Regulatory Outlook | Cyber security | July 2021

Written on 20 Jul 2021

Current issues

Increased remote working has increased breach exposure

Internet-facing devices and applications are ever more commonly used for remote working. Increased digitalisation and internet-facing infrastructure increase the attack surface that attackers seek to exploit.

The obligation for the data controller is to have in place appropriate technical and organisational measures to protect personal data. When notified of an incident, the Information Commissioner's Office (ICO) may take the opportunity to assess such measures in detail. The monetary penalty notices issued to British Airways and Marriott remain a key source of the technical and organisational measures that the ICO expects to see. The European Data Protection Board (EDPB) Guidelines on Examples regarding Data Breach Notification also provide helpful guidance on technical and organisational measures (see below).

A review of the measures in place, including vulnerability scans to identify potential gaps, may avert the exploitation of any issues in that increased attack surface. Companies should also be proactive in asking their suppliers and contractors what they are doing to bolster their cyber defences, to avoid supply chain risk.

Ransomware continues to present significant business risk

Increasingly common ransomware attacks continue to pose both significant business disruption risk and considerable regulatory risk, not least because such attacks are often accompanied by exfiltration of data. "Ransomware as a service" models have upskilled would-be attackers and provided access to more sophisticated malware, which can extract data without trace.

When faced with circumstances in which there are pragmatic reasons to pay a ransom to release encrypted data or seek to prevent the release of exfiltrated data, very careful consideration is required as to whether it would be legal (and otherwise sensible and ethical) to make any ransom payment.

Follow-on litigation

Follow-on litigation arising from data protection issues is becoming a business risk that may rival or exceed regulatory action. The data claims market in the UK is particularly active, with claimant firms poised to seize on any publicised data security incidents.

European Data Protection Board Guidelines on Examples regarding Data Breach Notification

The EDPB has published guidelines, for consultation at this stage, which set out examples of data incidents and the responses that the EDPB would expect to those scenarios. This extends to whether notification to a supervisory authority or to data subjects would be expected. The stated aim is to help data controllers decide how to handle data breaches and the factors to consider during risk assessments. The guidance is intended to sit alongside the existing 6 February 2018 Article 29 Working Party guidance on assessing risk, which was adopted by the EDPB.

The guidelines document is not yet in its final form. Businesses were invited to provide comments by 2 March 2021. A date has not yet been given for the provision of an updated version.

The guidelines offer insight into the expectations of the supervisory authorities that form the EDPB, and include helpful lists of the technical and organisational measures that may have mitigated the examples provided.

Proposed legislation for security requirements in smart devices

A new law to make sure virtually all smart devices meet new requirements has been proposed by the Department of Culture, Media & Sport. The ubiquitous use of internet-enabled and smart devices, many of which have been developed with little regard to security, has encouraged the government to act in response to the threat posed by these devices.

Under the proposal, virtually all smart devices would have to meet new requirements:

  • customers must be informed at the point of sale of the duration of time for which a smart device will receive security software updates;
  • a ban on manufacturers using universal default passwords, such as "password" or "admin", that are often preset in a device’s factory settings and are easily guessable; and
  • manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.

The government intends to introduce legislation as soon as parliamentary time allows.