In the cases of Clarkson Plc v Person(s) Unknown (“Clarkson”) and PML v Person(s) unknown (“PML”), the court has created a new tool in the fight against cyber attackers. The defendants who are unknown person(s) gained unauthorised access to the claimants’ IT systems and acquired a considerable quantity of information. The unknown defendant(s) then threatened to publicise the information unless a substantial sum was paid. Despite not being able to identify the attackers directly the court was prepared to grant an injunction. Continue reading
The EU Network and Information Systems Directive (“NISD”) was required to be implemented into national law by 9 May 2018. The UK implementing regulations (the Network and Information Systems Regulations 2018) (“Regulations”) are now in force.
The Regulations impose cyber security standards on operators of essential services (“OES”) and certain digital service providers (“DSPs”) to help ensure that cyber attacks do not damage the wider economy. Continue reading
In anticipation of the GDPR, various guidance has been published by the Article 29 Working Party, the body of national EU data regulators.
Of most relevance in the cyber context is the guidance on personal data breach notifications; the Article 29 Working Party issued its initial guidance in October 2017 and published a final version of the guidelines (which remained mostly unchanged) in February 2018.
This guidance relates to the new requirement under the GDPR for all controllers to notify the appropriate data protection authority of a personal data breach, following a cyber attack for example. This will include providing the regulator with a significant amount of information about the breach and marks a change from the previous regime (under the Data Protection Act 1998) where notification to the ICO was not mandatory, although the ICO encouraged notification for serious breaches.
The key areas addressed by the guidance include further clarity on what constitutes awareness of a breach, when notification is and is not required in respect of examples of different types of breaches, when the clock starts running in relation to the 72 hour deadline and how to manage conflicting requirements of the GDPR and those of law enforcement authorities outside of the EU. For further information, a copy of the guidance can be found here.
In light of the booming market of the Internet of Things (“IoT”) and of the General Data Protection Regulation (“GDPR”), the Information Commissioner’s Office (“ICO”) has published an article focusing on the key factors manufacturers and retailers of IoT devices should be thinking about. This follows the ICO’s draft guidance on data controller and processor liability issued in September last year, which can be found here.
The GDPR came into force on 25 May 2018 and brought with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.
With the legislation now in force, all eyes will turn towards the regulators to see how this piece of legislation will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. And the ICO’s specified areas of focus are reportedly cyber security, artificial intelligence and device tracking. How this will all play out in practice remains to be seen.
For those organisations still on the compliance journey, there is a wealth of information to assist. We have published a GDPR hub, accessible here, which includes a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:
- The GDPR: the “whole of business” issue at the top of your board agenda
- The rise of the intelligent business: spotlight on employers
- Extending the long arm of the law: Extra-territoriality and the GDPR
- Data use – protecting a critical resource
- Supply Chain Arrangements: The ABC to GDPR Compliance