How resilient is your business?

It’s a question that you’ve probably had to ask yourself many times since the start of the coronavirus pandemic.

But you may not have thought about how much you rely on the everyday technologies that we all take for granted to keep your business running, and what could happen if something were to go catastrophically wrong.

In the aftermath of the terrible scenes at the Capitol in Washington on 6 January, the role of big technology companies such as Twitter and Facebook is under increasing scrutiny. President Trump himself had his social media accounts first suspended and then permanently removed from these and other platforms. Many of the President’s most fervent supporters had already moved from Twitter to an alternative platform, Parler, which boasted of its ‘free speech’ credentials and did not moderate content or remove hate speech. But Parler itself was then taken offline, not because of a Government or regulator, but because of the actions of another tech giant, Amazon. Like so many businesses, Parler relied on Amazon Web Services for its server space. And Amazon was able to simply terminate the contract because it decided that Parler had breached its terms and conditions. Parler immediately announced its intention to sue Amazon, but the damage was already done.

Whatever your politics, many people feel instinctively uncomfortable about the big tech companies’ power to take such significant decisions. There are calls on both sides of the Atlantic to strengthen the tech sector’s regulatory environment. Whether this results in a change in the law remains to be seen, and most businesses are very unlikely to find themselves in the situation that Parler does.

Nevertheless, it does show just how much we have all come to rely on a small number of big tech companies, and how a decision to withdraw services can have an immediate and dramatic effect. What if your business were to suddenly lose its server space, have its app withdrawn from Apple’s app store, or have its Facebook page or YouTube channel removed? There are minimal legal protections for businesses in this situation, because these relationships are governed by contracts, usually the tech companies’ standard terms and conditions. These are often drafted heavily in favour of the tech company, and allow little room for redress for the customer.

It’s not just big tech firms’ decisions that can leave businesses vulnerable. Over the past twelve months, there has been an increase in security incidents such as ransomware attacks on businesses. The move to remote working has only exacerbated this trend. A dispersed workforce can mean lower security and less awareness of potential threats. Criminals can target individuals and gain access to company networks.

Company data is then either stolen outright or held hostage and only released on payment by the victim. Such attacks are frequent and can have devastating consequences for businesses. Again, legal protections are not always sufficient to protect businesses.

Ransomware attacks in the UK are criminal offences under the Computer Misuse Act and potential offences under data protection law. Still, it is often difficult for the police to find cybercriminals and bring them to justice. And in the meantime, the affected business will need to take immediate action to recover its data and keep itself going. Where personal data is compromised, it may also need to notify the Information Commissioner’s Office and affected individuals, and deal with complaints and potential legal claims.

Of course, organisations are only ever as safe as the weakest link in their security, which often means us. The Home Office blamed ‘human error’ for a recent incident which reportedly led to at least 150,000 records being accidentally deleted from the Police National Computer.

Not only is this hugely embarrassing for the Home Office, but it also has repercussions for the police’s ability to carry out their core functions. Although individual errors are inevitable, businesses are required under data protection law to take ‘appropriate’ measures to prevent accidental loss, destruction or damage to personal data.

There is no prescriptive list, but such measures may include IT security, clear policies and procedures, robust back-up arrangements and regular staff training. Businesses that fail to take these appropriate measures are vulnerable to security incidents and subsequent legal challenges.

So as we look forward to 2021, now is the time to consider how resilient your business really is – and take any extra steps required to protect it.

Jon Belcher

Jon Belcher is a specialist data protection and information governance lawyer at Excello Law.