Legal framework

Legislation

Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?

There is no dedicated comprehensive cybersecurity law in England and Wales. Rather, there are numerous statute-based laws, underpinned by the possibility of civil actions in common law. These:

  • criminalise unauthorised interference with computers (the Computer Misuse Act 1990 (CMA));
  • criminalise the interception of communications, including communications sent or received by computers (the Investigatory Powers Act 2016 (IPA));
  • impose obligations to protect ‘personal data’ (rather than data more generally) by the application of security measures. The three key pieces of legislation are the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA), and the Network and Information Systems Regulation 2018 (NISR); and
  • criminalise actions amounting to fraud (the Fraud Act 2006 (FA)) and infringing intellectual property rights (the Copyright, Designs and Patents Act 1988).

English law predominantly seeks to encourage cybersecurity by punishing breaches (notably failures by data controllers and processors to keep personal data secure) rather than by reward.

Acts that would otherwise be breaches of law are made lawful where conducted by state agencies principally in the interests of national security and for the prevention and detection of serious crime in accordance with the authorisation regimes established under the IPA, the Police Act 1997 and the Intelligence Services Act 1994.

The GDPR applies to personal data processing carried out by organisations operating within the EU and those operating outside the EU that offer goods or services to individuals in the EU. It does not apply to processing carried out for law enforcement purposes or national security purposes, or to purely domestic or household processing by individuals. Data controllers must also be able to demonstrate compliance with seven high-level data protection principles. The Information Commissioner’s Office (ICO) has provided guidance amplifying these principles. Breach of them can lead to the imposition of substantial administrative fines imposed by the ICO. The regulator may also prosecute offenders in the criminal courts for offences under the DPA and has consulted on whether it should have powers under the Proceeds of Crime Act 2002 to prevent criminals benefitting from data-related offences.

The DPA complements, amplifies and provides exceptions to the provisions of the GDPR. Subject to particular statutory defences, the DPA criminalises certain behaviour in relation to personal data, including knowingly or recklessly obtaining or disclosing it without the consent of the controller (blagging). It also regulates the processing of data by various authorities, such as the Serious Fraud Office, the Financial Conduct Authority (FCA) and the National Crime Agency (NCA).

The NISR applies to operators of essential services (OES) (eg, water, transport and energy) and relevant digital service providers (RDSPs) (eg, online search engines available to the public, online markets and cloud computing services). The NISR requires appropriate and proportionate technical and organisational measures to manage risk of disruption. Incidents that have a significant impact on the continuity of an essential service must be notified to the applicable competent authority. Where incidents are suspected of having a cybersecurity element, operators are also strongly encouraged to contact the National Cyber Security Centre (NCSC).

The CMA provides for criminal offences on the basis that: (i) a person causes a computer to perform any function with intent to secure access to any program or data held in any computer or to enable any such access to be secured; (ii) the access he or she intends to secure or to enable to be secured is unauthorised; and (iii) if he or she knows at the time when he or she causes the computer to perform the function that this is the case, then he or she is guilty of an offence. These offences are punishable by imprisonment, some carrying a maximum sentence of life imprisonment where the attack causes or creates a significant risk of serious damage to human welfare or national security.

Securing access to a computer or a program encompasses many different actions. ‘Computer’ is not defined in the CMA. Access is unauthorised if done by a person other than one who has responsibility for the computer and is entitled to determine whether the act may be done or is done without the consent of such a person.

The CMA creates further offences where unauthorised access is sought with a view to committing other offences (eg, theft or fraud), or to impair the operation of a computer, which would include the implanting of viruses or spyware and DDoS attacks. In these cases, the penalty can be up to 10 years’ imprisonment. The CMA also criminalises the obtaining, making, adapting, supplying or offering of articles for committing the CMA offences.

Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?

Cybersecurity laws and regulations affect all organisations processing or controlling data. The GDPR applies specifically to personal data (broadly, data from which a living person can be identified).

There are no specific sectoral laws, but organisations of any size must meet the GDPR requirements to the extent that they process personal data. Extensive guidance is addressed to all businesses and sectors because of the pervasive nature of the threats. There are some examples of particular guidance, for example, the Payment Card Industry Data Security Standard, which must be complied with by all organisations that accept, store, transmit or process cardholder data. The finance sector has perhaps considered cybersecurity matters for longer, and in greater depth, than other sectors.

According to one survey, the proportion of UK firms reporting a cyberattack in 2019 was 55 per cent, up from 40 per cent in 2018, with each of the 15 sectors reporting an increased number of attacks. The sectors experiencing the highest number of incidents were technology media and communications, government and financial services. Encouragingly, the same survey found an increased willingness among firms to learn from and change cybersecurity practices following cybersecurity incidents.

Professional bodies and regulators are increasingly embedding national strategies and guidance into their own regulatory guidance. The Law Society contributed to the NCSC’s 2018 report on cyberthreats to the UK legal sector, and its website includes a page dedicated to practical cybersecurity advice, educational webinars and endorsed partner products and services to help mitigate cybersecurity threats (https://www.lawsociety.org.uk/support-services/practice-management/cybersecurity-and-scam-prevention/cybersecurity-education-and-learning/). In the financial sector, the FCA has prioritised cybersecurity through ‘soft guidance’ measures, including advice-sharing (https://www.fca.org.uk/publications/research/cyber-security-industry-insights) and senior-level speeches, as well as emphasising the regulatory obligation to report material cybersecurity incidents under Principle 11 of the FCA Handbook.

Has your jurisdiction adopted any international standards related to cybersecurity?

At a legislative level, the government has implemented the GDPR, the Law Enforcement Directive, the NISR and Directive 2013/40/EU, which was aimed to create a unified approach to the types of and punishments for cyber offences through the EU. The government has also passed the Privacy and Electronic Communications Regulations 2003 (PECR) implementing Directive 2002/58/EC, thereby imposing obligations on public electronic communications service providers to take appropriate technical and organisational measures to safeguard the security of their services.

At a non-governmental level, the International Organization for Standardization’s ISO 27001:2013 sets out information security standards, including requirements for the assessment and treatment of risks tailored to the needs of an organisation, as well as generic requirements. ISO 27000:2016 provides an overview of information security management systems, and terms and definitions commonly used in the Information Security Management System family of standards.

The ISO standards are not a legal requirement to meet government standards, but where an organisation does apply them to its data operations, this would give comfort that in the event of a civil suit, civil penalty or even in the event of a prosecution for a DPA offence, the organisation should be able to advance an arguable defence.      

Given the transnational nature of cybercrime, there is a recognition that a purely national approach to cybersecurity would be inadequate, and the UK’s participation with international bodies post-Brexit has been the subject of considerable debate. Ongoing international cooperation is in everyone’s interests, and it is hoped that post-Brexit, the UK will continue to participate as a third country in EU cybersecurity bodies, such as the European Union Agency for Network and Information Security (https://www.enisa.europa.eu/about-enisa) and the NIS Cooperation Group.

What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?

Responsible personnel and directors have the normal obligations to act in the interests of the corporate bodies that they represent. For instance, section 174 of the Companies Act 2006 requires a company director to attain the standards of ‘a reasonably diligent person with . . the general knowledge, skill and experience that may reasonably be expected of a person carrying out the functions carried out by the director in relation to the company’. Personal liability for breaches could follow if directors fail to meet those standards. Section 198 of the DPA also provides for liability of directors and officers for certain offences committed with the consent of, or that are attributable to the negligence of, the director. Article 82 of the GDPR provides for liability of data controllers and processors for breaches of their GDPR obligations.

How does your jurisdiction define cybersecurity and cybercrime?

There is no overarching statutory or case law definition of cybersecurity or cybercrime. Cybercrime could mean anything from an individual being targeted by an email scam to a state-sponsored attack against another state’s infrastructure (or anything in between). Perhaps the clearest definition is provided in the government’s National Cyber Security Strategy, which states that it consists of two interrelated forms of criminal activity: cyber-dependent crimes, which can only be committed through Information and Communications Technology (ICT), and cyber-enabled crimes, which are traditional crimes ‘scaled-up’ by the use of ICT.

Information system security and cybercrime enforcement are considered distinct by UK law enforcement but are intrinsically linked in that without appropriate information security systems in place (as part of a risk-based approach), the risk of those entities falling victim to cybercrime is considerably increased.

The NCSC defines a cybersecurity incident as a breach of a system’s security policy affecting its integrity or availability and the unauthorised access or attempted access to a system. Commonly occurring incidents in the first category include attempts to gain unauthorised access to a system or data, malicious disruption and denial of service. By contrast, significant cybersecurity incidents are those that impact the UK’s national security or economic well-being.

What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?

A ‘one-size-fits-all’ approach to cybersecurity would be impractical in a varied and complex economy. UK legislation, therefore, adopts a risk-based approach rather than prescribing specific measures. It is a matter for regulated entities to determine how best to achieve the requisite security standards, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing undertaken. The ICO recommends consideration of both physical security and cybersecurity. Although the GDPR does not require data encryption, it is likely to be regarded as a standard measure, and failure to implement it may give rise to regulatory action.

The NISR requires OES to identify and take appropriate and proportionate measures to manage the risks posed to security and network information systems. The relevant considerations are very similar to those under the GDPR, though the cost of implementation should not be a factor under the NISR.

Scope and jurisdiction

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?

Cyberthreats to intellectual property are addressed by criminalising the way in which the property is unlawfully obtained and by criminalising its improper use.

Obtaining intellectual property by means of cyberattack would be covered by many of the offences under the CMA and the FA, notably fraud by false representation, given that the offence covers any act whereby an individual dishonestly makes false representations to cause a gain or a loss. This can include purporting to be the person to whom the data relates or belongs.

The use of data that has been misappropriated will often also be criminal. Section 107 of the Copyright Designs and Patents Act 1988 establishes a range of offences committed by those who for commercial purposes infringe copyright by making or dealing with infringing articles when they know or have reason to believe they are infringing.

The new EU Copyright Directive 2019/790, due for transposition into the national laws of EU member states by 7 June 2021, is considered the largest overhaul of digital copyright law in the past 20 years. It remains to be seen as to how the Directive will be implemented in the UK as a result of the UK’s Brexit negotiations.

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?

Critical national infrastructure and sectors providing essential services are likely to fall within the definition of OES under the NISR. They must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential services rely, and take appropriate and proportionate measures to prevent and minimise the impact of security incidents affecting those systems. Penalty notices may be imposed where a particular OES fails to achieve to these standards.

When attacks take place, perpetrators may be prosecuted under the CMA for knowingly using a computer for an unauthorised purpose that causes or creates a significant risk of damage to human welfare, the environment, the economy or national security of any country (section 3ZA CMA). The infrastructure and sectors that this law seeks to protect from ‘disruption’ include food, energy, fuel and water, in addition to communication and transport networks and health services. Offences under this section where there is a significant risk of serious damage to human welfare or national security carry maximum sentences of life imprisonment (with 14 years’ imprisonment for any other offence under this section).

Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?

To avoid damaging national security, there are limitations on sharing information obtained by state agencies via interception. Where a government agency has, under a bulk or targeted warrant, intercepted communications in the interests of national security or for the prevention of serious crime, it is a criminal offence under the IPA for the communications service provider or a public official to divulge the existence and content of the warrant or authorisation. Other information from government bodies can be shared provided it is compatible with their own statutory obligations (if any) and the requirements of the Human Rights Act 1998 (HRA).

The government actively encourages effective information sharing about threats to tackle cyberthreats and improve cybersecurity.

Sections 19 to 21 of the Counter-Terrorism Act 2008 allow state authorities to share intercepted material or other national security-sensitive information with other intelligence services and private entities if in pursuit of national security or the prevention of serious crime. Section 19 absolves any individual or entity for breach of confidentiality where it is sharing information for national security purposes or for the prevention of serious crime. Similar provisions exist under section 7 of the Crime and Courts Act 2013 for disclosure to the NCA.

Article 8 of the European Convention on Human Rights (the right to privacy and freedom of correspondence), given effect through the HRA, pervades this entire area insofar as privacy may be infringed by domestic public authorities, and limitations to that right must be in accordance with law, proportionate and necessary only for the purposes prescribed in article 8(2), that is in the interests of national security or to prevent or detect crime.

Under the GDPR, where personal data is shared, every data controller must first identify a lawful basis for ‘processing’ it. Processing is a broad term encompassing almost anything involving the data, including its disclosure. Lawful processing necessitates that one or more of the conditions in article 6(1) (a)-(f) of the GDPR apply.

Subject to statutory defences, it is a criminal offence under the DPA for any person, knowingly or recklessly, and without the consent of the data controller, to obtain, disclose or procure the disclosure of personal data or to retain it without the data controller’s consent after obtaining it. Similarly, it is an offence to sell or offer personal data for sale where it was obtained illegally under the DPA. Prosecutions would normally be brought by the ICO, but those convicted of these offences may only be fined.

Where a third party has information relevant to civil proceedings, disclosure of information (eg, personal data) may be possible by an application to the court for a Norwich Pharmacal order.

What are the principal cyberactivities that are criminalised by the law of your jurisdiction?

The CMA prohibits unauthorised access to computer material or data (ie. hacking). It is also an offence to carry out unauthorised acts designed to impair computer systems, including the deployment of Trojan horses or worms. The latter can carry a prison sentence of up to 10 years and an unlimited fine on conviction in the Crown Court. It is also an offence to use or obtain for use articles to commit either of the first two offences mentioned.

Section 3 of the IPA criminalises the unlawful interception of communications. The maximum punishment is two years’ imprisonment or a fine, or both.

The offence of unlawfully obtaining personal data is found in section 170 of the DPA 2018.

These offences can be committed by a corporation where liability can be attributed to this legal person through the actions of its directors, officers and those who are senior enough to bind the corporation.

How has your jurisdiction addressed information security challenges associated with cloud computing?

Surveys predict that the worldwide public cloud service market could reach as much as US$623 billion by 2023, with the United States and western Europe forming the largest markets for cloud computing. With that increase comes data security and privacy concerns.

Responsibility for ensuring adequate protection lies with the data controller. Data processors have the same responsibility where they have gained sufficient control over the manner in which the data is processed. Mitigating risk involves undertaking checks on a cloud service provider to ensure it provides sufficient guarantees and takes reasonable steps to ensure GDPR compliance.

The NISR also applies to cloud computing services and imposes further obligations on OES.

Domestic policies on cloud computing in the UK can be found on the ICO’s website (https://ico.org.uk/media/fororganisations/documents/1540/cloud_computing_guidance_for_organisations.pdf), with a useful summary at https://ico.org.uk/your-data-matters/online/cloud-computing/.

How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?

Although legal and regulatory harmonisation should mean cross-EU similarity in this field, variations may remain, with some countries taking advantage of discretionary ‘opt-outs’ in the GDPR and others regarding GDPR standards as the baseline in data protection.

Third-country organisations processing or storing personal data of any EU subjects outside the EU are likely to be prevented from doing business in the UK or with UK individuals if their own national security requirements and regulations are inadequate. In other words, they must offer protection ‘essentially equivalent’ to that existing within the EU.

Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Although much guidance has been issued by governmental bodies, how they achieve the legal standards expected of them in respect of cybersecurity has ultimately been left to organisations themselves.

In 2016, the government updated its ‘10 steps to cyber security’, now complemented by ‘Common cyber attacks: reducing the impact’ (https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security), describing what a common cyberattack looks like and setting out simple and affordable security controls. The Cyber Essentials Scheme also recommends five basic controls to protect against cyberattacks, including the creation of effective firewalls and the use of the latest supported application versions and patches. Additional information is available from the NCSC’s Cyber Security: Small Business Guide; the cross-governmental Cyber Aware campaign; the ICO’s 2016 publication A Practical Guide to IT Security; and the Action Fraud website. The NCSC’s website also contains helpful pages on specific IT security issues, including protecting against ransomware, phishing attacks and email security.

At a non-governmental level, BS 10012:2017 provides a GDPR-compliant personal information management system available to organisations seeking to achieve best standards.

Within government, the Cabinet Office has issued the Minimum Cyber Security Standard, which all departments are expected to achieve or exceed, dealing with threat identification and detection, incident response plans and recovery.

Where industry codes exist, adhering to them may demonstrate compliance with a data controller’s obligation to maintain appropriate cybersecurity. Additionally, the ICO’s Regulatory Action Policy suggests adherence to these codes will be considered when the regulator decides whether and by how much to penalise an organisation for a data breach.

How does the government incentivise organisations to improve their cybersecurity?

In November 2019, the government published the Cyber Security Incentives and Regulation Review 2020: Call for Evidence. (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/844081/Call_for_Evidence_-_Cyber_Security_Incentives___Regulation_Review.pdf.)

The government wishes to encourage investment in cyber risk mitigation by promoting the view that it fosters business continuity and operational resilience. The Review will assess how the government can intervene directly, without placing unnecessary burdens on business, as well as support and stimulate industry, to help address barriers to effective cyber risk management.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

General cybersecurity advice may be found in the ‘10 steps to cyber security’; however, there are increasing sector-specific examples that seek to inform organisations on the cybersecurity options relevant to them. One is the Institution of Engineering and Technology’s Code of Practice for Cyber Security for Ships, published in conjunction with the Department for Transport.

Are there generally recommended best practices and procedures for responding to breaches?

There is no single source of best practice for responding to data breaches. Instead, multiple sources of public, private, national and overseas guidance exist. Reflecting the often over-lapping nature of this guidance, joint advice is increasingly offered, such as the GDPR Security Outcomes guide from the NCSC and ICO (https://www.ncsc.gov.uk/guidance/gdpr-security-outcomes). It includes sections on avoiding and planning for breaches.

Carefully thought-out cybersecurity policies and rehearsals are crucial, particularly given the time constraints for reporting to the ICO. The number of businesses estimated to have a formal reporting policy has increased to 33 per cent. Though a cybersecurity policy should include technical matters, such as antivirus software, patches and backup recovery plans, a company should implement regular staff training to try to prevent situations arising in the first place and to enable them to recognise, understand and avoid the risks, as well as know what to do and who to alert in the event of a breach.

A company’s cybersecurity policy should incorporate an incident response management plan. Internally, a senior member of the company should ideally take control, enlisting the assistance of in-house counsel, the IT department and Human Resources, as well as external advisers (eg, forensic experts, lawyers and PR consultants) as necessary. The external consultants should ideally be identified before an incident occurs.

When incidents occur, best practice suggests that the priority must be to ascertain and record precisely what has occurred, who was involved and what data has been lost. A proper assessment can then be made of the nature and seriousness of the data breach, whether it is ongoing and how it can be stopped, as well as the likely implications for both data subjects and the organisation.

Having done this, a reasoned assessment can be made about whether the GDPR reporting threshold has been reached, and whether and how the data subjects affected should be informed so they may take precautionary measures and mitigate any financial losses arising from the incident. Consideration should also be given to any contractual or professional notification obligations. If a company believes it has been the victim of crime, it may decide to inform the police, the NCA or the NCSC and will consider whether any ensuing harm could be prevented by seeking injunctive relief. Simultaneously, once news of a data breach goes public, a company may face questions from its staff and possibly external sources, necessitating a coordinated media response.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Encouraging organisations to report attacks is key to combatting cyber incidents. There are no requirements or incentives, although the government has tried to promote the sharing of information about cyberthreats through the Cybersecurity Information Sharing Partnership. The City of London Police set up the soon to be superseded Action Fraud website for reporting online fraud, scams and extortion. Cyber incidents may be reported directly to the NCSC when they have an impact on the UK’s national security or economic well-being, affect a large proportion of the UK population or jeopardise the continued operation of an organisation.

See ‘Scope and jurisdiction’.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The National Cyber Security Strategy, running to 2021, acknowledged the transformation that digital connectivity was bringing about for both public and private enterprise but emphasised the significant role played by businesses and organisations in the UK’s national response to cyberthreats.

Recognising the importance of a partnership between the government and private sector in the development of cybersecurity standards, the NCSC’s website has a dedicated partnership page listing efforts aimed at developing cross-sector cybersecurity capabilities within the UK. Included are details of educational bursaries and work placements to nurture the future cybersecurity workforce, educational events aimed at existing cybersecurity professionals, and the Industry 100 initiative to facilitate close collaboration with private sector talent in the field of cybersecurity by encouraging part-time secondment to the NCSC to promote the exchange of knowledge and expertise.

On the industry-side, techUK represents more than 850 commercial entities involved in the cybersphere, including FTSE 100 companies, small and medium-sized enterprises and start-ups. The body works with key stakeholders to inform debate about the future development and application of technologies.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Insurance is available to mitigate cybersecurity risks. The market was often considered underdeveloped, but it is now growing. As a result of the potential risk of exposure and the shortage of actuarial data resulting from underreporting, insurers have been cautious to provide policies. Nevertheless, as incidences and the consequences of cybersecurity breaches increase, demand for insurance has been increasing. The potential financial and reputational cost to businesses is staggering, especially when a company faces the double catastrophe of direct financial loss resulting from the breach and a fine if personal data has been compromised.

Enforcement

Regulation

Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?

The regulatory authorities primarily responsible for enforcing cybersecurity rules are the National Cyber Crime Unit (NCCU), which is a dedicated unit within the NCA and the ICO. Where national security is at risk, the UK’s security and intelligence agencies will also be involved.

In addition to the NCCU and the ICO, professional regulators such as the FCA and the Solicitors Regulation Authority oversee cybersecurity in particular sectors.

Cybercrime is generally prosecuted by the Crown Prosecution Service although the ICO also has powers to prosecute under the CMA and the DPA.  

Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.

The powers of the authorities to monitor and investigate criminal offences are the same as those for criminal investigations generally. Material can be obtained by the NCA or the police through court orders or interviews (and searches without notice can be carried out with the appropriate permissions). Covert surveillance and interception are also possible, again with the necessary IPA permissions. Intercept evidence is generally not admissible in criminal proceedings in England.

The ICO’s role and powers are contained in Parts 5 and 6 of the DPA. The types of regulatory action in which the ICO engages are described in its Regulatory Action Policy. Those activities include conducting compliance assessments, issuing urgent information notices, entering premises, requiring documents and interviewing staff.

It is a criminal offence to obstruct a person executing an ICO warrant.

What are the most common enforcement issues and how have regulators and the private sector addressed them?

The government’s 2019 Cyber Security Breaches Survey identified the most common UK cyberattacks as phishing, viruses, spyware and identity theft. However, overall, there was a significant decline in the number of companies identifying breaches or attacks. Though greater awareness may be leading to increased cybersecurity, cybercriminals may be becoming more focused, targeting easier victims. The average cost of these incidents for business was found to have risen by around 32 per cent.

The year 2019 saw a small number of criminal prosecutions under the CMA, almost exclusively for unauthorised access offences. Perhaps the most prominent of these was brought by the NCA, which successfully prosecuted a 24-year-old hacker who had used sophisticated ransomware attacks between 2012 and 2014 to blackmail those visiting adult pornography sites. The sum involved in the offence is believed to have been at least £4 million, laundered through cryptocurrency platforms. The offender was sentenced to over six years’ imprisonment.

Where cybersecurity breaches involving personal data occur, the ICO has shown itself to be increasingly willing to exercise the GDPR fining powers available to it against organisations failing to meet the necessary standards. In July 2019, the regulator imposed a fine of £183 million on British Airways (approximately 1.5 per cent of the airline’s turnover) for poor data security that compromised the personal data of 500,000 customers. The same month, the ICO fined international hotel group Marriott after hackers stole the personal data of millions of guests. The fines demonstrate the regulator’s willingness to target even the highest-profile organisations.

What regulatory notification obligations do businesses have following a cybersecurity breach? Must data subjects be notified?

Under the GDPR, once aware of a data breach (ie, a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data), a data controller must notify the ICO without delay and within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where there is a high risk to the rights and freedoms of data subjects, they too must be informed without delay unless the data involved was unintelligible (eg, by encryption), the high risk is unlikely to materialise as a result of remedial steps taken by the controller or where notification would involve disproportionate effort.

Similarly, under the PECR, organisations providing electronic messaging services to the public (eg, telecoms providers and ISPs) must notify the ICO of personal data breaches within 24 hours of detection. Subscribers and users must also be notified where personal data breaches are likely to adversely affect their personal data or privacy. Under the NISR, OES must notify their designated competent authority within 72 hours of becoming aware of any incident significantly impacting continuity of service provision.

Penalties

What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?

Article 83 of the GDPR sets out two categories of offence. The first carries a maximum penalty of up to 2 per cent of a business’s global annual turnover or €10 million, whichever is greater. This includes failures to take adequate security measures to protect personal data. The second category of offence carries a maximum penalty of up to 4 per cent of a business’s global annual turnover or €20 million, whichever is greater. Within this category are individual offences related to the processing principles, the rights of data subjects and obstruction of the ICO. The lists of offences in both categories are not exhaustive and may be expanded in the future.

The ICO’s Regulatory Action Policy suggests the heaviest penalties will be imposed on organisations that repeatedly and wilfully transgress their obligations and where formal regulatory action would serve as a deterrent to others. When deciding on the level of the penalty imposed, the ICO will take into account aggravating factors (eg, whether an organisation has made any financial gain as a result of the failure to report).

What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?

Under the GDPR, failure to notify the ICO of a notifiable breach within 72 hours of becoming aware of the breach risks the imposition of a fine of up to €10 million or 2 per cent of a company’s global annual turnover, whichever is higher.

Under the NISR, failure by an OES or an RDSP to notify its competent authority of a network and information systems incident within 72 hours may lead to the imposition of severe financial penalties (up to £17 million) in the worst-case scenarios where the material contravention caused an incident jeopardising life or risking a significant adverse impact on the UK economy.         

Under the PECR, personal data breaches must be notified to the ICO without undue delay and within 24 hours. Failure to do so may result in a fixed penalty of £1,000, though more serious breaches can lead to the imposition of heavier monetary penalties.

 

How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?

Private redress can be pursued civilly. A cyberattack, for example, will often involve civil wrongs, such as some form of deceit, and liability may rest with a director who fails to properly consider, address or implement sufficient cybersecurity systems and measures.

Data subjects may also lodge complaints to the ICO where breaches of the GDPR or the DPA occurred involving their personal data. Though the ICO cannot award compensation, a regulatory breach finding could then be used in subsequent civil proceedings brought by the aggrieved data subject. However, a finding by the ICO that there has been a breach is not a prerequisite of a civil claim, and a data subject may bring proceedings against a data controller or processor where damage (including distress) can be proved.

Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

While the NCSC and the ICO offer guidance on cybersecurity, there are no requirements for organisations to implement specific measures such as passwords or encryption, though failure to do so may indicate a failure to adhere to the technical and organisational security standards expected, giving rise to regulatory action and heavier penalties.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Apart from the practical utility for organisations to maintain records to identify systemic issues and improve standards, to be accountable, data controllers must keep records of personal data breaches even where no reporting obligation arises under article 33 of the GDPR. No particular format is prescribed though they must contain the facts relating to each data breach, its effect and the remedial action taken. The ICO requires that similar information is recorded by network and service providers regulated by the PECR in the event of a personal data breach. In the event that a reportable data breach takes place, the ICO may demand to see a data controller’s records.

Under the NISR, regulated entities must maintain records evidencing the appropriate and proportionate technical and organisational measures taken to manage risks to their systems.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

See ‘Regulation’ and ‘Penalties’.

Time frames

What is the timeline for reporting to the authorities?

See ‘Regulation’.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Where notification is required, the GDPR obligates data controllers to communicate personal data breaches to data subjects without delay. Notification should include the nature of the personal data breach and recommendations to mitigate potential adverse effects. The need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.

Update and trends

Update and trends

What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?

As the GDPR is still in the bedding-in period, England and Wales, is unlikely to see obvious further regulation through legislation to increase cybersecurity standards. 

The best bet is that the UK will impose equivalent standards to the GDPR when the transitional period for Brexit ends on or after 31 December 2020. EU standards have become acceptable norms for handling data and controlling the relationship between the data subject and the data processor or controller, and essentially the obligation to keep data secure remains crucial for a well-functioning democracy and the conduct of business, whether as part of the EU or not. 

Companies can have an influence by demonstrating adherence with best practice and insisting that the supply chain and third parties they deal with adopt no lesser standards, using contractual conditions to do so and thereby raising the standards of cyber defence generally and being seen to mitigate the risk of penalties.

One exception to legislative action may be in the field of artificial intelligence (AI). AI is as powerful a tool in understanding and detecting cyberattacks as it is in any area, arguably more so given its unique ability to detect patterns of activity and extrapolate what is learnt to anticipate the next generation of attacks. However, AI remains controversial. Any legislation to control it more generally will have to take into account the crucial role it will play in enabling efficient and better cyber defence.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

Correct on 23 December 2019.