Cybercrime: A growing threat to retailers
Retailers are becoming increasingly susceptible to the growing threat of ‘cybercrime’ – the use of computer technology to commit illegal offences, usually with the aim of obtaining a pecuniary advantage.
By Joseph Jackson, Bird & Bird LLP
In August, the Cabinet Office announced that 93% of large corporations and 87% of small businesses in the UK suffered a cybersecurity breach in the last year. Considering that these figures only address reported cyber-attacks, the scale of the problem is certainly a cause for concern. Retailers should be aware of this threat and the legislative measures currently being considered on cybersecurity in Europe.
The impact of cybercrime
Estimates of the annual global cost of cybercrime range from £44 billion to £253 billion, with the British Retail Consortium estimating the cost to the UK’s retail sector as £205.4 million.
Retailers that have experienced a major cyber-attack will be aware of the damage that can be caused. Business interruption, theft of trade secrets, misappropriation of finances, loss of customer data and damage to reputation are all risks for retailers with inadequate cyber resilience.
New regulation?
Policymakers in Europe are currently considering laws that would set a common standard of network security. In February this year, the European Commission published a draft Directive on cybersecurity (“the Directive”) which includes the following key proposals:
* Certain businesses and organisations would be required by law to take appropriate technical and organisational measures against cyber risk and report incidents that have a ‘significant impact’ on their core services. This could apply to some retailers – see ‘Will the Directive affect Retailers?’ below.
* EU Member States would be obliged to adopt a national strategy on cybersecurity, establish a national authority for monitoring compliance with the Directive and set up a ‘Computer Emergency Response Team’ to assist in monitoring and handling cybersecurity incidents.
* Processes would be established to facilitate the exchange of best practices and early notification of cyber-incidents between Member States. The Directive also envisages Member States agreeing coordinated responses to cyber-attacks.
Will the Directive affect Retailers?
Early indications suggest that retailers with an online sales presence may be in the Directive’s cross-hairs. It is envisaged that the Directive will not be applied to so-called ‘microenterprises’ – businesses with fewer than ten employees and with an annual turnover of €2 million or less – though businesses to which this exemption applies may still find themselves having to comply with the Directive as obligations are flowed down through their supply chain.
The future
Whilst implementation of the Directive appears some way off, retailers should be aware that their businesses could be subject to regulation on cybersecurity in the future. To the extent possible, retailers should consider ‘future-proofing’ their security processes against the impact of future regulation at a technical, operational and legal level by taking expert advice.
Finally, the retail sector as a whole should consider whether it can help shape the outlook of future regulation on cybersecurity. Member States are currently consulting on the implementation of the Directive and it may be that retail organisations can use this opportunity to feed back on the proposed legislation.