Rohan Massey, Kevin Angle, Edward Machin and Raffi Teperdjian, Ropes & Gray LLP

This is an extract from the second edition of The Guide to Cyber Investigations. The whole publication is available here.

Cyber requirements under EU law and laws in the UK

Many organisations in the European Union and the United Kingdom, and those in the rest of the world that offer products or services to individuals in the EU or UK, associate cybersecurity with four letters: GDPR. However, the General Data Protection Regulation and its counterpart in the UK, the UK GDPR, are only one thread in a patchwork of cybersecurity laws and best practices in the EU and UK that, when viewed together, comprise some of the most comprehensive security requirements faced by businesses in any region of the world. The challenge of complying with these laws is compounded by their extraterritorial effect. For example, a company with a single office in California offering holiday packages to individuals in the EU or UK may be subject to the GDPR. Accordingly, the extent to which digital business is now borderless means that the influence and scope of cybersecurity laws in the EU and UK are no longer a strictly regional concern.

The development of the EU's and UK's cybersecurity framework has coincided with a wider appreciation of, and anxiety about, the value – monetary and otherwise – of personal information. Of particular alarm to individuals is the regularity with which data is compromised. These concerns are not unwarranted: in January 2021, it was reported that nearly 281,000 personal data breaches had been notified since the introduction of the GDPR on 25 May 2018. Even though cybersecurity is now firmly a board-level issue, many businesses still have insufficient procedures in place to address the loss or disruption caused by cyberthreats. This chapter discusses how important it is that businesses address these gaps, as a matter of priority.

General Data Protection Regulation

The concept of personal data security in the EU and UK does not begin with the GDPR. Indeed, in requiring that data controllers and processors implement 'appropriate technical and organisational measures' to ensure a level of security appropriate to the risks of their data processing, the GDPR closely tracks the language of the previous legislation (Directive 95/46/EC, the Data Protection Directive (DPD)), which states:

Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

The difference in approaches between 1995 and today is largely one of context, particularly given the change in, and the degree of, our interaction with technology now. Cybersecurity did not rank highly on legislative, corporate and public agendas in 1995. By contrast, high-profile hacks and the misuse of personal data are now so commonplace that enforcement actions arising from organisations' cybersecurity failings have become a key priority for data protection authorities (DPAs), and one that all levels within a business need to engage with. Enforcement by DPAs in the EU and UK indicates that there continues to be a growing appetite to investigate and penalise infringements of the GDPR's security principles, with fines available under the GDPR of up to €20 million or 4 per cent of global annual turnover, whichever is higher (though fines of such magnitude have not been imposed and all fines must be proportionate to the offence). Practitioners should take a two-pronged approach to these requirements: first, by focusing on the technical and organisational measures that comprise an appropriate (i.e., compliant) security programme; and second (and relatedly), by remaining alive to the nuances that will often be required when advising on the GDPR's mandatory data breach notification requirements.

Technical and organisational measures

Practitioners are advised to focus their assessment on an organisation's policies and procedures relating to security, whereas a review of technical requirements or measures will usually be undertaken in conjunction with a third-party security provider. Ultimately, there is no one-size-fits-all approach to GDPR compliance and whether a programme is defensible will be assessed in each case. That being said, certain baseline standards are likely to apply to most organisations, including network perimeter defences, malware protection, password policies and secure configuration.

Mandatory breach notification

One of the changes brought in by the GDPR is the requirement to notify data breaches to the regulator and, in certain circumstances, to the individual. The regulator must be notified without undue delay and within 72 hours of becoming aware of the breach, otherwise the organisation may face liability of up to €10 million or 2 per cent of global annual turnover, whichever is higher. The threshold for mandatory notification to a DPA is where there is 'a risk to the rights and freedoms' of individuals; the requirements for notification to affected individuals are higher still. While certain breaches will be obviously reportable, some organisations appear to be struggling to assess breaches at the lower end of the spectrum that may not be reportable. In such cases, practitioners should consider any guidance issued by the European Data Protection Board (EDPB) (previously the Article 29 Working Party) or public statements made, and the enforcement actions taken, by the DPA to which a report would be required. Indeed, notwithstanding that the GDPR was designed to harmonise Member States' disparate approaches to implementing the DPD, certain subtle differences in approach among DPAs are already becoming clear in the context of breach reporting.

With that said, most reportable breaches do not result in enforcement. A recent report by the UK Information Commissioner's Office (ICO) is instructive: of the 38,514 data protection complaints the ICO received in 2019/20, only 0.1 per cent resulted in an administrative fine, compliance audit or enforcement notice being served. These figures should not be interpreted as meaning that the vast majority of breaches are not reportable. However, they do illustrate the point that organisations should not be overly cautious in their assessments of personal data breaches. Practitioners should be aware of the potential liability for failing to notify the regulator. However, if an organisation has undertaken a detailed and reasoned approach to investigating and analysing the breach, has carefully considered its impact (if any) and has documented why notification is not required, its assessment will often be shared by the DPA.

Network and Information Security Directive

Unlike the GDPR, which applies only to the processing of personal data, the Directive on Security of Network and Information Systems (NISD) is concerned with network security and the continuity of services and applies both to personal and non-personal data. The NISD is the first EU-wide law on cybersecurity and regulates two types of entities: (1) operators of essential services, being critical organisations in the energy, transport, financial services, health, water supply and digital infrastructure sectors; and (2) providers of digital services, being online marketplaces, online search engines and cloud services providers. The NISD allows Member States to choose the maximum fines that their regulators can impose; in the United Kingdom, breaches of the NISD can result in penalties of up to £17 million.

Like the GDPR, the NISD requires covered entities to implement technical and organisational security measures that are appropriate and proportionate to the risks posed and to report all incidents that have a substantial impact on the provision of their services. Both laws require covered organisations to consider 'the state of the art' measures and the risks posed to individuals in designing their security programmes. While both regimes require notification to the appropriate authority (within 72 hours of becoming aware of a reportable incident under the GDPR, and 'without undue delay' under the NISD), there are a number of key differences in the scope of these obligations. Incident reporting is stricter under the NISD, as any significant disruption of services must be notified. In contrast, although breaches under the GDPR must only be notified if the breach leads to destruction, loss, alteration, unauthorised disclosure of or access to personal data, the notification may require disclosure to a wider audience, namely DPAs and affected individuals.

A breach of one law can result in a breach of the other: for example, an avoidable hack of personal data under the GDPR could be separately enforced under the NISD. In such cases, regulatory guidance suggests that dual notifications will be required. However, it is unclear whether separate but related actions will be brought by the regulators in such cases. The answer to this and other questions may be addressed in proposed changes to NISD announced by the EU Commission in December 2020, which include removing the distinction between operators of essential services and digital service providers and expanding the scope of NISD to cover all medium and large companies in selected sectors that are defined by their criticality for the economy and society, as well as smaller businesses with high security-risk profiles. Additionally, there will be an enhanced Cooperation Group to shape strategic policy decisions on emerging technologies and new trends; and increases in information sharing and cooperation between Member State authorities, especially in cyber crisis management.

Cybersecurity Act

On 27 June 2019, the EU Cybersecurity Act came into force promoting an EU framework for cybersecurity certification and creating a permanent mandate for the European Union Agency for Network and Information Security (ENISA) to better support Member States in responding to cyberthreats and attacks. The Act strengthened the coordination and cooperation in cybersecurity across EU Member States and EU institutions. The tailored certification schemes established under the Cybersecurity Act allow companies to certify specific categories of information and communication technologies (ICT) products, processes and services only once and obtain certificates that are valid across the EU. The EU-wide cybersecurity certification framework enables companies in the ICT sector to demonstrate that their products and services meet one of three security standards (basic, substantial or high). The intention of the new rules is to improve trust for consumers, as they can choose between products (such as internet of things devices) that are cyber-secure. The one-stop-shop cybersecurity certification is expected to achieve cost savings and remove potential market barriers for enterprises. It is hoped companies will have the incentive to invest in cybersecurity and make this a competitive advantage.

Trends

As technology moves faster than law, so technology crime continues to outpace innovations in security. Cybercriminals tend not to be sentimental – as one patch is rolled out, another vulnerability opens. That being said, we now consider some of the recurring themes in cybersecurity in the EU and UK, as well as highlighting the key trends of which practitioners should be aware.

Targets

Financial services

Given the volume and sensitivity of personal and confidential information that financial institutions process, and the increasing number and sophistication of cyberattacks, information security remains a high priority for the financial services sector. As highlighted in a Report on the Risks and Vulnerabilities in the EU Financial System by the Joint Committee of the European Supervisory Authorities, a particular concern relates to the measures required to address legacy IT systems. Indeed, even the process of upgrading these systems can be perilous: in April 2018, UK bank TSB's migration to a new IT platform resulted in millions of customers being unable to access their accounts for up to one week, as well as increased reports of fraud and a need for rectification. More recently, the outbreak of covid-19 has required most companies across the EU and UK financial sector and beyond to switch to remote working, resulting in an uptick of digital activity. This greater use of a virtual environment has put even more confidential data and ICT systems at increased risk of becoming targets of hackers and other cybercriminals.

Consumer-facing businesses

It should come as no surprise that consumer organisations are a prime target for cybercriminals, given the volume and range of data they hold and the variety of ways in which security weaknesses can be exploited – from credit card fraud, to identity and intellectual property theft, among others. At the same time, individuals now expect businesses to have robust security measures in place to protect their data and have a better awareness of their data protection rights. Translated quantitatively, a 2020 report concluded that the average cost of a data breach in the UK is about £2.9 million (even without including the additional reputational cost). The regularity with which consumer-facing companies are suffering large data breaches (Virgin Media, British Airways, Ticketmaster and Marriott International, among many others) demonstrates just how difficult it has become for these organisations to give their customers peace of mind – and why criminals continue to target them.

Internet of Things devices

Internet-connected devices offer criminals a wealth of opportunities to access personal data. That much of this information reveals detailed, and often deeply personal, insights into individuals' private lives makes it especially attractive to bad actors. Approximately 305 million Internet of Things units are predicted to be in use in the EU and UK by 2025, including for use in 'smart' homes, cars, hospitals, airports and cities. Data about the time we leave and return home, how long we shower, and how much electricity we use can all be used to build profiles that are valuable. The result is that this abundance of new data, being stored in systems with multiple points of entry, is increasingly becoming accessible – and valuable – to cybercriminals. For this reason, the Cybersecurity Act's certification scheme will have an important role in allowing manufacturers of internet-connected devices to demonstrate to consumers that data security is a fundamental aspect of their products and services.

National infrastructure

Cyber incidents affecting critical information infrastructures can have debilitating effects on the security, economy and health of societies, and protection against them is a key pillar of the NISD. With the exception of state-sponsored actors, incidents involving national infrastructure are often less focused on access to information than on the widespread disruption that results – the multiple recent malware attacks on Ukraine's power grid being a case in point. Mirroring the challenges faced by financial services firms, the use of outdated technology in many core infrastructure systems compounds their exposure to even relatively unsophisticated cyberattacks.

Targeted information

Financial and payment data

Hackers most commonly target credit card and debit card details, including 'skimming' data from online retailers by introducing hidden code onto their websites. They do so in spite of the requirements of the revised Payment Services Directive, under which payment providers must implement measures to ensure the security of payment transactions and customer data. Criminals also use social engineering techniques, such as phishing campaigns and scam emails, and sell financial data to third parties in online marketplaces. In 2018, total card frauds in the EU and UK grew 13 per cent from the previous year, reaching a value of €1.8 billion from 21.05 million separate incidents, of which 79 per cent were carried out online (a 39 per cent increase over five years).

Traditional personal data

Personal data is any information that relates to an identified or identifiable living individual. Online digital services have helped turn this data into a financially valuable commodity. Typically, it is targeted (1) to extort individuals (i.e., the victim pays to prevent disclosure), (2) to assist other frauds, and (3) to sell via online markets. Of all the different types of data targeted by hackers, personal data is the most frequently obtained.

Non-traditional personal data

Big Data – the use of large data sets produced by a diverse range of sources – is viewed by the European Commission as fundamental to the future knowledge economy. As part of this drive, esoteric information about all aspects of human life is being collected by governments and businesses with the aim of driving innovation and efficiency. This includes data on individuals' voices, spending habits and gait, among other things, which can potentially constitute personal data.

Unethical data

Hacking is not always driven by financial or malicious intent; occasionally, 'ethical hackers' seek to expose unpopular or illegal behaviour. The targets of their activities are not limited to any particular industry or the size of the organisation. For example, in 2021, hackers exposed vulnerabilities in security cameras of hospitals, schools, factories, jails, and corporate offices to call attention to the dangers of mass surveillance. In 2015, a Canadian private company was targeted because it was seen to be promoting infidelity. The Panama Papers exposed a multinational industry that facilitated fraud, tax evasion and the avoidance of international sanctions. The most high-profile example is Edward Snowden, who disclosed information about the US National Security Agency and a global citizen surveillance programme. Although less common than traditional hacking, cases of ethical hacking almost always hit newspapers' front pages and can cause massive reputational harm, as well as potentially legal and regulatory consequences.

Type and nature of actors and actions

Brute force attacks

Brute force attacks involve hacker programs applying trial and error to correctly identify passwords and user names and to find hidden web pages. The techniques for brute force attacks are largely unsophisticated and easy to notice, which results in the vast majority being negated. However, the simplicity of such methods means they are easily deployed and are increasingly popular (an estimated 80 per cent of global data breaches related to hacking in 2020 were the result of brute force attacks or use of stolen credentials).

Government or state-sponsored entities

It is now widely accepted that governments engage in hostile cyber activities to undermine the information and network security of other countries. The most notorious example is the 2020 SolarWinds hack, in which a major United States information technology firm was subject to a cyberattack that spread to its many clients and went undetected for months. High-profile cases such as the SolarWinds hack and allegations of increases in cyber incidents involving European infrastructure have significantly raised public awareness of government-targeted hacking. The unique structure of the EU and UK creates additional challenges, as is being seen in the increasing number of attacks aimed at their IT systems. For example, in 2020, ENISA reported that government administration is among the most targeted sectors for cyberattacks, and that the covid-19 pandemic has contributed to an uptick of attacks in the already strained healthcare sector.

Criminal attackers

It is estimated that the 2020 cost of cybercrime reached over US$1 trillion – a more than 50 per cent increase from 2018. By some estimates, cybercrime may be the third-largest economy in 2021. The financial rewards, coupled with low risks and low conviction rates, mean that cybercrime is an increasingly attractive prospect. Revenues are generated through online illegal markets, where criminals can buy and sell stolen information, from companies' intellectual property to personal information. Criminals also make money through extortion, whereby attackers corrupt computer files with ransomware and then exchange the remedy for money. The ill-gotten gains can then be laundered through legitimate online technologies, such as payment systems and cryptocurrencies such as bitcoin.

AI-assisted hacking

Artificial intelligence (AI), such as machine learning, has the potential to create computer programs that can evade even the most sophisticated cyber defence systems. Traditionally, it was assumed that only state-sponsored entities had the resources to hack using AI. However, these assumptions were challenged in 2018 when the American company IBM showcased a hacking program developed with AI at a security conference. As a result, security experts in the EU and UK are increasingly concerned about AI and its potential for use in hacking and cybercrime.

Nuances in investigative practices and regulatory enforcement

Regulatory enforcement

Enforcement of the EU and UK's cybersecurity laws has been growing of late, with the amount of GDPR fines rising 40 per cent in the past year. Whereas past enforcement of security failings produced marginal consequences, more recent GDPR enforcement actions have resulted in significantly higher monetary penalties for businesses.

One of the largest fines under the GDPR (€35 million) was issued in October 2020 by the Data Protection Authority of Hamburg against H&M for the company keeping 'excessive' records regarding employees' families, religions, illnesses and details of their vacation activities. In February 2020, another large fine (€27.8 million) was issued by the Italian Data Protection Authority against Telecom Italia for several instances of 'unlawful processing for marketing purposes'. The two largest security-related fines issued to date have been from the Information Commissioner's Office (the UK's Data Protection Authority), against British Airways (€22 million) and Marriott (€20.4 million).

If there was ever any doubt in the years leading up to GDPR's rollout, and shortly thereafter, that the legislation was capable of empowering regulators with significant enforcement abilities, those notions have clearly been dispelled by now. Indeed, the heightened regulatory focus on data security and breach notification, coupled with the substantial monetary penalties that can be issued under the GDPR and the NISD, indicate that seven- and eight-figure fines for cybersecurity failures will continue to become more commonplace.

Guidance

Along with the growing number of reported decisions in this area, practitioners have a growing body of guidance from which to draw when advising clients on how regulators are likely to view the requirements, and potential violations, of EU and UK cybersecurity laws. At the national level, numerous DPAs have been updating their security guidance to reflect the changes introduced by the GDPR, particularly around breach notification. At the supranational level, in January 2021 the EDPB issued additional draft guidance on the type of personal data breaches that require notification under the GDPR. Organisations such as ENISA (in relation to the NISD as well as the wider cyber security context) and sector-specific regulators will also have an important role in helping organisations to equip themselves for the challenges they face in becoming, and staying, compliant with applicable cyber laws.

EU and UK litigation considerations

Cybersecurity litigation in the EU and UK remains small relative to longer established areas of regulation. This is to be expected, given that its two main omnibus laws have been in force for less than three years. Nevertheless, practitioners should prepare for a continuing increase in contentious activity in the coming years and beyond, particularly relating to the fallout from personal data breaches and other high-profile security incidents. In addition to the type of follow-on claims that are common in the antitrust sphere, disputes brought directly by data subjects or their representatives are likely to reshape the EU and UK's cybersecurity landscape in a way that was not contemplated (or, in some cases, possible) under the DPD. The extent to which individuals are now aware of their rights under data privacy and security laws, and the relative ease with which they can be enforced, make it likely that some of the defining aspects of US litigation – large settlement awards and group actions, among others – may become an increasingly common feature of EU and UK cyber disputes.

General Data Protection Regulation

The GDPR provides for two forms of private action. Article 79(1) entitles individuals to an effective judicial remedy when their rights are infringed by the processing of personal data by a controller or processor in violation of the GDPR. Article 79(1) has a wider application than the DPD regime in two important respects.

First, it does not limit liability for compensation to controllers, the result being that if controllers and processors are involved in data processing that infringes the GDPR, each shall be held liable to the data subject for the entire damage. Second, Article 82(1) makes it clear that both material and non-material damage is actionable under the GDPR (i.e., compensation is not limited to when an individual suffers financial harm). Practitioners may be familiar with the decision in Vidal-Hall, in which the English Court of Appeal in 2015 interpreted that country's pre-GDPR regime as permitting compensation for non-pecuniary losses. Indeed, the scope for emotional damage caused as a result of cybersecurity incidents (e.g., the distress associated with the theft of personal information) means compensation claims for non-pecuniary losses are likely to be a defining feature of the EU and UK litigation landscape in the coming years.

Article 80 of the GDPR entitles not-for-profit bodies and other public interest organisations to seek effective judicial remedy on behalf of individuals. The ability to issue group proceedings in respect of cyber incidents is a significant development for the EU and UK, and may come to represent a key tool by which controllers and processors are held to account. However, the extent to which this prospect will be realised depends in part on the Member States, as they are given discretion as to whether, and if so how, the GDPR's collective redress provisions are implemented in each territory. Indeed, in early 2021, the UK government announced that it would not allow consumer groups and other not-for-profit bodies to bring actions on individuals' behalf on an opt-out basis. At the time of writing, these provisions are also not being applied evenly across the EU and UK, with early indications suggesting that Member States are unwilling to grant not-for-profit bodies the ability to bring actions on data subjects' behalf (i.e., in a manner similar to the opt-out class actions with which US practitioners will be familiar). In the UK, for example, a court recently ruled that a law firm's costs of building a group action by soliciting potential claimants (e.g., marketing and other advertising costs) were not recoverable costs, thus likely impacting the profitability of organisations seeking to bring about these kinds of actions.

Differences between EU laws and national laws

A key driver behind the introduction of the GDPR was the lack of harmonisation that had developed as a result of the diverging approaches Member States had taken in implementing the DPD. Such fragmentation also exists in respect of Member States' approach to collective redress, and following Brexit this divergence may continue apace in the UK. This is particularly important in the context of cybersecurity, given that (as noted above) some national legislatures may be unwilling to implement the provision in Article 80(2) of the GDPR that permits a form of opt-out class action. A study commissioned by the European Parliament and published in October 2018 revealed the extent to which the landscape remains uneven. Among other things, the Member States surveyed differed – often significantly – in the forms and scope of redress available, the standing to bring actions, and the fees and funding models. For example, contrary to their previously restrictive approach, German courts are increasingly granting significant damages in mass data litigations. To address these considerations, on 25 November 2020, the EU and UK adopted a new directive dealing with representative actions that will allow qualifying organisations to bring about collective actions on behalf of consumers throughout the EU and UK. In addition to these developments, the wider emphasis on consumer protection by the EU and UK's governing bodies makes it probable that, in addition to the GDPR's provisions on collective actions, individuals will in the near future have a range of tools with which to bring mass claims in relation to cybersecurity and related incidents.
