IT and data

Cyber security in the Retail & Consumer industry:

Published on 24th Feb 2022

Protecting your brand from hackers and how to deal with cyber attacks

In a digitalised economy, companies in the retail sector are big targets for cyber criminals. The new cyber security risk landscape has been transformed by the increase in remote working, the growth in the number of connected devices, and the ever growing sophistication of threat actors, e.g. through ransomware attacks. Between 2019 and 2023 an amount of more than EUR 300 billion of lost revenues are estimated due to cyber attacks by the retail industry worldwide. Further, such issues are under growing public scrutiny, illustrated, for example, by the latest Log 4 Shell vulnerability.

Why is cyber security relevant especially for companies in the retail sector?

  • The retail industry typically processes huge amounts of personal data from their customers.
  • Hackers select targets based on their financial capability. Many big retail companies are thus attractive targets for extortion.

Which (direct and indirect) sources of law obligate companies to implement cyber security measures? 

  • Cyber security law is unfortunately fragmented. 
  • Obligations for retail companies can thus stem from various sources in public and private law, for example the GDPR, product liability and product security law, EU directives on cyber security as well as from contracts with customers or business partners. 

How may cyber security be required to protect your intellectual property?

Besides the obvious economic self-interest of each company to keep its IP confidential, insufficient protection of IP against cyber risks may also have legal implications. For instance, under EU law, trade secrets only remain protected as such if safeguarded by appropriate (cyber) security measures.  

What legal consequences can arise if your brand falls victim to a cyber attack?

  • notification obligations of your company vis-á-vis authorities
  • investigations, measures and sanctions by authorities
  • claims by affected parties, such as consumers or contractual partners.

What to do in the first place to protect you brand from cyber attacks?

Besides the obvious factual need to implement any such measures, from a legal perspective it is imperative to produce appropriate documentation as well as internal measures on how to protect company asset. Further, a company should, in preparation to any such incidents, clearly allocate responsibilities among its personnel and appropriate contingency plans. For example, these should set out clearly reporting obligations towards authorities and reporting lines inside the company. 

Aspects where cyber security becomes a legal matter – and where we can help 


You can download the flyer here.

Interested in hearing more from Osborne Clarke?

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?

Related articles