Securing Digital Frontiers: Legal Tactics for Cybersecurity
Introduction
The UK cybersecurity landscape is evolving rapidly. With rapid innovation in a time of widespread remote working come increasingly complex cyber threats, and equally, ever more stringent data privacy regulations to keep pace with them.
As technology advances, so too does the demand for strong cybersecurity measures and for the legal expertise needed to navigate the environment. Around 90% of UK businesses have encountered greater exposure to cybersecurity threats as a result of the increase in digital use over the past two years; likewise, there have been an estimated 2.39 million cases of cybercrime affecting UK businesses over the past 12 months. This surging trend underlines the stark reality of our digital age: cybersecurity is no longer a luxury, but a necessity.
Mega-Breaches & Mega-Wakeup Calls
A recent example of the alarming increase in data breaches is the incident involving British Airways in September 2018, when the airline experienced a massive data breach in which around 500,000 customers' personal and financial information was compromised.
The sophisticated breach targeted the airline's website and mobile app, allowing the attackers to gain unauthorised access to customer data including names, addresses, payment card details and travel booking information. The incident served as a wake-up call for many, highlighting the pervasive vulnerability of rapidly evolving digital systems and the harsh consequences of inadequate security measures.
Similarly, after Yahoo first publicly announced in December 2016 one of the largest data breaches in history, which impacted 3 billion accounts (and was said to have taken place in 2013), a series of legal strategies, including regular risk assessments, the development of robust incident response plans, and firmer compliance with data privacy regulations, were strictly mandated for the organisation.
Hackers vs. Regulators
As data privacy continues to be a global concern, the UK government remains firm in implementing globally applicable laws to protect its citizens and businesses. The UK's cybersecurity standards are found in key laws: the Data Protection Act 2018, which implements the UK GDPR; the NIS Regulations; the Privacy and Electronic Communications Regulations 2003 (PECR); and the Product Security and Telecommunications Infrastructure Act 2022.
On 22 June 2023, the National Cyber Security Centre (NCSC) published its "Cyber Threat Report: UK Legal Sector", which provided an overview of the growing cyber threat to the legal sector and offered practical guidance on improving cyber resilience.
Since the UK GDPR’s branching off from its EU counterpart, a looming question has been: how much will the two data protection regimes diverge? With the Data Protection and Digital Information (DPDI) Bill (which sets out the current proposal to reform UK data protection law) nearing completion in the House of Lords, the expectation is that it will become law around spring 2024.
Transformative Shifts
The Bill introduces a number of important changes affecting cybersecurity, set out below, which businesses will need to consider should they come into effect as proposed.
Businesses should additionally take note that the Bill encompasses changes to the definition of "personal data".
Records of processing
Businesses (whether controllers or processors) will only need to keep records of processing where a processing activity is likely to result in a high risk to the rights and freedoms of individuals, regardless of the size of the business (including its number of employees).
Removal of Data Protection Officers
Businesses will no longer need to appoint a Data Protection Officer (DPO); instead, if they carry out high risk processing (or are a public authority), they will be required to designate a "senior responsible individual" who will be accountable for data protection compliance.
Removal of DPIAs
Businesses will no longer need to conduct data protection impact assessments (DPIAs). In their place, they will need to carry out an "assessment of high-risk processing".
Removal of need for a UK representative
Data controllers that are not established in the UK will no longer need to appoint a data protection representative within the UK.
Data subject access requests
The Bill changes the test for refusing, and charging for, data subject access requests. If enacted, the "manifestly unfounded or excessive" test would be replaced by a "vexatious or excessive" test.
Expanding use of cookies without consent
Currently, only "strictly necessary" cookies may be set without consent. The Bill expands the categories of cookies that may be set without consent to include cookies collecting data for purposes such as statistical analysis and improvement of the service or website; however, users would still need to be given comprehensive information and an opportunity to opt out.
Legitimate interests
In its operative provisions, the Bill now includes examples of the types of processing that may be considered necessary for the purposes of a legitimate interest. These include processing for direct marketing purposes, intra-group transmission of personal data for internal administration purposes, and processing which is necessary to ensure the security of network and information systems.
Recognised legitimate interests
The Bill introduces a limited number of "recognised legitimate interests". This means that, provided a business can demonstrate that processing is "necessary" for one of the recognised legitimate interests, that business will no longer be required to balance its legitimate interest against the data subject's interests, rights and freedoms.
Changes to International Transfers
A risk-based approach to the international transfer of personal data is introduced, meaning that organisations would be able to assess the data protection risks involved in using mechanisms such as the ICO's international data transfer agreement (IDTA) or the Addendum for those transfers, and then decide on appropriate mitigation measures.
Automated Decision-Making
The Bill reframes the provisions on automated decision-making as a requirement for safeguards to be in place, rather than a prohibition with exceptions. More stringent provisions apply where an automated decision is based entirely or partly on special categories of personal data.
Scientific Research
The existing exceptions which apply for processing for the purposes of scientific research have been amended to make clear that they cover any research that can reasonably be described as scientific, whether publicly or privately funded, and whether carried out as a commercial or non-commercial activity.
ICO Restructure
The ICO's name will change to the Information Commission. The Information Commission will act as an independent body corporate, with new reporting obligations to the government.
The Secretary of State will have greater oversight over the Information Commission, which means the government has the potential to influence guidance and codes of conduct.
Changes to PECR
The Bill increases the maximum fines under PECR to bring them in line with the UK GDPR and the Data Protection Act 2018, enabling the ICO to issue fines of up to £17.5 million or 4% of a business's global turnover for breaches of certain regulations under PECR, and up to £8.7 million or 2% of a business's global turnover for other breaches of PECR.
Providers of public electronic communications services will be obliged to notify the ICO if they have reasonable grounds for suspecting that their users have contravened the direct marketing rules.
How Legal Strategies Become Your Cyber-Defence
Primarily, organisations must have legally sound incident response policies and procedures in place which clearly set out the steps to take during and after a cyber-attack.
Another crucial legal tactic is implementing strong contractual protections in relationships with all counterparties and third parties.
This involves ensuring that all contracts with service providers, business partners and suppliers, for example, include robust clauses relating to data protection and cybersecurity. These contracts should clearly define responsibilities, set expectations for security standards, and establish protocols for breach notification.
Don't wait for the breach: Let's build your defences together. Get in touch today for a consultation on securing your organization with legally sound policies and procedures. We'll guide you through the process and ensure you are legally protected.