England & Wales: Cybersecurity

The UK National Cyber Security Centre (NCSC) defines cybersecurity as ‘how individuals and organisations reduce the risk of cyber attack. Cybersecurity’s core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage. It is also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.[1]

The increasing reliance of businesses and consumers on digital technology, and the growing frequency and impact of cyber attacks, mean that cybersecurity must not be seen as a purely technical matter, largely reserved for an organisation’s IT team; it is now widely recognised as an enterprise-wide risk issue for each business. The latest Department for Digital, Culture, Media and Sport survey of cybersecurity breaches showed that, while fewer businesses were detecting breaches than in previous years , those companies that did identify breaches had identified three times the average number of breaches since 2017. There are a number of potential explanations for the increased attacks on a narrower range of businesses. For example, it could be that some companies have sophisticated cybersecurity systems that are more adept at identifying attacks. It may also be that attackers are becoming more discriminating in their efforts, targeting businesses that suffer from known security vulnerabilities or hold more valuable forms of data. About 78 per cent of the businesses surveyed stated that cybersecurity was a high priority for senior management, with around 40 per cent stating it was a very high priority.[2]

For years now, the Information Commissioner’s Office (ICO), the NCSC and the Financial Conduct Authority have warned companies that cybersecurity should be treated as a boardroom-­level issue. In a 2018 speech, Elizabeth Denham, head of the ICO, cautioned that ‘we have seen too many major breaches where companies process data in a technical context, but security gets precious little airtime at board meetings. . . . If left solely to the technology teams, security will fail through lack of attention and investment.’[3]

The ICO’s security concerns are increasing alongside its enhanced enforcement powers to take action against those in breach of data protection laws. As a result, it is essential that organisations keep abreast of the key cybersecurity obligations imposed by UK legislation (summarised in section 2 below), as well as the potential legal and regulatory implications arising from a data breach. As an overview, and in addition to the overarching risk of reputational damage, the main consequences of a breach include:

  • An organisation may be required to notify a breach to relevant regulators and (if a sufficiently serious risk arises from the loss of personal data) affected private individuals. That notification would involve disclosing occurrence of the breach and providing information regarding the nature, consequences and mitigation of the breach, as prescribed by each regulator. Multiple notification requirements may give rise to challenges for an organisation, in managing the different forms of notification, different types of information required by each regulator and different deadlines, as well as managing the flow of such information to the marketplace.
  • Regulators have shown an increasing willingness to impose large financial penalties for breaches of specific cybersecurity obligations. Since the implementation of the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018), the ICO is able to impose fines of up to €20 million, or 4 per cent of an organisation’s worldwide turnover, whichever is higher. This represents a considerable increase in its powers under the Data Protection Act 1998 (DPA 1998), where the upper limit on fines was £500,000. Similarly, under the Network and Information Systems Regulations (NIS Regulations) 2018, introduced alongside the GDPR, the ICO has the power to fine relevant digital service providers and providers of critical infrastructure services up to £17 million. The ICO has shown that it will use these newfound muscles through its recent issuance of significantly large provisional fines to Marriott International (£99 million) and British Airways[4] (£183 million) for their respective failures to safeguard electronic customer records from cyber attack. The trend of significant regulatory fines is not limited to the ICO: in October 2018, the FCA fined Tesco Bank £16.4 million for failing to secure retail clients’ banking deposits.[5]
  • Directors should be aware that, under the DPA 2018, they are now personally liable to be prosecuted for criminal offences committed by their company under the GDPR.[6]

There is a fast-increasing risk of civil litigation arising from personal data breaches as individual claimants seek compensation for loss (both pecuniary and non-pecuniary) caused to them by a data controller’s contravention of data protection legislation. This trend follows the judgment in Vidal-Hall v Google Inc [2015] EWCA Civ 311, which established that compensation could be awarded under the DPA 2018 to individuals under English law if they suffered non-pecuniary loss such as emotional distress arising from a breach of their data privacy in addition to their rights to claim pecuniary loss. In the recent judgment in Various Claimants v Wm Morrison Supermarkets PLC [2018] EWCA Civ 2239, the Court of Appeal held that companies are vicariously liable for the actions of ‘rogue’ employees that result in a data breach.[7]

The trend may now accelerate following the decision of the Court of Appeal in Lloyd v Google [2019] EWCA Civ 1599. Here, it was held that it was possible to bring a representative action on behalf of a class of claimants who had, as a result of alleged breaches of data protection law, lost control or autonomy over their personal data, which had inherent value, and there was no requirement under the DPA 1998 (and it is likely to be the same under the GDPR or the DPA 2018) that the claimant had to prove financial loss to obtain compensation under data protection law. It seems likely that this case will almost certainly be referred to the United Kingdom’s Supreme Court. If the decision is upheld by the Supreme Court, it will potentially allow a wide range of claims to be brought against controllers for breach of data protection law, including as a result of cybersecurity breaches in a manner that makes economic sense (and that may be funded by litigation funders).

If this were not the case, the limited damages claimable to compensate for each individual’s loss would mean that it is unlikely to be economically worthwhile to seek redress on a separate, individual basis.

Overview of cybersecurity legislation

Below provides a broad overview of the key UK legislation that imposes cyber­security obligations on companies and businesses.

The Communications Act 2003

Public electronic communications network (PECN) and public electronic communications service (PECS) providers apply the Communication Act 2003 (CA), in respect of their activities in the United Kingdom.[8] PECN and PECS providers must take technical and organisational measures appropriately to manage risks to the security of PECNs and PECSs.[9]

The Office of Communications (Ofcom) regulates the CA. Breach notification requirements include the following: PECN and PECS providers must notify Ofcom of a breach of security that has a significant impact on the operation on a PECN or PECS, and PECN providers must notify Ofcom of a reduction in the availability of a PECN that has a significant impact on the network.[10]

The sanctions for breaching the CA are suspension of the entitlement to provide networks or services, or fines of up to £2 million.[11]

Privacy and Electronic Communications Regulations 2003[12]

PECS and PECN providers, in respect of their activities in the United Kingdom, apply the Privacy and Electronic Communications Regulations (PECR).

PECS providers must take appropriate technical and organisational measures to safeguard the security of their services. These measures must:

  • ensure that personal data can only be accessed by authorised personnel for legally authorised purposes;
  • protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration and unauthorised or unlawful storage, processing, access or disclosure; and
  • ensure the implementation of a security policy with respect to the processing of personal data.

PECN providers must comply with reasonable requests from PECS providers made for the purpose of taking the above measures.[13]

The regulator for the PECR is the ICO. With regard to breach notification requirements, PECS providers must:

  • notify the ICO of a personal data breach without undue delay. The ICO website specifies that certain essential facts of the breach must be notified to the ICO within 24 hours of a provider become aware of such facts;[14] and
  • if the breach is likely to adversely affect the personal data or privacy of a subscriber or user, notify the subscriber or user of the breach without undue delay unless the provider has demonstrated to the ICO’s satisfaction that it has implemented appropriate technological protection measures which render the data unintelligible to any person who is not authorised to access it, and that those measures were applied to the data concerned in that breach.[15]

Sanctions for breach include fines of up to £500,000.[16] Further, article 31 PECR grants the ICO the same general powers to enforce PECR as under the DPA 1998, including the use of enforcement notices.

GDPR/DPA 2018

Both controllers and processors[17] based in the United Kingdom and based outside of the European Union that offer goods or services in the United Kingdom or monitor the behaviour of individuals in the United Kingdom apply the GDPR and DPA 2018.

Under these laws, controllers must process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.[18] Article 32 extends this obligation to processors, and specifies measures to include (as appropriate):

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

These laws are both regulated in the United Kingdom by the ICO, and in the case of a personal data breach, controllers must notify the ICO without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made without 72 hours, reasons for the delay must be provided.

Further, processors must notify the controller without undue delay after becoming aware of a personal data breach.[19] Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, controllers are also obliged to notify data subjects of the breach without undue delay.[20]

Sanctions for breaching the above laws include:

  • for controllers: fines of up to €20 million or 4 per cent of the total annual worldwide turnover, whichever is higher;[21] and
  • for processors: fines of up to €10 million or 2 per cent of worldwide turnover, whichever is higher.[22]

The ICO also has the power to impose an absolute ban on processing any personal data, or a ban on the processing of certain descriptions of personal data in a particular manner or at a particular time.[23] An enforcement notice can only be imposed for certain types of breaches,[24] including breaches of data subjects’ rights and failure to notify the ICO of a personal data breach.

Directors are also personally liable to be prosecuted for criminal offences committed by their company under the DPA 2018.[25]

NIS Regulations 2018

Operators of essential services (OESs) in the energy, transport, health, drinking water supply and distribution, and digital infrastructure sectors that satisfy certain threshold requirements under Schedule 2 of the NIS Regulations oversee its application. Any OES that provides services in the United Kingdom falls within the scope of the NIS Regulations, regardless of where it is actually based. OESs must take appropriate and proportionate measures to:

  • manage risks posed to the security of the network on which their essential service relies, which measures must, having regard to the state of the art, ensure a level of security of network and information systems appropriate to the risk posed; and
  • prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of an essential service, with a view to ensuring the continuity of those services.[26]

Relevant digital service providers (RDSPs) also apply the NIS Regulations. Essentially, an RDSP is any provider that:

  • provides an online marketplace, search engine or cloud computing service;
  • has a head office or nominated representative in the United Kingdom; and
  • satisfies certain size and turnover thresholds.

RDSPs must identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies to provide, within the European Union, either an online marketplace, online search engine or cloud computing service.[27]

Schedule 1 of the NIS Regulations designates sector-specific competent authorities for OESs, and the ICO is the competent authority for RDSPs.

In the case of a breach, an OES must notify its designated competent authority without undue delay and in any event no later than 72 hours after becoming aware of any incident that has a significant impact on the continuity of the essential service the OES provides.[28] RDSPs must notify the ICO without undue delay and in any event no later than 72 hours after becoming aware of any incident having a substantial impact on the provision of any of the relevant digital services.[29]

Fines of up to £17 million will be issues for breaching the NIS Regulations.[30] The relevant competent authority can also serve an enforcement notice prescribing steps that an OES or RDSP must take in order to rectify a failure to fulfil its security duties under article 10 or article 12.

FCA Handbook

Financial services firms regulated by the FCA apply the FCA Handbook, under which there are no cybersecurity-specific provisions, but firms are required to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems.[31]

Under the FCA Handbook, a firm reports material cyber incidents to the FCA. An incident may be material if it:

  • results in significant loss of data or the availability or control of a firm’s IT systems;
  • affects a large number of customers; or
  • results in unauthorised access to, or malicious software present on, a firm’s information and communication systems.[32]

There are no upper limits on fines.

Overview of recent enforcement cases

Pre-GDPR

In the years before the implementation of the GDPR, the ICO issued a large number of fines for data breaches and cyber incidents under the DPA 1998. An analysis of these – and particularly the larger fines – sheds some light on their initial enforcement patterns. Table 1 below shows some of the more recent enforcement actions under the DPA 1998.

Table 1: DPA 1998 enforcement (non-nuisance cases)

Date

Company

Incident

Fine

20/08/2018

Equifax Ltd[33]

US parent company processed UK individuals’ confidential data; hundreds of millions affected; hackers gained access to data.

£500,000[34]

28/08/2018

BUPA Insurance Services Limited[35]

Employee sold policyholders’ data on the dark web; over 500,000 individuals affected; and ‘material inadequacies’ in security measures.

£175,500

24/09/2018

Facebook Ireland Ltd & Facebook UK Ltd[36]

‘Unfair’ processing of data leading to the Cambridge Analytica scandal; failure to have appropriate technical/organisational measures; third parties harvested data.

£500,000[37]

12/04/2019

Bounty (UK) Limited[38]

Sharing personal data of young mothers and children with third-party marketing agencies without making it clear to users that their data might be used in this way.

£400,000

19/07/2019

Life at Parliament View Ltd[39]

Leaving customer data exposed for two years; numerous security errors; failure to have technical/organisational measures

£80,000

There are clear patterns that can be observed from the above enforcement cases.

First, the size of the fine imposed by the ICO is likely to be positively correlated to the number of individuals affected by the data breach or cyber incident. For example, the number of affected data subjects in the Parliament View case was 18,610, while in the Facebook and Equifax cases the affected population numbered in the millions.

Secondly, the two companies subjected to the maximum penalty allowed under the DPA 1998 are both global conglomerates, suggesting that the ICO may have regard to the size of an organisation when determining the appropriate standards against which to judge its acts or omissions and subsequently decide upon the appropriate monetary penalty.

Third, the ICO is also likely to impose a heftier fine where a data controller’s failure to adequately safeguard personal data resulted in the actual unauthorised access and misuse of backdated data by a third party. This can be contrasted with cases where there was a technical breach of the DPA by the data controller, but no data was actually accessed illegally by third-party hackers or other organisations.

Lastly, where a data breach involves potentially vulnerable groups of data subjects, the ICO is likely to take this into account as an aggravating factor when assessing the seriousness of the breach. In the Bounty case, the ICO gave particular weight to the fact that (1) the data subjects involved were new mothers or mothers-to-be and very young children; and (2) the unlawfully disclosed data included information relating to individuals’ pregnancy status and the number, age and gender of their children, thereby creating a real risk of distress for those data subjects.[40]

Post-GDPR

Table 2 below summarises two examples of recent enforcement action under the GDPR.

Table 2: GDPR Enforcement

Date

Company

Breach

Fine

08/07/2019

British Airways PLC

Hackers diverted customers away from website and fraudulently harvested data; ‘poor security measures’; affected 500,000 customers.

£187,390,000[41]

09/07/2019

Marriott International Inc

Exposing nearly 339 million guest records globally; insufficient due diligence when acquiring subsidiary.

£99 million[42]

In light of increasing privacy concerns and increased regulatory powers under the GDPR, we can expect greater fines and enforcement under privacy laws in the European Union in general. Under the GDPR, the ICO fined British Airways PLC the sum of £187.39 million (around 1.5 per cent of their turnover in financial year 2018) following a cyber incident in September 2018, which diverted their website users to a fraudulent site that harvested their customers’ data. The breach affected around 500,000 customers, and the ICO noted in its press release that ‘poor security arrangements’ at the company were partly to blame.[43] Similarly, the ICO issued a notice of intent to fine Marriott International, Inc the sum of £99 million in connection with a cyber attack where hackers stole 339 million guest records (including those of UK and EU citizens) dating back to 2014. The ICO provisionally noted that the company had not undertaken sufficient due diligence when it acquired Starwood Hotels & Resorts Worldwide (where the breach originated).[44] This highlights the importance of both legal and technical due diligence in mergers and acquisitions transactions, and the risks that follow if issues such as this are overlooked. At the time of writing, these fines remain only provisional.

It appears from the British Airways and Marriott cases that similar DPA enforcement patterns are emerging under the GDPR: the ICO has continued to impose large fines where it believes that global conglomerates failed to take adequate measures to protect their customer records from cyber attack, resulting in data breaches that affected large numbers of individuals. The difference now is that the ICO is able to impose much higher fines under the GDPR, although notably these fines still fall short of the upper limit (4 per cent of an entity’s annual revenue) permitted by the legislation.

Global enforcement trends

In general, there is a global trend towards greater enforcement of privacy and data related breaches. In the United States, for example, the Federal Trade Commission recently imposed a record fine of US$5 billion on Facebook for allowing third-party applications to download the users’ data on the Facebook platform.[45] The fine related to the Cambridge Analytica scandal, which affected around 50 million Facebook users and centred around the default ‘opt-in’ setting for a third-party application that harvested the user’s friends’ data. Facebook also agreed to stricter controls and regulatory oversight by privacy and consumer protection agencies, including establishing of an independent privacy committee made up of Facebook’s board of directors, quarterly compliance certifications, and a 20-year commitment to overhaul privacy governance at the company.

Additionally, in August 2019, the state of New York passed a bill for the Stop Hacks and Improve Electronic Data Security Act (or SHIELD Act) to take effect in March 2020. The SHIELD Act is a significant development in this area because it imposes specific data security requirements on businesses that own or license private information and stipulates particular breach notification obligations, and leaves enforcement to the New York Attorney General. California has also passed two pieces of legislation governing cybersecurity, both of which are due to come into force on 1 January 2020. The first is Senate Bill No. 327 (the Bill), which governs the cybersecurity of internet of things (IoT) devices. The Bill requires manufacturers of IoT devices to include ‘reasonable’ security features appropriate for the relevant device. The second is the California Consumer Privacy Act 2018 (CCPA), which largely parallels the European Union’s GDPR and will include a private right of action for data breach incidents in California.

UK criminal enforcement of cyber crime

The relevant agencies

The UK government has established the National Cyber Crime Unit (NCCU) as a division of the National Crime Agency. The NCCU heads up and directs the United Kingdom’s response to cyber crime, provides specialist capability to support other law enforcement agencies and coordinates the national response to the most serious of cyber threats.

The NCCU works closely with the Metropolitan Police Cyber Crime Unit, a team of specialist detectives within the Metropolitan Police responsible for investigating complex cyber crime and fraud. Local forces will usually have their own cyber unit, but will refer the more serious cyber incidents to either this unit of the Metropolitan Police or the NCCU.

The ICO and the DPP have the power to prosecute the offences relating to the misuse of personal data set out at sections 170–173 of the DPA 2018. The written consent of the DPP is required in order to bring a private prosecution.

Legislation

Computer Misuse Act 1990

Despite its age, the Computer Misuse Act (CMA) 1990 (as amended) is the primary statute in the UK that criminalises acts that facilitate or result in breaches of cybersecurity. The CMA 1990 creates five offences:

  • Unauthorised access to computer material (section 1): for example, using someone’s password to gain access to specific data without their permission. This offence is punishable by, on summary conviction, imprisonment for a term not exceeding 12 months or a fine, or both; and, on indictment, imprisonment for a term not exceeding two years or a fine, or both.
  • Unauthorised access with the intent to commit or facilitate commission of further offences (section 2). The further offences must in themselves carry a sentence of five years’ imprisonment or more (eg, theft), meaning that this section is likely to be used for offences such as unauthorised access to a business’s records to steal customers’ credit card details. This offence is punishable by, on summary conviction, imprisonment for a term not exceeding 12 months or a fine, or both; and, on indictment, imprisonment for a term not exceeding five years or a fine, or both;
  • Unauthorised acts with intent to impair, or recklessness as to impairing, the operation of a computer (section 3): for example, by a denial of service attack or the insertion of malware into a computer programme. This offence is punishable by, on summary conviction, imprisonment for a term not exceeding 12 months or a fine, or both; and, on indictment, imprisonment for a term not exceeding 10 years or a fine, or both;
  • Unauthorised acts causing or creating risk of serious damage (section 3ZA). This offence was introduced by the Serious Crimes Act 2015 and is an aggravated form of the section 3 offence, designed to cater for serious computer misuse that (for example) damages critical national infrastructure and where the maximum penalty available under section 3 is inadequate. This offence is indictable only with a maximum of 14 years’ imprisonment for cyber attacks causing, or creating a significant risk of severe economic or environment damage or social disruption; and a maximum of life imprisonment for cyber attacks that result in loss of life, serious illness or injury or serious damage to national security; and
  • Making, supplying or obtaining articles (eg, hacking tools) for use in offences under sections 1, 3 or 3ZA (section 3A).[46]

The CMA deals with the borderless nature of cybercrime by conferring broad jurisdiction on the English courts to deal with the above offences, provided a ‘significant link’ can be established between the offence and the United Kingdom. A significant link comprises any one of the following: the accused was a United Kingdom national at the time the unauthorised act was committed; the accused was in the United Kingdom at the time the unauthorised act was committed; the computer subject to the unauthorised act was in the United Kingdom at the time; or (in respect of section 3ZA) the unauthorised act caused or created a risk of serious damage in the United Kingdom.[47]

Fraud Act 2006

A person found guilty of an offence under Section 3A of CMA 1990 might also be guilty of an offence under the Fraud Act 2006, if the ‘article’ made, supplied or obtained was intended for use in fraud. An offence of making or supplying articles for use in fraud under section 7 of the Fraud Act is punishable by a maximum of 10 years’ imprisonment, while an on offence of possession of articles for use in fraud under section 6 is punishable by maximum of five years’ imprisonment.

DPA 2018

Section 170 of the DPA 2018 creates offences of: the deliberate or reckless obtaining, disclosing, procuring and retention of personal data without the consent of the data controller; and the sale (or offering for sale) of data obtained in such manner. Additionally, section 198 creates personal liability for directors to be prosecuted for criminal offences committed by their company.

As noted above, proceedings for offences under section 170 may be instituted only by the ICO, or by or with the consent of the DPP.[48]

Despite proposals made during the passage of the bill that certain offences created by the DPA 2018 be punishable by imprisonment, the DPA 2018 preserves the status quo of financial penalties only. While the Crown and Magistrates’ Courts can impose unlimited fines, there is little authority on the appropriate level of fines for the section 170 offences. Most cases brought by the ICO for offences under section 55 of the DPA 1998 (the precursor to section 170 DPA 2018) resulted in fines in the hundreds or low thousands of pounds.

Other noteworthy developments of cybersecurity offences

In 2018, the total number of cyber attacks identified by entities fell; however, those entities that identified cyber attacks faced multiple attacks, with some entities identifying triple the average number than in previous years.[49] Graph 1 below shows the total number of ‘non-cyber personal data breaches’ across all sectors in the UK in the fourth quarter of 2018–2019 and Graph 2 below shows ‘cyber personal data’ breaches for the same period.[50]

Graph 1: Non-cyber personal data breach reports received, Q4 2018–19 (total breaches: 2,577)

Graph 1: Non-cyber personal data breach reports received, Q4 2018–19 (total breaches: 2,577)
Source: Information Commissioner’s Office: Data Security Incident Trends 2019, licensed under the Open Government Licence

Graph 2: Cyber personal data breach reports received, Q4 2018–19 (total breaches: 686)

Graph 2: Cyber personal data breach reports received, Q4 2018–19 (total breaches: 686)
Source: Information Commissioner’s Office: Data Security Incident Trends 2019, licensed under the Open Government Licence

The data indicates that businesses are becoming savvier when it comes to cybersecurity planning and investing in cybersecurity software and are, generally, more alert to potential issues. However, another explanation could be changes in attacker behaviour, changes in the way businesses are responding to or identifying cyber attacks and, indeed, changes in the way businesses are responding to the survey itself. The latter could, for example, be owing to an organisation’s unwillingness to admit to cybersecurity breaches in light of potentially hefty liability under the GDPR. The survey also showed that only 18 per cent of businesses require their suppliers to adhere to any cybersecurity standards, with many businesses failing to consider suppliers as potential sources of attacks. For example, in 2017 the ICO fined TalkTalk Telecom Group PLC £100,000 because third-party IT suppliers were able to access customer data and conduct scam calls.[51] Indeed, the National Crime Agency has listed the omission to consider suppliers as a potential entry point to a company’s IT systems – and thus enabling attacks – as a cause of much cyber crime.[52]

In other related developments, we can see that the establishment of the NCSC at the Government Communications Headquarters and the NCCU at the National Crime Agency signals the importance the government places on cyberthreats. The NCSC, which some are calling the United Kingdom’s ‘cyber defender’, was recently able to identify an attempt to defraud thousands of individuals using a fake email from a UK airport as well as stopping 140,000 phishing attacks and taking down 190,000 fraudulent sites.[53] In a similar vein, the NCCU has ramped up the criminal enforcement of cyber attacks under, inter alia, the Computer Misuse Act 1990 and various fraud legislation[54] at both the national and international levels; in some cases partnering up with Europol, the FBI and the US Secret Service.[55] We also note that the recommendation from the UK government’s Online Harms White Paper may also shape the future of the cybersecurity regulatory framework in the United Kingdom, signalling a more systematic and holistic approach to the concept of online harm, including issues surrounding ‘Adtech’.[56]

At the EU level, we can see the introduction of the Directive on Security of Network and Information Systems (the NIS Directive) and the EU Regulation on Information and Communication Technology (the Cybersecurity Act) signals a shift in the importance of cybersecurity in general but also, specifically, the importance of the EU Agency for Cybersecurity (ENISA). In particular, the Cybersecurity Act gives ENISA a permanent mandate whereby ENISA will offer an as yet voluntary ‘one-stop-shop’ for cybersecurity certification of EU-wide products and services. It is thought that the certification process will give certified products a competitive advantage in the digital single market.[57]

Incident preparation and response: practical advice for companies

There are a number of basic policy and infrastructure measures businesses should have in place in order to report breaches and to minimise damage in the event of a cyber attack. Perhaps most important is having a robust breach response protocol.[58] This includes an awareness of, and planning for compliance with, all relevant notification requirements under the GDPR and related legislation, including stock exchange rules on announcements for listed companies, as well was having a cross-disciplinary team of IT, legal, public relations, compliance, insurance, and human resources staff and advisers in place to ensure a holistic approach to incident management. Particular attention should be paid to the relevant rules that apply to ‘processors’ and ‘controllers’ (as defined in the GDPR). Particular attention should be paid to:

  • who is responsible for identifying a data breach;
  • who the response team members are;
  • how to evaluate and contain a data security breach;
  • how and when to notify individuals, the regulator or law enforcement;
  • handling dialogue with those third parties;
  • managing external communications and media enquiries;
  • remediation measures to be taken following a breach; and
  • how and when to notify individuals and the reasons for so doing.

Response protocols must remain valid and up-to-date, so regular ‘stress tests’ of company protocols are recommended as well as typical IT security tests (eg, penetration testing using other tools).

Businesses should also assess whether they can be insured against cyber attacks. The cyber-insurance industry is growing fast but there are numerous difficulties involved in insuring against cyberthreats.

Some insurance companies are developing services aimed at quantifying and pricing cyber risk by, inter alia, developing their own underwriting models that incorporate numerous cyber-related variables. Until these products are developed, businesses should ensure they review their insurance policies and, where relevant, update policy language to take into account cyberthreats. Indeed, some insurers and security firms may offer response teams and also ‘stress testing’ to asses potential damage in the event of a cyber attack and base insurance pricing from that test.

The authors wish to thank Hui Ying Chee and Jujhar Dhanda for their assistance in writing this chapter.


Footnotes