Privacy and cyber security issues will combine in the build-up to the GDPR
As boards continue to budget for and oversee cyber security, it naturally follows that they should do the same for the General Data Protection Regulation (GDPR). The GDPR will introduce fines of up to €20m or 4% of the worldwide annual turnover of the relevant undertaking, whichever is higher, together with a new regime of mandatory breach notification: personal data breaches must be reported to the regulator (within 72 hours where feasible) unless they are unlikely to result in a risk to individuals, and to the individuals affected where the breach is likely to result in a high risk to them. While it is primarily a privacy law, one of its core obligations is to secure personal data against unauthorised access, loss and destruction by appropriate technical and organisational measures. There is therefore an inevitable link between the two. The UK National Cyber Security Strategy expressly states that the GDPR will be used to drive up cyber security standards. Cyber security has rightly featured as one of the most pressing corporate risk areas for the last few years. Political, corporate and public awareness of the need to improve cyber security has increased, and the expected increase in sanctions for security breaches will encourage corporates to take preventative steps and to look for increased insurance cover.
Cyber threats will manifest as an increasing risk of cyber terrorism…
There is an increasing threat of effective cyber terrorism as the skills required to conduct malicious cyber attacks are becoming less complex and more accessible. Recent events have shown terrorists’ focus on carrying out attacks on our home soil. Cyber enables terrorists to do so from anywhere in the world. While there is a debate around whether terrorists using cyber means amounts to cyber terrorism or whether it simply remains terrorism, there is no avoiding the fact that terrorists will be prepared to use whatever means available to further their objectives. The UK National Cyber Security Strategy noted in 2016 that “The technical capability of terrorists currently remains limited but they continue to aspire to conduct damaging computer network operations against the UK, with publicity and disruption as the primary objective of their cyber activity”.
…and an increasing frequency of systemic IT outages, either maliciously or by operator error
The global WannaCry ransomware attack in May 2017, which hit organisations from all sectors across the globe, highlighted corporate and institutional vulnerability: the malware spread automatically from machine to machine through an unpatched flaw in Windows file sharing (SMB), so organisations running out-of-date or unsupported systems were infected without any user action. Our ever-increasing reliance on electronic systems and networks in every part of our private and commercial lives allows cyber criminals to deny access to systems and data (through ransomware or Denial of Service attacks) or simply to threaten to do so. However, it often does not take a hacker to take down an electronic system. Human error, software bugs, and the integration of new systems with legacy systems are just some of the non-malicious causes of major outages. In light of this, companies should increase their focus on being cyber ‘resilient’ and not just cyber ‘secure’: that is, on their ability to keep operating through an incident and to recover from it, through timely patching, network segmentation to limit spread, and regularly tested offline backups, rather than only on preventing the incident in the first place.
Awards of compensation for privacy and security breaches increasing
In much the same way that someone might have suffered a slip or trip 20 years ago without further thought but would now seek compensation, it is clear that a similar change is underway in the field of privacy and data protection compensation. As a firm, we have seen a marked increase in such claims being made against companies and organisations across all sectors. Individuals are increasingly aware and concerned about the volume and variety of their personal data that companies are storing and passing on to third parties. The judiciary is also more prepared than ever to recognise the effect on individuals caused by the breach of their privacy or the misuse of their private information. Over the last two years, UK courts have issued a string of judgments enhancing such rights and increasing compensation awards. The General Data Protection Regulation will enshrine such rights across the whole of the European Economic Area.