Data Security: Zellis Breach and Ensuring Regulatory Compliance

Data breaches once again made the headlines last week. In late May, we saw the GDPR rule-breaking of Meta (Facebook), leading to the imposition of a €1.2 billion fine (subject to an appeal), and now there is a potentially disastrous breach of private information held by companies in the UK (United Kingdom). 

To date, several major household-name companies, including the BBC, BA (British Airways), and Boots, have all reported data breaches linked to their relationship with the popular payroll provider Zellis. The Russian cybercrime group Clop claims to have perpetrated the breach, which it did by exploiting a vulnerability in the file transfer software used by Zellis.

In addition to the companies mentioned, Aer Lingus, the University of Rochester, and the Government of Nova Scotia have all said they are affected by this breach. Estimates suggest that the attackers will have accessed the records of hundreds of thousands of employees tied to these organizations.

Clop has threatened to publish the stolen data if its financial demands are not met and is understood to have said it has “downloaded a lot of your data from hundreds of companies.” Clop is looking for a “price to delete.” Experts believe that financially motivated criminals, rather than a group tied to the Russian state, are behind Clop.

The Importance of Data Compliance

This alarming story once again drives home the vital importance of maintaining compliance with data regulations across the globe. This includes the relevant organizational and documentary compliance, as well as ensuring that the technology used to support data processing and transfers is fully secure. Because many of the companies and data subjects involved in the Zellis data breach are based in the UK, they must adhere to the strict UK GDPR rules.

The enormous $1.3 billion fine that Meta is facing makes clear how catastrophic the dual threat can be for a company: making ransom payments to the attacker on one side, and facing potentially huge regulatory penalties on the other.

An organization collecting the data of EU (European Union) or UK residents can be fined up to 20 million for breaches, or up to 4 times its global annual turnover if that amount is greater than 20 million.

Facing massive penalties and the looming threat of sensitive information being exposed publicly, your organization not only confronts a catastrophic financial scenario but also risks severe reputational damage.

Additional Complications

There are also major insurance complications that come with a breach of data regulations. Let’s say a company maintains compliance with global data regulation requirements but still suffers a data breach.

It’s likely this company will have relevant cyber-security insurance to cover such losses. This should help mitigate the financial (and indeed reputational) consequences. However, insurers may argue that a breach exposing any regulatory non-compliance voids the company’s insurance coverage.

Obviously, this could be catastrophic: not only would you be seriously out of pocket for any payments made in the face of a ransom demand, but you would also face enormous regulatory penalties and suffer major reputational damage. Together, these consequences of a serious data breach can destroy a company completely.

Ensure your Data Protection Compliance Globally with the Support of HSP Group 

The web of global data protection regulations is incredibly complex. It is challenging for organizations to develop and maintain a comprehensive understanding of the many different rules and regulations that apply to data protection compliance within one country, let alone internationally, and for multi-jurisdictional transfers of data.  

Despite all your best efforts, small but critical details can easily slip through the cracks and leave you vulnerable to penalties for non-compliance. Rules are rules, and it makes no difference whether a data breach was intentional; the same level of financial penalty can still apply.

The recent ransomware attack suffered by Zellis shows that even highly reputable firms are not immune to being targeted by attackers, and that any weakness at all in an organization’s systems leaves it vulnerable. Now, more than ever, it is crucial that you ensure that the technology used to support data processing and transfers is fully secure, and that you always maintain full compliance with the other documentary and organizational requirements in the country or countries where you operate or from which you collect data.

HSP Group has a highly knowledgeable group of data protection advisors with many years of experience advising major organizations on complex data protection requirements in countries all over the world.  

Contact us to learn more about how HSP Group can help with your compliance efforts. 

For more information on the GDPR and Data Protection, read our recent blog about Meta here
