Regulatory Outlook: Cyber Security - November 2016
Published on 29th Nov 2016
NIS Directive: The EU Network and Information Security Directive (NIS Directive) requires organisations affected by it to take certain measures to prevent and minimise the effect of cyber breaches, and to notify the relevant authority of any breaches that take place.
The NIS Directive will apply to providers of ‘critical infrastructure’ in the following sectors: energy, water, banking, financial markets infrastructure, transport, healthcare and digital infrastructure. It will also apply to providers of certain digital services, such as online marketplaces, search engines and cloud computing providers.
National governments have until May 2018 (when the EU General Data Protection Regulation (GDPR) also comes into force) to identify the providers of ‘critical infrastructure’ and set out the minimum standards that those providers need to comply with, along with sanctions for breach. Given the timing and nature of the NIS Directive, the UK is likely to pass and retain national cyber security legislation in this or a similar form, regardless of the shape Brexit takes.
Vulnerabilities of connected devices: The growing Internet of Things (IoT) raises a number of security issues. The fundamental concern is that connectivity is often built into devices without sufficient attention being paid to cyber security. This can create obvious dangers to the users of those devices, such as the hacking of a connected car or the theft of sensitive personal data from wearables or other healthcare devices. Recent high-profile attacks have also shown how IoT devices can be hijacked and used to mount large distributed denial-of-service (DDoS) attacks.
These vulnerabilities have already led to a number of manufacturers issuing mass product recalls. With potential liability for cyber breaches likely to increase (see the following enforcement section), the incorporation of ‘security by design’ will be increasingly important for manufacturers and users of IoT devices.
Ransomware: Along with the sort of data theft and DDoS attacks that have been a focus for some time, there is a growing trend in ‘ransomware’ attacks, which involve locking down a computer or wider system, then demanding a payment to restore access. As with many cyber threats, ransomware often targets individual employees, as the ‘weak link’ in an organisation’s cyber security system.
Risk mitigation: While a large proportion of cyber risks can be countered through simple steps such as employee training and policies, sophisticated attacks are much more difficult to stop, and any business could easily find itself the victim of a major breach.
Most businesses have some sort of crisis management plan, but it is vital to ensure that there is a dedicated cyber incident response plan, and that this has been thoroughly stress-tested. Along with technical measures such as locating and isolating attack vectors and protecting high-value IP, the plan will need to provide for early stage investigation, notification, PR management and any HR issues.
Cyber insurance: Specific cyber security insurance is becoming more common in the UK. The nature and extent of this insurance can vary widely, but with premiums in some other areas reducing, many businesses are now considering the addition of cyber security insurance. This is particularly important as industry surveys typically reveal a gap between the levels of cover that businesses think they have under non-specialist policies, and the actual levels of cover under those policies for cyber breaches.
In Focus: Enforcement
Currently the UK does not have a designated cyber security regulator. However, businesses can face regulatory or private enforcement action following a cyber breach if they do not have appropriate safeguards in place against such attacks.
The Information Commissioner’s Office (ICO) is responsible for enforcing data protection law in the UK. One of the principles under the UK Data Protection Act 1998 (DPA) is that appropriate technical and organisational measures must be in place to combat unauthorised or unlawful processing of personal data. The ICO also expects data security breaches to be reported to it, particularly where there is the potential for harm to individuals.
The ICO has a range of enforcement powers that it can call on to enforce data security obligations, including statutory information requests, or requiring organisations to give undertakings to improve their compliance. The ICO can also issue fines, currently up to £500,000, and it has already issued a fine of £400,000 for a major cyber security breach. Publicity around the enforcement can be as damaging as the fine itself. In the press release relating to the fine of £400,000, Information Commissioner Elizabeth Denham made the point that “yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.”
When the GDPR comes into force in May 2018, the maximum amount for a fine will increase very significantly, to the greater of €20 million or 4% of annual worldwide turnover. The GDPR also includes a specific obligation to notify the ICO within 72 hours of becoming aware of a data security breach, and the ICO may require the organisation to notify affected data subjects.
As well as the GDPR, the NIS Directive will also implement specific regulatory obligations for those affected by it (operators of ‘critical infrastructure’ and certain tech, media and comms businesses), around minimum standards and breach notification. However, the NIS Directive is not prescriptive as to what exactly these requirements will be; this will be a matter for national governments when it comes to implementing legislation. It remains to be seen whether the UK will opt for a new cyber security regulator to enforce the obligations under the NIS Directive, and if so, what powers and sanctions that regulator will have available to it.
Along with enforcement by the ICO, individuals can bring private claims for breaches of the DPA if they have suffered ‘damage’ as a result. The 2015 Court of Appeal case of Google v Vidal-Hall confirmed that, applying the meaning of the EU directive that the DPA implemented, ‘damage’ could include personal distress. Google had been given permission to appeal that ruling to the Supreme Court, but settled the case before its appeal was heard.
The Google judgment means that where an organisation has suffered a cyber breach leading to the loss or misuse of personal data, and the organisation did not have appropriate security measures in place, affected individuals may have claims against that organisation.
The GDPR has enshrined this right for individuals to bring a claim if they have suffered ‘material or non-material’ damage as a result of any breach of the GDPR. With cyber attacks ever increasing in number and magnitude, we are likely to see a rise in group claims brought by individuals whose data has been compromised against the organisation that has suffered the attack.
Dates for the diary
9 May 2018
Deadline for the NIS Directive to be implemented into national law.
25 May 2018
GDPR comes into force.