimes, the primary agency being Action Fraud. Advice is that organisations should report cyber-crimes as soon as they are discovered, in some cases this can be almost instant such as a ransomware attack or DDoS attack (distributed denial of service). This falls in line with recommendations on reporting a breach under the GDPR.
Mike Hulett, Head of Operations for the National Cyber Security Unit (NCCU), spoke on the lack of reports recently, saying:
“At the most basic level, there are no incentives to report cyber-crime, while in most other kinds of crime, at the very least, there is the incentive of reporting it to the police so that they can get a case number for insurance purposes, although that is changing… We want all victims of cyber-crime to report. Who you are and what has happened is going to affect the scale and nature of the response, but there is no cut-off in terms of size of organisation affected. We want everybody to report, regardless of how large or small the organisation”
Reporting a breach under the GDPR
Under the General Data Protection Regulation (GDPR) organisations have a responsibility to report a breach within 72-hours of discovering it. Breaches must be reported to the relevant supervisory authority, in the UK this is the Information Commissioner’s Office (ICO). The updated definition of a data breach under the act covers certain types of cyber-crime, most notably a hack or unauthorised access to data.
A personal data breach under the GDPR is defined as breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed