Compliant or not: the GDPR is here

The GDPR came into force on 25 May 2018 and brought with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.

With the legislation now in force, all eyes will turn towards the regulators to see how this piece of legislation will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. And the ICO’s specified areas of focus are reportedly cyber security, artificial intelligence and device tracking. How this will all play out in practice remains to be seen.

For those organisations still on the compliance journey, there is a wealth of information to assist. We have published a GDPR hub, accessible here, which includes a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:

  1. The GDPR: the “whole of business” issue at the top of your board agenda
  2. The rise of the intelligent business: spotlight on employers
  3. Extending the long arm of the law: Extra-territoriality and the GDPR
  4. Data use – protecting a critical resource
  5. Supply Chain Arrangements: The ABC to GDPR Compliance


Managing cyber security risks in the telecommunications sector

Cyber security remains in the public eye with multiple incidents and vulnerabilities reported affecting telecoms companies. Telecoms companies need to continue to focus on the risks and consider updating their pro-active defence and cyber security response plans to reflect the increased legal, operational, technical and regulatory risks they are facing.

The evolution of the cyber threat has not escaped the attention of governments around the world. In 2018 the Network and Information Security Directive (NISD) as well as the General Data Protection Regulation (GDPR) will be implemented in the EU. The NISD, which is due to be implemented by May, will require operators of core “digital infrastructure” and certain “digital service providers” to ensure that their network and information systems meet minimum standards of cyber security.

Cyber insurance requirements in commercial contracts: getting it right

Cyber incidents have the capacity to cause many different types of loss. Insurance coverage exists for at least some aspects of cyber risks in the UK market. However, given the range and diversity of risks that may arise, there are some key issues for businesses to consider when it comes to insurance against cyber risks in commercial contracts. Our recent article considers these issues in more detail.

This article was first published in the December 2017 issue of PLC Magazine.


UK Government support for connected and autonomous vehicle industry and related cyber concerns

Driverless vehicles are fast becoming a reality. It is estimated that the UK driverless car industry will be worth £28 billion to the UK economy and employ 27,000 people by 2035.

In light of this, it is unsurprising that in its 2017 Autumn Budget, the UK Government committed to boosting productivity (by supporting emerging technologies in order to build an economy that is driven by innovation). This includes an intention to lead in development standards and ethics for the use of data and AI, and to create the most advanced regulatory framework for driverless cars in the world.

The Budget sets out the steps that the Government is taking to ensure the UK is a leader in the development and deployment of new technologies. This includes plans to invest £1 billion in technology projects, including £400m for electric car charging points and £75m for research on artificial intelligence. The Government has also stated that it expects to see fully automated vehicles in commercial use in the UK by 2021 and that it will amend the regulatory framework where appropriate to help support this aim. The National Infrastructure Commission also plans to launch a new innovation prize to determine how future roadbuilding should adapt to support driverless cars.


UK’s cyber security breaches survey and Verizon’s data breach report suggest progress – but more to do

April 2017 welcomed two insightful publications on the current cyber security landscape. The UK Department for Culture, Media and Sport’s annual Cyber Security Breaches Survey (the “Survey”) and Verizon’s 2017 Data Breach Investigations Report (the “Report”) highlight the changing attitude of businesses toward cyber security, the specific threats facing organisations, and the opportunities for mitigating cyber crime. Whilst the results of these two publications suggest some advances in cyber security awareness, they also highlight a lack of preparedness which makes the extent of the recent “WannaCry” cyber attack in May 2017 (see above) somewhat unsurprising.

New Mirai based malware variants – BrickerBot and a Bitcoin miner

The Mirai malware gained its infamy in October 2016 following its record breaking attack on systems operated by domain name system provider Dyn, using unsecured Internet of Things (“IoT“) enabled “smart” devices (such as CCTV recorders, webcams and routers). It resulted in the widely reported outage of Twitter, Netflix, Spotify and Airbnb, amongst others.

Mirai is highly effective as it targets devices which often run unattended, do not have anti-virus installed, and have no external visual indication that they have been compromised. Mirai works by systematically trying the 62 most common default username/password combinations against the Telnet/SSH port of internet connected devices in an attempt to gain administrative access to the device. Whilst simple, the sheer number of vulnerable devices on the internet means that “botmasters” (the creators and controllers of the collections of compromised computers and IoT devices (each a bot and together a botnet)) have been able to create and sustain botnets containing up to 100,000 devices. Botmasters are then able to sell the use of their botnets online to the highest bidder for use in, for example, Distributed Denial of Service attacks against specific targets (e.g. Dyn).
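The credential-sweeping behaviour described above leaves a recognisable trace on the target: a burst of failed logins from one source, each trying a different common username, sometimes followed by an accepted login from the same source. The following Python script is an added example written for this page, not code from the post or from any product it mentions. It assumes OpenSSH-style syslog lines (the `Failed password for ... from ... port` and `Accepted password for ...` formats), and the sample log lines are constructed for illustration; the threshold and window are arbitrary tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (not real traffic).
# 198.51.100.7 sweeps five common usernames in six seconds and then succeeds;
# 192.0.2.10 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
May 12 10:00:01 cam01 sshd[412]: Failed password for root from 198.51.100.7 port 40122 ssh2
May 12 10:00:02 cam01 sshd[413]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
May 12 10:00:03 cam01 sshd[414]: Failed password for invalid user support from 198.51.100.7 port 40124 ssh2
May 12 10:00:04 cam01 sshd[415]: Failed password for invalid user user from 198.51.100.7 port 40125 ssh2
May 12 10:00:05 cam01 sshd[416]: Failed password for invalid user guest from 198.51.100.7 port 40126 ssh2
May 12 10:00:06 cam01 sshd[417]: Accepted password for root from 198.51.100.7 port 40127 ssh2
May 12 10:05:00 cam01 sshd[500]: Failed password for alice from 192.0.2.10 port 51000 ssh2
May 12 10:05:30 cam01 sshd[501]: Accepted password for alice from 192.0.2.10 port 51001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (the "invalid user" marker
# is what sshd emits when the username does not exist on the host).
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

WINDOW = timedelta(seconds=60)   # assumed tuning value
THRESHOLD = 5                    # failed attempts inside WINDOW before we alert


def parse_auth_log(text):
    """Return (timestamp, outcome, username, source_ip) tuples for recognised lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        # syslog timestamps carry no year; relative ordering is all we need here
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_password_sweeps(events, threshold=THRESHOLD, window=WINDOW):
    """Flag sources with >= threshold failed logins inside any sliding window.

    For each flagged source, report the distinct usernames tried (a wide spread
    of common names is the default-credential signature) and whether an accepted
    login from the same source followed the sweep, which is the case to triage first.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed"]
        # Sliding window: find the largest number of failures inside `window`.
        start, worst = 0, 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst < threshold:
            continue
        last_failure = failures[-1][0]
        findings[src] = {
            "failures_in_window": worst,
            "usernames": sorted({e[2] for e in failures}),
            "success_after_sweep": any(
                e[1] == "Accepted" and e[0] >= last_failure for e in evs
            ),
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_password_sweeps(parse_auth_log(SAMPLE_LOG)).items():
        print(src, info)
```

The `success_after_sweep` flag is the important output for a responder: a source that sweeps common usernames and then authenticates has almost certainly landed on a factory credential, and the device should be treated as compromised rather than merely probed. Telnet daemons log in different formats, so the regular expression would need a second pattern for those devices.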

Scientific opinion commissioned by the European Commission makes ten recommendations on cyber security in the Digital Single Market

On 24 March 2017, the European Commission’s Scientific Advice Mechanism published an independent scientific opinion on cyber security in the Digital Single Market to aid EU-level policy makers. The opinion includes ten broad recommendations for simplifying and securing online operations undertaken by people and businesses throughout the EU.